With the coronavirus pandemic well underway, the last thing information security professionals want to deal with is the devastating effects of ransomware and phishing attacks. Many are hoping the steps they have taken thus far to educate users, identify vulnerabilities in their enterprise, segment their networks and create communications pathways with their peers will help lessen the impact when cyber attackers come calling.
"Ransomware and phishing are always on my mind, keeping me awake at night. Yet, they aren't something that you as a leader can fix on your own," said Michael Sherwood, chief innovation officer for the city of Las Vegas. "We need to rely on the whole community being diligent and knowledgeable as our first line of defense."
Ransomware is a type of malware in which a hacker locks a user's computer, encrypts sensitive data and then demands a ransom to unencrypt the data and unlock the computer. Hackers sometimes use phishing or fraudulent emails that link to malicious code to gain access to usernames, passwords, credit card numbers and other sensitive information to carry out nefarious acts, such as identity theft.
In January, the city of Las Vegas experienced a high-profile ransomware attack, but the IT team was able to detect and contain it without paying a ransom, according to Sherwood, who added that name recognition continues to make Las Vegas an attractive target. While the city spends a lot of time and resources on reinforcing network and endpoint security, Sherwood believes it all starts with user education.
Sherwood joins other IT pros in offering the following advice to prevent cyber attacks.
User awareness and training
"We want to create a well-trained, well-educated user base by getting people to really pay attention to emails they receive and to have good computer hygiene as well," Sherwood said.
As a basic step, the city's 3,500 employees are required to take online cybersecurity training twice a year, and the information security team delivers an electronic newsletter twice a month that covers security trends, concerns and changes users can make to improve security.
Perhaps the most powerful tool in the city's toolbox, however, is its third-party phishing experiments in which users are sent real phishing emails in a controlled manner so IT can see which users are likely to open the company up to dangerous payloads. Susceptible users are given further training.
Jeff Vlach, technology manager at Texas State Aquarium in Corpus Christi, Texas, agreed that all users should be aware of their role in securing not only their personal data, but the organization's data as well. "The human factor is a large part of an organization's security. All it takes is one person to make a bad decision and your security system can be thwarted, no matter how much money you've thrown at it," he said.
To hammer home the importance of employee diligence, Vlach hopes to carry out a phishing test on the aquarium's 250 employees. At a previous workplace, he tested 30 users with a phishing email, and 29 clicked on the alleged malicious link. "Not only was that a good opener to start discussions with employees, but it also was a good way to show management the need for a training program budget," he said.
Vlach sends emails out a few times a month at the aquarium to educate users. Instead of only talking about how to secure corporate data, he focuses on how they can secure their personal data in hopes that it will bleed over into the business realm. "I got a much higher read rate -- 300% higher -- on the tip emails when I focused on how to protect their bank accounts and other personal information," he said. Humor, what he calls "water cooler language," and explanations also encourage users to read his tips the whole way through. "People don't like being told what to do without knowing why." For example, explaining the business reasons for the aquarium's recent move to a 10-character complex password for system and application logins resulted in greater buy-in from users.
Simulations and testing
Simulations and testing must go far beyond the human factor to ward off malware. At Options Clearing Corporation (OCC), a financial services firm based in Chicago, David Muran-de Assereto, first vice president and deputy CSO, encourages his security team to "think like a criminal" and figure out the importance of each byte of data. "I always want to know who wants to get at the data and what they can do with it," he said.
He sets up complex simulations that plot out "extreme but plausible" scenarios. He then hands that threat intelligence to a member of his team and says, "Go pretend you are a bad guy, and try to achieve these things." The process and outcome are analyzed and turned into stronger security practices. He also invites independent third parties in to validate the testing and the ensuing best practices.
Performing these blue team-red team exercises, where the blue team assesses the threat and the red team tries to carry it out, exposes vulnerabilities before hackers can. For years, Muran-de Assereto hesitated to move any data into the cloud due to security fears. But the threat vector simulations have helped assuage his fears, and OCC aims to be operational in the cloud within a couple of years. "The environment -- on premises or cloud -- no longer matters as long as we're using modern, agile and secure technologies," he said.
Christopher Frenz, assistant vice president of information security at Interfaith Medical Center in Brooklyn, New York, said his team has been simulating ransomware outbreaks since 2015, two years before the WannaCry ransomware virus. "We started to see the writing on the wall that hospitals would be attacked and decided to simulate our own risk," he said.
His team used the European Institute for Computer Antivirus Research (EICAR) test, a tool available for free online that sends out a harmless string of characters recognized by the antivirus software companies as a virus, to see how ransomware would spread through the health system's network. What they discovered was a need for a tighter stance on network communications.
The team virtualized and microsegmented all servers in the network using VMware's NSX network virtualization and security platform, coupled with network access control, "so servers could only communicate with the devices they had to." They also deployed virtual desktops and locked-down PCs so the PCs can only communicate with their server subnet, not with one another. "If a threat were to impact one PC, it would stay contained to a single infected device," Frenz said. Shrinking the data center footprint with virtualization helped mitigate the cost of the project.
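The policy described above (PCs reach only the server subnet, servers reach only the peers they must) can be checked against flow logs. The following is an added example, not code from the article or from Interfaith Medical Center; the subnets, allowlist entries and flow records are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan and allowlist (assumptions for illustration).
PC_NET = ipaddress.ip_network("10.20.0.0/16")      # locked-down PCs
SERVER_NET = ipaddress.ip_network("10.10.0.0/24")  # server subnet
SERVER_ALLOW = {                                   # (src, dst, dst_port)
    ("10.10.0.5", "10.10.0.9", 5432),              # app server -> database
    ("10.10.0.7", "10.10.0.5", 443),               # imaging gateway -> app server
}

def policy(flow):
    """Return (verdict, reason) for a connection attempt under the intended policy."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src in PC_NET and dst in PC_NET:
        return "deny", "pc-to-pc"                  # the lateral path to close
    if src in PC_NET and dst in SERVER_NET:
        return "allow", "pc-to-server"
    if src in SERVER_NET and dst in SERVER_NET:
        if (flow["src"], flow["dst"], flow["port"]) in SERVER_ALLOW:
            return "allow", "allowlisted server pair"
        return "deny", "server pair not allowlisted"
    return "deny", "default deny"

def audit(flows):
    """Sort flows the policy denies into gaps (network let them through) and contained."""
    gaps, contained = [], []
    for f in flows:
        verdict, reason = policy(f)
        if verdict == "deny":
            row = (f["src"], f["dst"], f["port"], reason)
            (gaps if f["action"] == "allow" else contained).append(row)
    return {"gaps": gaps, "contained": contained}

# Constructed flow records; 'action' is what the network actually did.
FLOWS = [
    {"src": "10.20.1.15", "dst": "10.10.0.5",  "port": 443,  "action": "allow"},
    {"src": "10.20.1.15", "dst": "10.20.1.22", "port": 445,  "action": "deny"},
    {"src": "10.20.3.40", "dst": "10.20.3.41", "port": 3389, "action": "allow"},
    {"src": "10.10.0.5",  "dst": "10.10.0.9",  "port": 5432, "action": "allow"},
    {"src": "10.10.0.7",  "dst": "10.10.0.9",  "port": 445,  "action": "allow"},
    {"src": "10.10.0.7",  "dst": "10.20.1.15", "port": 445,  "action": "deny"},
]

if __name__ == "__main__":
    result = audit(FLOWS)
    for kind in ("gaps", "contained"):
        for row in result[kind]:
            print(kind, *row)
```

Entries under "gaps" are connections the network permitted that the intended policy would block; entries under "contained" show the segmentation doing its job.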
Frenz said the virtualization and microsegmentation have not been rushed because, "in health care, patients depend on these systems, and you don't want to break anything."
Already, the simulations and rearchitecting of the network have paid off. Recently, a hard drive in a hospital X-ray machine failed, and the biomedical team had to clone another hospital's X-ray machine hard drive to reinstate functionality. When the machine with the cloned drive was put back into service, the Interfaith Medical Center information security team received an alert that its own X-ray machine was infected with malware, but because of the microsegmentation, the malware did not spread. "Network segmentation kept the problem restricted to just that one device," he said.
Ongoing simulations and testing are essential to identify what works and what doesn't work. "There is always room for improvement," he said.
"My focus in the past has always been on preventive measures, but ransomware has changed that. We now have to spend as much time thinking about how we are going to recover from an attack," said Matthew Frederickson, director of information technology at Council Rock School District in Newtown, Pa.
This epiphany came after a nearby school district was hit by ransomware, and it took the district nearly two years to recover. "Every week, there's another school district attack. We've had to invest in technologies we haven't had to before," he said. Top of his list: proactive endpoint protection.
The school district deployed Deep Instinct, cloud-based endpoint security that scans data from desktops, laptops, tablets and smartphones and uses deep learning or AI to predict whether data includes a malicious file and then prevents it from doing any harm. "If something doesn't look right, it stops the data and asks our team if it's OK," Frederickson said.
Adding another layer of security in the form of endpoint protection for the district's 13,000 users had a slight, almost imperceptible performance cost as all data is reviewed by Deep Instinct. Frederickson has found the delay to be minimal, and users recognize it is in their best interest. "I think there's always going to be that sweet spot between protection and performance. When things get too structured, you get shadow IT. However, I do think users are more accepting if it's for their protection," he said.
Communication with peers
While all of these moves to limit the impact of ransomware and phishing are helpful, Sherwood said one action could mitigate damage even more: IT leaders alerting industry peers when a ransomware attack happens.
"Sharing this information in real time is important. Right now, when one city gets hit by ransomware, we only know because a journalist posts it," he said. He'd like to see an early warning system developed akin to the emergency broadcasting system.
"It's OK to ask for help, to build relationships with other parties outside of your own organization, so [when an attack happens] you aren't just relying on internal resources," he said.