Ransomware has been around for more than 30 years. But, like every component of technology, it has evolved. It is no longer an occasional expensive nuisance. It is now a rampant plague with existential implications for individuals, businesses, government agencies and, most ominously, critical infrastructure—energy, transportation, food supply, water and sewer utilities, healthcare, and more.
The May 2021 attack that prompted Colonial Pipeline to shut down its 5,500-mile pipeline, cutting off nearly half the fuel supply to the U.S. East Coast for the better part of a week, is just one example. The resulting panic buying and major price spikes demonstrated yet again what multiple experts have warned for decades: criminals or national adversaries don’t need bombs, missiles, or bullets to cripple an adversary. They can do it with keystrokes on a computer.
So why aren’t the private and public sector organizations that are the targets of these attacks taking what would amount to a wartime footing to fight back? Well, they are, sort of.
The White House issued a memo last month (June 2021) urging business leaders to act immediately to harden their organizations against ransomware. President Biden also confronted Russian President Vladimir Putin, at least rhetorically, when they met in Geneva last month, about Russia serving as a safe haven for ransomware criminals.
But organizations don’t have to depend on international diplomacy for better protection against ransomware attacks. They can simply follow the recommendations in the memo. There is little new in it because the ways to fight ransomware are well established and effective.
Ways to fight ransomware:
- Build, maintain, and distribute secure software: The Colonial Pipeline intrusion began with a compromised password for a VPN account that had no multi-factor authentication, not with a software flaw, but better software security is still the most effective defense against hackers. That means all the software an organization builds itself, acquires from vendors, or pulls in from the open source community.
This requires a secure software development life cycle, which should start with an architecture risk analysis to find and fix design flaws, and threat modeling to identify the ways malicious hackers might attack.
Next, automated tools for static, dynamic, and interactive application security testing help developers find and fix weaknesses in the code they write, while software composition analysis identifies the open source components they depend on and flags those with known vulnerabilities or licenses that conflict with how the product will be distributed.
At the end of development, penetration testing can mimic hackers to find weaknesses that remain before software products are deployed. If an organization needs more expertise or capacity, managed services providers can guide it through the process.
- Back up data regularly: Keep at least one copy offline, not reachable from the network, so the same intrusion that encrypts production cannot encrypt or delete the backups, and test restores periodically; a backup that has never been restored is an assumption, not a recovery plan.
- Update and patch: Failing to install an available patch for a known vulnerability is like leaving the door to a vault wide open.
- Train workers: Most employees want to protect the organization's assets. But if they fall for a phishing email, reuse passwords, or choose weak ones, that can trump the best technology in the world. Pair training with multi-factor authentication so that a single stolen password, as in the Colonial Pipeline case, is not enough on its own.
- Limit access: The more accounts with access to sensitive data, the greater the risk. Grant each employee only the access needed to do the job, and segment the network so that a compromised workstation cannot reach every server; segmentation is also what keeps a ransomware infection from spreading from the office network into operational systems.
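As an added illustration of the software composition analysis step described above, the script below is example code written for this page, not tooling from Synopsys or anything from the original article. It parses a small pinned dependency manifest, matches each pin against an advisory table with introduced/fixed version ranges, and checks licenses against a distribution policy. The manifest, the package name `fancylib`, the advisory identifiers `DEMO-2018-0001` and `DEMO-2020-0002`, and the license table are all constructed for the example; a real SCA tool does the same matching against live vulnerability and license databases.

```python
"""Toy software composition analysis (SCA) check.

Added example for this article, not Synopsys code. The manifest, the
advisory table (hypothetical DEMO-* identifiers, not real CVEs), and the
licence table are constructed so the script runs offline.
"""

# Constructed manifest in requirements.txt style. '#' starts a comment.
MANIFEST = """\
# dependencies for the demo service
requests==2.19.0
pyyaml==5.4.1
fancylib==1.2.3   # hypothetical package, used only to show a licence finding
"""

# Constructed advisories: package -> [(advisory id, introduced, fixed)].
# 'introduced' is inclusive, 'fixed' is exclusive, matching how most
# vulnerability databases express affected ranges.
ADVISORIES = {
    "requests": [("DEMO-2018-0001", "2.0.0", "2.20.0")],
    "pyyaml": [("DEMO-2020-0002", "5.1", "5.4")],
}

# Constructed licence table and a policy for a proprietary binary that
# must not link strong-copyleft code.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "fancylib": "GPL-3.0-only"}
POLICY_DISALLOWED = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(text):
    """Turn '5.4.1' into (5, 4, 1). Numeric dotted versions only."""
    return tuple(int(part) for part in text.strip().split("."))


def version_in_range(version, introduced, fixed):
    """True if introduced <= version < fixed, padding to equal length so
    '5.4' and '5.4.1' compare correctly ('5.4.1' is not < '5.4')."""
    parts = [parse_version(v) for v in (version, introduced, fixed)]
    width = max(len(p) for p in parts)
    cur, low, high = [p + (0,) * (width - len(p)) for p in parts]
    return low <= cur < high


def parse_manifest(text):
    """Return {package: pinned version}. Unpinned lines are an error:
    without an exact version there is nothing to match advisories against."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def scan(manifest_text, advisories=ADVISORIES, licenses=LICENSES,
         disallowed=POLICY_DISALLOWED):
    """Return a list of (kind, package, version, detail) findings."""
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        for adv_id, introduced, fixed in advisories.get(name, []):
            if version_in_range(version, introduced, fixed):
                findings.append(("vulnerability", name, version,
                                 f"{adv_id}: affected, upgrade to >= {fixed}"))
        licence = licenses.get(name, "UNKNOWN")
        if licence == "UNKNOWN" or licence in disallowed:
            findings.append(("license", name, version,
                             f"{licence} is not permitted by the distribution policy"))
    return findings


if __name__ == "__main__":
    for kind, name, version, detail in scan(MANIFEST):
        print(f"[{kind}] {name}=={version}: {detail}")
```

Running it reports `requests==2.19.0` as affected (2.19.0 falls inside the 2.0.0 to 2.20.0 range) and `fancylib` as a license violation, while `pyyaml==5.4.1` is clean because 5.4.1 is at or past the 5.4 fix. The exclusive upper bound and the padding in `version_in_range` are where home-grown checks usually go wrong, which is one reason to run a maintained SCA tool in the pipeline rather than a script like this.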
For years, many organizations have said they have neither the time nor the money to implement those protections, and that hackers wouldn’t be interested in them anyway.
But counting on being too small or too obscure to be noticed, a form of "security by obscurity," doesn't work: ransomware crews scan for any reachable, unpatched target rather than choosing victims by name. The cost of paying cyber criminals and recovering from an attack will be greater, by orders of magnitude, than any savings from failing to implement good security.
Better security is an investment. While you may never know the ROI from it, that’s the point—you don’t want to know.
Taylor Armerding, Security Advocate, Synopsys