Ransomware Advice – who needs it?
By Vernon Kitay, Head of GRC & VCISO
The US Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, has recently issued guidance on the ransomware threat and how to respond to it. By the time you get to this second sentence of the blog, you've probably eagerly clicked away at the provided link (above) and readied yourself to soak up the pearls of wisdom to follow as a guiding light.
My guess is that by now you're probably thinking "Is that it? Is that all there is to it?", and the reason for the sense of deflation may well be that the 'wisdom' offered is as old as the hills, and you've probably heard it all before. Indeed, reading recent headlines on cybersecurity failures and data breaches, it becomes increasingly obvious, and to some extent rather annoying, that the failures are no closer to rocket science than my artistic endeavours are to those of Leonardo da Vinci.
The key CISA recommendations flow from technical actions to a high-level view as follows (my additions in parentheses):
1. Back up your data, system images and configurations, and keep the backups offline (obvious of course, but don't omit to test recovery periodically; an untested backup is a hope, not a control).
2. Update and patch systems (at all layers, and in good time).
3. Make sure your security solutions are up to date (along with appropriate access controls).
4. Review and exercise your incident response plan (and don't forget to refer to it in the event of an incident).
5. Pay attention to ransomware events and apply lessons learned (including those of others).
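CISA's first point, and my parenthetical about testing recovery, deserve more than a nod, so here is an added example of what "test recovery periodically" can look like in practice. It is my own illustration, not CISA's guidance or anything from the advice page: a small Python restore drill that records a SHA-256 manifest of the live files, archives them, restores the archive into a scratch directory (never over the live system) and reports every file as ok, corrupt or missing. The sample files are constructed for the demo, and the function names (`make_backup`, `restore_drill`, `run_drill`) and the `exclude` switch used to simulate a backup job that silently skipped a file are my assumptions, not part of any product.

```python
"""Restore drill for an offline backup: build a SHA-256 manifest of the live data,
archive it, then restore into a scratch directory and check every file against
the manifest. Added example; not code from CISA or the original post."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample content standing in for a real system's files (not real data).
SAMPLE_FILES = {
    "config/app.yaml": b"db_host: 10.0.0.5\nlog_level: info\n",
    "data/customers.csv": b"id,name\n1,alice\n2,bob\n",
    "data/orders.csv": b"id,customer_id\n100,1\n",
}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every file under src. This is the record
    of what the backup *should* contain; keep it with the offline copy."""
    return {p.relative_to(src).as_posix(): sha256_of(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path, exclude=()) -> dict:
    """Write src to a gzipped tar plus a JSON manifest beside it. `exclude` (file
    names to leave out) is a demo hook that simulates a job that skipped files."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            if Path(rel).name in exclude:
                continue
            tar.add(src / rel, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore into a fresh scratch directory (never over the live system) and
    classify every manifest entry as ok, corrupt (hash mismatch) or missing."""
    result = {"ok": [], "corrupt": [], "missing": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # Python >= 3.12 (and recent 3.8-3.11 patch releases): refuse
                # members that would escape dest or create links/devices.
                tar.extractall(dest, filter="data")
            except TypeError:  # older Python without the `filter` argument
                tar.extractall(dest)
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_of(restored) != expected:
                result["corrupt"].append(rel)
            else:
                result["ok"].append(rel)
    return result


def run_drill(skip_in_backup=()) -> dict:
    """End to end: lay down the sample files, back them up (optionally omitting
    some), then run the restore drill and return its verdict."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "live"
        for rel, content in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)
        archive = Path(work) / "backup.tar.gz"
        manifest = make_backup(src, archive, exclude=skip_in_backup)
        return restore_drill(archive, manifest)


if __name__ == "__main__":
    print("clean backup:         ", run_drill())
    # A job that quietly skipped one file only shows up when you actually restore.
    print("backup missing a file:", run_drill(skip_in_backup=("customers.csv",)))
```

The point of the second run is the one that bites in real incidents: the backup job reported success, the archive exists, and only a restore against an independent manifest shows that a file never made it in. In production the manifest travels with the offline copy and the drill runs on a schedule, with any "corrupt" or "missing" entry treated as an incident in its own right.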
PCI DSS Relevance
By the way, if you’re expected to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) then you’re required to have these controls in place anyway, as well as evidence of how you’re getting assurance that they’re operating effectively.
While this guidance is rather simplistic, the advice page does link to more comprehensive detail on all areas, the most interesting of which is ‘Questions Every CEO Should Ask About Cyber Risks’. This starts off with a focus on raising the level of Governance to the Executive, implementing a comprehensive Risk Management Framework, and deploying and assuring controls to mitigate risk and compliance requirements across the business’ key systems and data.
Recent Events as Indicators
Looking at recent cybersecurity failures, we can see a combination of gaps, both technical and in high-level Governance. Take Suprema in August 2019, where unencrypted fingerprints of over 1 million people, along with facial recognition data, passwords and other personal information, were accessed. Bearing in mind that:
1. biometric data used to identify a person falls within the special categories of personal data under GDPR (Article 9) and so requires the highest level of controls, and
2. once breached, unlike passwords, fingerprint data can't be changed,
how could it be conceivable that this data would be stored in unencrypted form? Clearly a lack of technical controls, but simultaneously a lack of Governance oversight that should have ensured the appropriate controls were prescribed.
In the Capital One breach, which took place in March 2019 and was identified in July 2019, an attacker exploited a misconfigured web application firewall to reach the data of around 100 million Capital One customers, including credit card applications going back 14 years. The misconfiguration was the way in; what turned it into a mass exposure was that the firewall host carried cloud credentials with far broader access to stored data than it needed. Again, a combination of technical gaps (configuration, least privilege and encryption) combined with Governance failures.
The breach of Choice Hotels customer data, also identified in July 2019, resulted from real records of around 700,000 customers being included in what was supposed to be dummy test data, hosted on a third-party server. Choice Hotels were reportedly evaluating other vendor relationships and looking at additional controls to prevent future breaches, an activity we would consider to be long overdue.
The Executive needs to maintain oversight of and engagement with systems and data for effective Governance, to ensure that risks are properly assessed and appropriate controls implemented. The supply chain is becoming increasingly vulnerable, and management of risk should not stop at the perimeter of our systems but should reach as far as our data does.