1. Identify Your Most Critical Assets, Where They Reside, and How You Value ThemDo you know how many organizations don’t know where all their stuff is? When I mean “stuff,” I mean critical, super important stuff, like customer information, critical intellectual property, investment-related information, merger and acquisition-related information, critical manufacturing plans, and other personally identifiable or miscellaneous information (e.g. maybe data regarding their core sales drivers). Once that task is complete, companies then need to map that data to a location, i.e. is it stored locally in the network server room, or is it in a cloud environment? You have to start somewhere with information management governance. Finding out where your stuff is a good start.
2. Protect Which Matters MostOk then, your business is that of a regulated investment advisor. Your business sells the most delicious French toast ever made (using a recipe thought up by your wife), and it's made and distributed through a plant in New Jersey that is run by both your IT network and by various industrial control devices or SCADA systems contained throughout your factory. The factory is your lifeblood. If it isn’t running, you can’t make the French toast, and trucks can’t deliver it to food stores around the NY tristate area. And if it can’t get to food stores, your business is toast. So clearly you have three separate sources of critical information (“your crown jewels”) that need protecting – your basic IT network, your industrial control systems in your plant, and your client lists of the various food stores where you sell your French toast. How are you protecting this data? Really think about the question in detail:
- Do you have next generation firewalls to catch bad code before it enters your network and ICS devices and encrypts your files?
- Do you patch your AV software as required to stay fully up to date on variants of ransomware? How quickly to patch “critical updates?” ASAP or whenever?
- Do you conduct quarterly anti-spearphishing training for your employees so they don’t feel compelled to “click on every link”?
- Do you have a DMARC or other email hardware/filter that will catch or sandbox suspicious socially-engineered or spoofed email before it encrypts your files?
- Have you recently tested or “red-teamed” your ICS or SCADA systems to see if they can be (1) hacked, or (2) need to be patched, or (3) are otherwise subject to encryption coded commands that will shut your factory down
3. Test Your Recovery and Back-Up Systems Constantly – and Segment Your Back Up from Your NetworkSo your employee clicks on a link from the King of Arabia looking for his King’s Ransom, and your business gets “ransomwared” instead. The Recovery element of the NIST recommends the following: have processes and procedures in place to have your files backed up on a regular basis, stored off-site, tested periodically, and ready to employ on little to no notice if your files get encrypted, and you need to restore your network from the last available moment before the ransomware went live. In enterprise risk management language, this is called “business continuity planning” or resiliency. In reality, this is called common sense. Understand that you will be hacked. And be ready to react at a moment’s notice. There are so many variants of ransomware to which neither the NIST framework nor this article can do adequate justice. But using the Framework as a basis to re-evaluate your ransomware defenses is a perfect solution to a moving-target problem that calls not just for one solution or many solutions. As we enter 2016, and as the Framework approaches its second birthday, we are again urging client’s to use its core precepts to re-evaluate their defenses against all threat vectors. There is ghostware, stealthware, and other silent vectors to strike. Use the Framework as your “Seal Team Six” to fight back.
 See “Ransomware rearing its ugly head, goes after business,” available at http://www.welivesecurity.com/2015/12/28/cybercriminals-targeting-banks-ransomware/. There are variants to the general scam. Sometimes data is exfiltrated during the particular attack to another location, and if the ransom is not paid, the attacker promises to post your confidential data on internet bulletin boards for all to see. See e.g. “The NIST Cybersecurity Framework – Encouraging NIST Adoption Via Cost/Benefit Analysis,” which is available at http://csrc.nist.gov/organizations/fissea/2015-conference/presentations/march-24/fissea-2015-ferrillo.pdf. This is a presentation I gave to NIST officials last year. See e.g. “Millions of children's data hacked after 'biggest ever cyber attack' on toy firm,” available at http://www.telegraph.co.uk/news/uknews/law-and-order/12051439/Millions-of-childrens-data-hacked-after-biggest-ever-cyber-attack-on-toy-firm.html. See “Ransomware: Refusing to Negotiate with Attackers,” which is available at https://www.tripwire.com/state-of-security/security-awareness/ransomware-refusing-to-negotiate-with-attackers/.