The City of Atlanta is still trying to recover from the March 2018 SamSam ransomware attack that demanded $51,000 in bitcoin. More than one-third of the city government’s online systems were frozen, and staff were initially told not to turn on their computers in case the malware spread. Atlanta’s public safety services, such as 911, police and fire rescue, as well as Hartsfield-Jackson Atlanta International Airport, were mostly unaffected.
When the attack occurred, the city was in the process of improving its cyber defenses following an internal audit report. Chief Audit Executive (CAE) Amanda Noble says it is too early to tell what lessons can be learned from the incident, but she says the fact that most emergency services stayed up and running suggests that the city had done a good job of segmenting its network before the attack — one of the audit recommendations.
Noble says about 600 of the city’s 8,000 computers were affected. What struck her most immediately following the attack was the difficulty communicating throughout the city without email. Because local device hard drives had been potentially compromised, it was important to identify which ones were impacted before giving people access to their equipment.
“The day after we learned of the attack, building security was passing out notices asking staff not to use their computers,” she says. While the City Auditor’s Office had done a business continuity audit for the city, they had not done one for her own department. Auditors were locked out of their laptops for several days.
She says that organizations prioritize their most sensitive assets first — which is only natural — but they should be looking at how the entire enterprise can be affected during an attack, whether they have the resources in the short term to deal with those other areas or not. “It is worth remembering that Atlanta was not a uniquely vulnerable organization and that this was not a particularly sophisticated attack,” she says. “Organizations should start approaching this by thinking in terms of not if this will happen, but when. Think about how to recover and about your communication plan.”
To Pay or Not?
Initial clean-up costs in the weeks following the Atlanta attack have been widely reported to have topped $2.6 million, with more remediation efforts needed longer term. In June, Daphne Rackely, the city’s interim chief information officer (CIO), requested an additional $9.5 million for recovery efforts from city council as the city continues to find more problems with its systems, including the loss of more than a decade of legal documents and years of police dash-camera footage.
Ramsomware is a specific type of malware that infects computers and mobile devices and, in doing so, restricts users’ access to files. Attackers often threaten to permanently destroy data quickly unless a ransom is paid — or they increase the size of the demand incrementally each time a deadline for payment has been reached. The initial ransom demand can be small. So, with recovery effort amounts in Atlanta now topping $14 million vs. the total reported ransomware demand of $51,000, why not just pay?
Official government advice in the U.S. and U.K. is not to pay. “From the U.S. government perspective, we definitely discourage the payment of ransom,” Neil Jenkins, former director of the U.S. Department of Homeland Security’s Enterprise Performance Management Office, told the online magazine ZDNet last year. “From a national perspective ... paying ransom encourages the business model,” he said. “The reason this has become such a popular thing to do is they’re actually making money off of this.”
Cyber defense experts tend to agree, even though the financial calculations may initially make payment attractive. “If you are a CEO losing $100,000 a day and the ransom is $300,000 in bitcoins, you could potentially get your money back in three days,” Raj Rajamani, vice president of products at endpoint protection company SentinelOne in Mountain View, Calif., says. “But in the longer term, you are paying the attackers to become more sophisticated by helping them reinvest in building better attack technology.”
Not only that, but paying ransom does not work in most cases. According to the SentinelOne Global Ransomware Report 2018, of the 45 percent of U.S. companies impacted by ransomware in 2017 that paid at least once, only 26 percent got their systems back from the attackers. Seventy-three percent of those that paid were attacked again. For most, paying was a lose-lose scenario.
Most worrying, 44 percent of respondents claimed that ransoms have been paid without the involvement or sanction of IT and security teams. “Depending on how high up in the organization the employee is and what kind of data has been stolen, maybe he or she doesn’t know how to react, sees it as their fault, and wants to hide it under the radar until the data can be retrieved,” Rajamani explains. “The intention is understandable, but the reality is you are putting the rest of the organization at risk.”
Organizations need to accept that people make mistakes and that if they become a victim of ransomware, they should feel free to raise their hand and tell someone immediately, Rajamani says. “These attacks are inevitable, so organizations should avoid creating a culture of fear where people feel they’ll lose their jobs for coming forward with a problem,” he adds.
Make Routines Routine
Six Steps to Better Security
As ransomware is on the rise, Michael Lisenby, managing partner at Rausch Advisory Services LLC in Atlanta, gives advice for minimizing the odds of an organization falling victim to an attack.
- Establish security awareness campaigns that stress the avoidance of clicking on links and attachments in email from unknown senders. That could include, for example, the technology department running phishing campaigns, which internal audit evaluates in terms of the effectiveness of the organization’s training and education processes and to identify frequent offenders.
- Ensure antivirus software is installed and is up-to-date across all endpoints within the business. Antivirus software on its own is unlikely to be enough, so the organization may also evaluate next generation antivirus programs that include endpoint protection. This can look for ransomware attempts and provide IT with the ability to monitor attacks to stop them from spreading. Internal audit should be looking at the cyber defense IT road map and strategy and evaluate configurations.
- Use content scanning and filtering on mail servers. Inbound emails should be scanned for known threats and should block any attachments that could pose a threat. While spam protection should identify and block a lot of these attacks, advanced threat protection tools should be inserted into the mail flow, which will look for and quarantine unsafe messages that may contain malware, for instance. It can also scan URLs to ensure phishing attachments are identified and protected.
- Restrict users’ ability (permissions) to install and run unwanted software applications and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- If the data is backed up to an external storage device, remove the device after backup so that if ransomware does infect the computer, it won’t be able to spread to the device. Where organizations depend on cloud backup, ensure there is off-site replication of essential data.
- Apply a patch management system, making sure all desktop clients are fully patched. Ensure the system is patching commonly exploited third-party software — such as Java and Adobe Flash — which will prevent many of these types of attacks from being successful.
Organizations need to ensure they are paying close attention to basic IT routines. “The reason attackers are able to get in and get this kind of control over companies’ systems is because the company has failed to do something it should have done,” says Neil Frieser, senior vice president of internal audit at telecommunications company Frontier Communications in Norwalk, Conn. And internal audit’s role is to understand whether basic security policies and routines are in place and have been followed.
“Failure to patch vulnerabilities in a timely way is No. 1 on the list of cybersecurity issues,” Frieser says. Manufacturers regularly update their hardware and software with patches that help to protect those devices and programs from attack via vulnerabilities. Unlike consumers, who can generally download the latest updates with the click of a button, companies have to ensure that when they apply a patch to a particular system, it will still work as intended on the network. Frieser says it is critical for someone on the network infrastructure team to ensure that patching happens timely across the organization.
“I’m a big believer in the concept that routine things need to be done routinely and patch management falls into that,” he says. “It has to be a priority because it only takes one vulnerability to create potentially serious problems.”
During Frontier’s annual cybersecurity audit, Frieser’s team looks to see whether the business has any exposures on patching that are known about, but not yet dealt with. They also look at the process. “Just because there are no outstanding issues does not mean that the patching process is good,” he says. “Someone may have just done the patch updates because they knew the auditors were coming.”
The other major issue for Frieser is access reviews. Auditors should be periodically looking at all of the users in key systems. Generic IDs and passwords should be weeded out. Key questions to consider, he says, are whether there are IDs that have not been used for long periods or IDs that are associated with people who are no longer with the company or with people who have changed roles and no longer need the same access levels.
“If you have a generic ID for administrator, with “admin” set as the password — and where it’s shared — it is crazy to have that in your company’s infrastructure,” Frieser says. Privileged access is a critical area for auditors to focus on, because hackers who get into the system can begin to shut things down associated with that access point — and potentially hold the business for ransom.
While organizations and auditors are generally aware of both of these key areas, they need to be constantly monitored. “Issues often arise due to laziness,” he says. “For example, someone might set up a generic admin ID and password in the throes of implementation, which they intend to change, but then forget about it and it becomes a vulnerability.”
The People Factor
Even with good controls over patch management and access rights, organizations can still be at risk of a ransomware attack.
“A lot of technical security has been commoditized to the extent that it is hard to switch off the safety measures in the software where it has been properly patched,” says Edward Wolton, deputy CEO at the London-based security consultancy Templar Executives. “People are often the greatest vulnerability, especially if they do not know what to do in the case of an attack.” Organizations need to put in place training for all personnel and have a well-circulated policy on what to do in case of a security breach.
Boards Are Paying Attention
One of the more fortunate side effects of recent attacks, such as that on the City of Atlanta and last year’s WannaCry that affected the U.K.’s National Health Service (NHS) among many others, is that it has brought the issue into the boardroom. In May 2017, WannaCry caused the NHS to cancel 20,000 hospital appointments and affected 80 of its 236 Trusts, which are responsible for running the organization’s health services — everything from hospitals to ambulance services — as well as hitting 200,000 computers in at least 100 countries. An April 2018 report by the U.K. government’s House of Commons Committee of Public Accounts said the attack most likely exploited unpatched vulnerabilities in Windows XP — even though the NHS had been warned about the dangers repeatedly since 2014.
Wolton says media coverage of the NHS attack in the U.K. suddenly made organizations and their boards pay attention and has, in some ways, made ransomware less of a threat due to raised awareness. It also has provided CAEs with an opportunity to advocate for cybersecurity to be moved further up on the agenda. “Traditionally, responsibility for IT security has been pushed downstairs by the board to the CIO,” Wolton says. While many CAEs are not on the board, he advises them to ensure there is board-level sponsorship for the issue — and that the sponsor really understands the nature of the threat to the organization.
“While it is changing rapidly, too many businesses fail to have a senior-level sponsor who understands the risks and the level of network and governance controls needed to minimize the threat,” he says. In devising a policy on ransomware that spells out the organization’s response, boards will need to decide on the level of risk they are prepared to accept and review their backup policies and procedures. If they decide that in certain circumstances they will pay the ransom, they will also need a cryptocurrency policy and capability.
Internal audit has an opportunity to educate the board and expand its influence. From a board perspective, internal audit should be working with boards to develop reporting metrics and monitor protocols to evaluate the organization’s cyber defenses and, in turn, help mitigate the risk of future attacks.
Recovery From an Attack
Wolton says organizations have become a victim of progress when it comes to backing up critical information. Twenty years ago, for example, most businesses had separate monthly, weekly, and daily backups, with the first two types being stored off-site. Today, many rely on continuous cloud-style backups. With this newer technology, it can be difficult to wind the clock back after a ransomware attack and identify when the system first became infected. That is why a robust backup policy and detection capabilities are crucial.
In fact, while awareness of ransomware threats is rising, many organizations are not looking at the problem from a recovery perspective. “A lot of CAEs and CIOs are now doing risk assessments on ransomware, but fewer are considering it from a disaster recovery perspective,” says Michael Lisenby, managing partner at Rausch Advisory Services LLC in Atlanta. Lisenby says CAEs should be approaching the problem from the perspectives of prevention, detection, removal, and recovery.
“That entails conducting table-top scenarios with all those who are likely to be involved in dealing with a ransomware crisis,” he says. The more the team members have practiced the routine, the less likely they will be surprised by their vulnerabilities. In the Atlanta and NHS attacks, for example, the reality of having to communicate without emails had not been fully tested. Lisenby says it is worth the team considering the threats to their operations both from a business and an IT perspective to get a full view of the enterprisewide nature of the risks. Because the entire organization is affected, he says the heads of legal, finance, human resources, IT, risk, internal audit, and others should be involved — as should regulators, where appropriate.
“This is not a once-in-a-lifetime exercise, it has to be done annually,” Lisenby says. That is because the nature of ransomware attacks and their impact on an organization are constantly changing. For example, Internet of Things (IoT) devices are opening up new and unlikely vulnerabilities. “I know of a casino where player data was stolen from its systems,” he says. The culprit? A smart thermostat in an aquarium on the shop floor.
“There are products out there that enable you to scan to see if IoT devices have been added, and you can make sure they are segmented from the network and access of least privilege is associated with them,” Lisenby says. “But only if you keep on top of the issue and make sure you have the right routines in place.”
Best to Be Prepared
Ransomware attacks are simple and effective. Organizations need only one point of weakness to be vulnerable, so, as Noble says, it is more a case of when it happens, rather than if it will. Having a proactive approach to the problem with regular and effective training for staff across the entity is a good place to start. But organizations also need to have well-tested plans for when an attack strikes successfully, with effective data protection systems in place and business continuity routines that work.