Get Our 6 Tips for Protecting Against Cybersecurity’s Biggest 2016 Story
While the Zika virus has garnered serious press this year, another plague is sweeping the country, but getting far less media attention outside of cybersecurity circles. However, FBI Director James Comey warns that this very real threat—ransomware—is “spreading like a virus.” As it does, it has become one of the biggest cybersecurity threats of 2016. And it’s time to bring this tech story into daylight, because ransomware threatens us all.
Ransomware Uses Social Engineering Methods to Manipulate and Infiltrate
Most common criminals prefer simplicity—the easy grab-and-go heist—because less time, money and risk are required, increasing the return on their larcenous efforts. If it’s a choice between stealing a car with the keys in the ignition or a locked car, it’s a no brainer; the smart thief always chooses the former.
Cyber criminals are no different, even though they operate in the digital, versus the physical, world. They seek the path of least resistance, and social engineering provides them exactly that. This attack methodology, which preys on the essential human instinct to trust and be helpful, has been a key tool in the cybercriminal arsenal since the 80s and 90s, but over the last few years, it has taken a very nasty and dangerous turn with the introduction of ransomware.
Ransomware at Work
Similar to ordinary phishing attempts, a ransomware attack often starts with a legitimate-looking email that actually is from a nefarious actor. It can contain a hyperlink that leads to a hijacked or malicious website, but more commonly today, it includes an attachment, like a Word or Excel document, which contains a macro built with malicious intent. Clicking on the malicious link—or opening the document and allowing the macros to run—installs malware that encrypts all data on the recipient’s computer as well as on any network data to which it has access. The legitimate end user, and possibly the entire organization, is locked out. The hacker holds that data and network captive until a ransom is paid.
The Danger Increases
In April, the FBI warned that, “Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam emails, but because email systems got better at filtering out spam, cyber criminals turned to spear phishing emails targeting specific individuals.” Cyber criminals scan social media and other public sites looking for information to help them choose their targets, typically people in key roles within organizations. The result is an email that appears legitimate (i.e., from someone in accounts payable or sales) and a document that needs attention by the recipient (i.e., an invoice or a customer request).
The High Cost of this Hacking Methodology
Based on FBI reports, CNN Money published the cost of ransomware for first quarter 2016. “Cyber criminals collected $209 million in the first three months of 2016 by extorting businesses and institutions to unlock computer servers.” On its own website, the FBI indicated that “if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.”
The Damage Can Be Devastating
The FBI describes the catastrophic impact of these attacks, including “the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.” In his speech to the International Cyber Security Conference, Director Comey characterized hackers’ intentions: “What they’re after is obvious: information and access and advantage and money. Increasingly we are worried not just about the theft of data but the corruption of data, and the denial of access to our own data in cases like Sony.”
The Rate of Attack Is Exploding
Since 2005, more than 7,700 ransomware complaints have been submitted to the Internet Crime Complaint Center (IC3), yet the 2,453 complaints it received in 2015 alone account for almost one-third of that 10-year total. This ransomware explosion is occurring because cyber criminals figured out they could monetize their social engineering attacks, thereby enriching themselves in the act of paralyzing their victims.
Multiple Layers of Security Provide Best Inoculation
For most viruses, there’s a way to protect yourself, and the same holds true for ransomware. There are ways to protect your institution from falling victim to an attack, as well as ensuring it can recover from an attack without catastrophic consequences.
These six steps form the basis of that antidote:
Educate Your Employees
In the current environment, once-a-year cybersecurity training is not enough. Institutions must conduct ongoing awareness campaigns that continually educate their employees about cyber-criminal behaviors, motivations, methodologies and trends. In addition, these campaigns should reinforce your policies and procedures, including actions employees should take to prevent their inadvertently becoming a victim of ransomware or any other type of malware.
Disable Macro Scripts from Microsoft Office Files
Don’t open the email or click the link if you don’t know the sender used to be the mantra. That is no longer adequate, as the “sender” can appear to be a known individual, and it isn’t just a link to avoid; it’s a tempting document to open. Remind your employees that if they do try to open such a document, they will likely see an “allow content” message, which enables the use of macro code, the medium used to inject the ransomware. Beyond this employee education, institutions should take the enterprisewide step of disabling macro scripts from Microsoft Office files sent via email. In its own recent awareness campaign, the FBI also recommends that organizations “implement software restriction locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).”
Closely Manage and Review All Privileges and Permissions
In that same campaign, the FBI also advises appropriately configuring access controls, including file, directory and network share permissions. Routinely reviewing employee privileges and permissions will ensure they only have access to the systems or networks they absolutely need. This significantly limits the potential access points available to cyber criminals. So even if an employee receives and opens the link or document in a phishing email, his lack of access to the larger network prevents that email from extensively damaging your institution.
Back Up Data Daily
In an article for Bankinfo Security, Engin Kirda, a computer science professor at Northwestern University, says ransomware “is a very simple attack that’s simple to prevent if you have good backups.” The problem, he says, is that most organizations don’t perform backups often enough. Financial institutions cannot afford to be in that category. Conducting comprehensive daily backups is crucial to mitigating the impact of a successful ransomware attack. If your institution can recover all data minus one day from its backups, it can resume normal operations faster and likely avoid the need to consider paying any ransom.
Segment Your Network
Just as investors diversify their portfolios to limit the risk from any one investment, financial institutions should segment their networks. Separating your network into distinct and specific zones is a cybersecurity best practice that helps protect against ransomware attacks. If a cyber attacker does gain access, proper network segmentation severely limits the ability of malware to proliferate beyond its initial entry point. Institutions also should take the necessary steps to ensure that their backups are secure and cannot be stricken by ransomware.
Invest in Social Engineering and Penetration Testing
In addition to bolstering employee education, policies and procedures, and mitigating controls in the fight against ransomware, the FFIEC offers this advice, “Conduct an exercise at the financial institution that simulates a cyber attack involving destructive malware.” Investing in such social engineering and penetration testing can validate what you’re doing right as well as uncover vulnerabilities that threaten your institution, whether they stem from human or technical flaws.
Keep Your Institution out of the Headlines
Social engineering works because its victims make easy marks for cyber criminals. While that was a significant threat before ransomware, complete control of your data and systems is now at extreme risk. This is an institutional problem that requires the engagement of everyone in your institution. The goal is to make social engineering much more difficult, so cyber criminals move on to an easier target.
Tyler Leet is director of Risk and Compliance Services for CSI Regulatory Compliance, a role in which he oversees the development and maintenance of the risk and compliance-related services that are conducted for a wide variety of financial institutions and organizations in other vertical markets.