How to protect the company from ransomware and to restore data following a breach?

The datacentre is the castle. You can pull up the drawbridge, fill the moat or drop the portcullis, but at some point you have to let data in and out, and that opens the door to ransomware attacks. Circumventing and exposing an organisation's security is no longer just a matter of pride and peer recognition in the hacker community: with ransomware it has become a fully fledged industry in its own right, one that the cybersecurity company Herjavec Group estimates will top $1 billion in 2016. In the past, those under siege could flood the moat, raise the drawbridge and drop the portcullis to protect themselves, but for the modern datacentre the organisation's life blood is the movement of data in and out.

The question now is not just how organisations can protect themselves from ransomware, but also what the best practices and policies for recovery are when an attack gets through. Data has to flow in and out, and that opens up a route for security breaches, of which ransomware is the most profitable. So can it be prevented from ever occurring, and how? Prevention is, as always, better than cure, and the first line of defence has to involve firewalls, email virus scanners and similar devices. The problem is that the writers of malicious code are always one step ahead of the data security companies that sell protection to their customers, because the industry tends to be reactive to new threats rather than proactive.

With so many devices connecting to the corporate network, including bring-your-own devices (BYOD), there will always be an attack that gets through, especially as many end users are not fully aware of how viruses and similar scams can be attached to emails while masquerading as normal everyday files. A certain amount of end-user education will help, but there will always be the one that gets through. So organisations have to have back-up plans and policies to deal with the situation when it does happen, because we can't keep the drawbridge up forever.

Is ransomware new?

So how long have ransomware attacks been around? Excluding the viruses written by governments for subversion, we have always had viruses that hackers write for fun, for notoriety, or to use as a robot in a denial-of-service attack or as an email relay. With the coming of Bitcoin, payments can be received anonymously, and as you can see from the Herjavec Group's estimate ransomware can be very lucrative while also being very costly to the organisations that are attacked. This is why companies should be building their own data castles, and they should only lower their drawbridges when it is absolutely safe or necessary to do so. At all other times due diligence is crucial.

One of the key weapons against ransomware is the creation of air gaps between data and any back-ups. A solid back-up system is the Achilles heel of any ransomware, as has been proven many times over, such as in the case of Papworth Hospital. However, with the ever increasing sophistication of ransomware and the use of online back-up devices, it won't be long before ransomware turns its attention to those devices as well. It is therefore important to have back-up devices and media that have an air gap between themselves and the corporate storage network; this is going to be crucial in the future. When you think about it, there is a lot of money at stake on both sides if ransomware becomes back-up aware. So it is important to think and plan ahead, and it is perhaps a good idea to make back-ups less visible to any ransomware that might be programmed to attack them.

Disaster recovery

So what is the most effective way to recover from an attack? Any and every back-up strategy should be based around the organisation's recovery strategy, which begins once the offending program and all its copies have been removed. Obviously the key systems should be recovered first, but the order will depend on the range and depth of the attack. One thing that is easily overlooked in a recovery plan, and often missed in recovery scenario tests, is the ability to reload the recovery software itself using standard operating system tools.

The key is to have a back-up plan. In the future ransomware will, rather than blasting its way through the file systems, work silently in the background encrypting files over a period of time so that the encrypted files become part of the back-up data sets. It is therefore important to maintain generations of data sets, not only locally but offsite in a secure location. Remember the old storage adage that your data is not secure until you have it in 3 places and in 3 copies.
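As an added example (not code from the original article), a Python check for the silent-encryption scenario described above: it compares consecutive back-up generations, flags files whose content flipped from ordinary data to ciphertext-like high entropy, and reports the newest generation that still holds a clean copy to restore from. The entropy threshold, file paths and sample generations are constructed assumptions.

```python
import math
from collections import Counter

# Bits per byte above which content looks like ciphertext (maximum is 8.0); assumed threshold.
ENCRYPTED_ENTROPY = 7.5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or random data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENCRYPTED_ENTROPY

def last_clean_generation(generations, path):
    """Index of the newest generation in which `path` is still low-entropy, else None."""
    for idx in range(len(generations) - 1, -1, -1):
        data = generations[idx].get(path)
        if data is not None and not looks_encrypted(data):
            return idx
    return None

def audit_generations(generations):
    """Flag files that flipped from plain to high-entropy between consecutive generations
    (oldest first). Comparing against the previous copy spares files that are always
    high-entropy, such as archives. Returns {path: (generation_flipped, last_clean)}."""
    findings = {}
    for idx in range(1, len(generations)):
        prev, cur = generations[idx - 1], generations[idx]
        for path, data in cur.items():
            old = prev.get(path)
            if old is not None and not looks_encrypted(old) and looks_encrypted(data):
                findings[path] = (idx, last_clean_generation(generations, path))
    return findings

# Constructed sample generations, oldest first: a text report silently replaced by
# ciphertext from generation 2 onward, and an archive that is always high-entropy.
PLAIN = b"Quarterly figures: revenue up 4 percent, costs flat.\n" * 40
CIPHERTEXT = bytes(range(256)) * 16       # stand-in for encrypted content
ARCHIVE = bytes(range(256))[::-1] * 4     # stand-in for a compressed archive
SAMPLE_GENERATIONS = [
    {"docs/report.txt": PLAIN, "archive.zip": ARCHIVE},
    {"docs/report.txt": PLAIN, "archive.zip": ARCHIVE},
    {"docs/report.txt": CIPHERTEXT, "archive.zip": ARCHIVE},
    {"docs/report.txt": CIPHERTEXT, "archive.zip": ARCHIVE},
]
```

Running audit_generations(SAMPLE_GENERATIONS) reports docs/report.txt as turning to ciphertext in generation 2 with generation 1 as the newest clean copy, which is why keeping several generations, not just the latest, matters.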

I’d also recommend the following top 5 tips for protecting your organisation against ransomware:

  • Educate your end-users to make them more aware of the implications of ransomware and how it is distributed.
  • Ensure that you deploy an up-to-date firewall and email scanners.
  • Air gap your back-ups and archives from the corporate network.
  • Maintain good generation controls for back-ups.
  • Remember that back-up is all about recovery; it’s better to prevent the need to recover by planning ahead for disasters such as a ransomware attack to maintain business continuity.

These principles don't change for enterprises that are based in the cloud. Whilst the cloud provides some resilience through economies of scale that many could not afford in their own data centre, one should not assume that data is any more secure in the cloud than in your own data centre. Back-up policies for offsite back-ups and archives should still be implemented.

In-flight defence

But how can you prevent an attack while data is in flight? Whilst we have not seen this type of attack yet, it is always strongly recommended that data in flight is encrypted, preferably with your own keys, before it reaches your firewall. However, many companies use WAN optimisation to improve performance over WAN links, and transporting encrypted files means little or no optimisation is possible. This can affect those all-important offsite DR, back-up and archive transfers. Products such as PORTrockIT can, however, enable organisations to protect their data while mitigating the effects of data and network latency. Solutions like this can help you build and maintain your data castle.

David Trossell, CEO and CTO of Bridgeworks.