ISACA Now Blog


Ransomware: Why Are Organizations Still So Vulnerable?

Rob Clyde, CISM, Board Director, ISACA, Executive Chair of the Board of Directors at White Cloud Security
Posted at 3:09 PM by ISACA News | Category: Security | Comments (2)

Ransomware attacks are not new. In fact, ISACA has been sounding the alarm on the increasing spate of ransomware for quite a while. Unfortunately, it takes a massive-scale cyber attack like the recent WannaCry incident for such cyber crimes to gain national and international notoriety. In fact, another recent ransomware attack that caught the public’s attention in the U.S. came when San Francisco’s transportation department was hit last November, impacting the city’s light rail transit system.

There is a reason why ransomware attacks are becoming popular: For the bad guys, it simplifies the crime and the process of monetization.

Think about it. Earlier, even a simple computer crime involved two steps to get to monetization. First, the criminals had to break in and steal personal information like credit card details; second, they had to sell it on the dark web, often to organized crime groups, in order to get paid. The buyers in turn used the credit card or other information to commit fraudulent transactions.

With ransomware, crime has become an easy, one-step monetization process. Attackers break into a computer system, install ransomware and get the payment directly from the person or organization impacted. It’s a one-to-one interaction, and payment is easily received. While accepting ransomware payment in bitcoins may seem a bit more challenging than accepting a credit card payment, anonymity is crucial to cybercriminals, making it well worth the modest additional effort.

But even with increased awareness of cyber attacks and the heightened need for cyber security, the question remains: why are organizations still so vulnerable? And what can they do about it?

• Whitelisting: Sometimes a ransomware attack can start off with a phishing episode where someone within an organization downloads and runs a malicious executable. Once that happens, the company’s end-point security products (typically an antivirus software solution) are often not enough to detect the attack. That’s why organizations like ISACA, US-CERT and the National Association of Corporate Directors (NACD) also recommend implementing whitelisting or application control – a process by which an organization runs only “known good applications.”

In the past, whitelisting has been hard to manage and maintain. When a company implements the whitelisting approach, every person and device in the company runs only known good code. The problem was keeping the list up to date, such as when an executive had to run an application like WebEx or GotoMeeting. When the application ran and automatically installed a new version of itself, the executive was prevented from launching it until the new version was entered into the whitelist. The lost productivity caused by older whitelisting solutions spelled doom for that approach.

However, in the last year or so, the next generation of whitelisting solutions has hit the market, and they are far superior to the old ones. Newer solutions can trust entire families of software and pull the latest whitelists, making the process of managing “known good software” more intuitive and convenient for IT departments. So, it’s critical for organizations that earlier discarded the whitelisting approach to revisit that decision, especially in the face of increasing ransomware attacks.

• Patching: Keeping systems patched and up to date is important, but it is not a panacea since spear phishing attacks can still trick victims into installing ransomware.

• Backups: Maintaining a good backup helps organizations navigate the waters of a ransomware attack far more deftly. For example, when San Francisco’s transportation system was hit last fall, the city refused to pay hackers the $70,000 ransom that was being demanded. Instead, it took a few days to painstakingly restore backups and during that time, the city let the residents ride in the transit system for free.
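The whitelisting trade-off described above can be made concrete in a small simulation. This is an added example, not code from ISACA or any whitelisting vendor: it models a per-file-hash allowlist (the old approach that blocks a legitimate auto-update) beside a publisher/product “family” rule (the newer approach), and runs both against constructed binaries: an approved meeting client, the newer build its updater installs, and an unsigned executable dropped by phishing. All names, paths and version numbers are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Binary:
    """Constructed stand-in for an executable plus the metadata an
    application-control agent would read from a verified code signature."""
    name: str
    path: str
    content: bytes
    publisher: str = ""      # empty string = unsigned, signature absent or invalid
    product: str = ""
    version: tuple = (0,)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples (not real software hashes or paths).
VENDOR = "Example Meeting Vendor Inc. (constructed)"
CLIENT_V31 = Binary("webex-31", "C:/Program Files/Meeting/webex.exe",
                    b"meeting client build 31.0", VENDOR, "WebEx", (31, 0))
CLIENT_V32 = Binary("webex-32", "C:/Program Files/Meeting/webex.exe",
                    b"meeting client build 32.0", VENDOR, "WebEx", (32, 0))
DROPPER = Binary("dropper", "C:/Users/exec/Downloads/invoice.pdf.exe",
                 b"encrypt every share")          # unsigned: no publisher

# Old approach: one entry per approved file hash; any rebuild needs a new entry.
HASH_ALLOWLIST = {sha256_hex(CLIENT_V31.content)}

# Family approach: (publisher, product) -> lowest version trusted. Newer builds
# from the same verified signer run without touching the list.
FAMILY_ALLOWLIST = {(VENDOR, "WebEx"): (31, 0)}


def allowed_by_hash(binary: Binary, allowlist: set) -> bool:
    return sha256_hex(binary.content) in allowlist


def allowed_by_family(binary: Binary, allowlist: dict) -> bool:
    if not binary.publisher:               # unsigned code is never "known good"
        return False
    floor = allowlist.get((binary.publisher, binary.product))
    return floor is not None and binary.version >= floor


def decisions(binaries, mode: str) -> dict:
    """Map each binary name to True (run) or False (block) under one mode."""
    check, allowlist = ((allowed_by_hash, HASH_ALLOWLIST) if mode == "hash"
                        else (allowed_by_family, FAMILY_ALLOWLIST))
    return {b.name: check(b, allowlist) for b in binaries}


if __name__ == "__main__":
    for mode in ("hash", "family"):
        print(mode, decisions([CLIENT_V31, CLIENT_V32, DROPPER], mode))
```

Under the hash rule the overnight update (webex-32) is blocked, which is the productivity complaint in the text; under the family rule it runs while the unsigned dropper is still blocked in both modes.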

Interestingly, we are also seeing the emergence of quirky trends among ransomware criminals. These hackers are increasingly adopting best practices to close ransom transactions quickly, as the ransom demands are often not too high compared to the time and effort it would take to restore the backup.

So, to motivate the victim to pay the ransom, ransomware attackers are:

  • Offering discounts if the ransom is paid within a set number of days
  • Adopting a “try before you buy” approach, where the affected party can ask for a specific file to verify the veracity of the hacker’s claims
  • Offering technical “chat” support after the ransom has been paid to assist the victim in recovering files

But despite these best practice claims by cybercriminals, organizations that have become victim to ransomware attacks need to make sure a thorough cleanup process is executed as part of the incident response – perhaps even scrubbing and restoring the entire system and network – to make sure the attackers are no longer there.

Comments

Ransomware: Why Are Organizations Still So Vulnerable?

The points are covered really well, sir. Whitelisting solutions, patch updates and regular backups of the critical data are the key to combat the menace of ransomware. However, the point to keep in mind is that the backup preferably should be kept offline, as having an online backup may also pose the same risk of getting encrypted by a ransomware attack.

Further, employee awareness about the basic safety practices can reduce the vulnerability of the organisation to such attacks to a great extent.

Regards

R S Wadhawa

RAJENDRA921 at 5/22/2017 5:33 AM

IT Audit & Ransom Risk

There are some important points about the IT Auditor job and IT Auditor efficiency: while we are making some analysis about the ransom viruses as a zero-day application... the virus gets its job done when the user clicks on a link or downloads an infected file. Most of this happens by receiving an email (that's number one).

Some of the zero-days exploit a vulnerability which has already been known, and some of them have been healed by the vendor (that's number 2).

The most affected organizations may pay a lot of money for the security systems, but the big concern is that they don't give IT Audit enough importance.

The first point's treatment is the security awareness program, which must be assessed and tested by the IT Auditor.

The second point is related to the change management control, which must be assessed and tested by the IT Auditor.

- Part of point number 2: the cooperation between the IT Auditor and the CISO to find the most efficient compensating control for the not-fixed vulnerability...

We hear many reports about this risk, but to be honest the IT Auditor job has many challenges; one of them is that organisations may not separate between the IT Auditor and other Internal Auditors.

Thanks So MUCH

Mostafa Alseidy, CISA
braistorm@gmail.com

Mustafa alsaedy at 5/24/2017 3:01 AM