Ransomware could be less of a threat if infosec pros were more disciplined, a panel of experts told a virtual cybersecurity conference.
“We should focus on the vulnerabilities that are used by ransomware and shrink their attack surface,” Srinivas Mukkamala, senior vice-president of cybersecurity products at Ivanti, an asset management provider, said Wednesday during a panel on ransomware on the first day of the two-day Data Connectors Canada East Virtual Cybersecurity conference.
While there are 2,000 vulnerabilities in information systems, internal controls, or system processes that can be exploited by cybercriminals, he said, fewer than 300 are being used by ransomware families.
“This is a solvable problem if you know what 300 vulnerabilities you have to go after and you have exposure to,” he concluded.
In other words, he said, infosec pros need to evaluate the risks particular to their organizations.
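Mukkamala's point is that the question is not "how many vulnerabilities exist" but "which of the ones we actually have are used by ransomware, and which of those are exposed." The script below is an added illustration of that triage, not something presented by the panel or by Ivanti: it joins a constructed asset inventory against a constructed list of ransomware-used CVEs and ranks what to fix first. All host names and CVE identifiers are placeholders; in practice the ransomware-used list would come from a curated feed.

```python
"""Rank findings by whether ransomware families use the CVE, whether the host is
internet-facing, then CVSS. Added example; every identifier below is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool
    cves: Tuple[str, ...]          # CVEs an authenticated scan found on this host


# Constructed placeholder CVE ids (not real advisories) -> CVSS base score.
RANSOMWARE_USED_CVES: Dict[str, float] = {
    "CVE-0000-0001": 9.8,          # stands in for a remote-access service flaw
    "CVE-0000-0002": 8.8,
}
ALL_KNOWN_CVES: Dict[str, float] = {
    **RANSOMWARE_USED_CVES,
    "CVE-0000-0003": 7.5,
    "CVE-0000-0004": 5.3,
    "CVE-0000-0005": 9.1,          # critical, but not seen in ransomware campaigns
}

# Constructed inventory: what we run, and whether it is reachable from outside.
INVENTORY: List[Host] = [
    Host("vpn-gw-1", True, ("CVE-0000-0001", "CVE-0000-0004")),
    Host("db-int-1", False, ("CVE-0000-0002", "CVE-0000-0005")),
    Host("web-1", True, ("CVE-0000-0005", "CVE-0000-0003")),
    Host("kiosk-7", False, ("CVE-0000-0004",)),
]


def prioritise(inventory: Iterable[Host], ransomware_cves: Dict[str, float],
               cvss: Dict[str, float]) -> List[Tuple[str, str]]:
    """Return (host, cve) pairs, most urgent first.

    Ordering: used by ransomware before not used; internet-facing before
    internal; higher CVSS before lower; then host/cve name for stability.
    """
    findings = [
        (h.name, c, c in ransomware_cves, h.internet_facing, cvss.get(c, 0.0))
        for h in inventory for c in h.cves
    ]
    findings.sort(key=lambda f: (not f[2], not f[3], -f[4], f[0], f[1]))
    return [(host, cve) for host, cve, *_ in findings]


def exposure_summary(inventory: Iterable[Host],
                     ransomware_cves: Dict[str, float]) -> Dict[str, int]:
    """The 'what 300 do I actually have' view: how much of the ransomware-used
    list is present in this environment, and on how many hosts."""
    hosts = list(inventory)
    present = {c for h in hosts for c in h.cves}
    used = set(ransomware_cves)
    return {
        "distinct_cves": len(present),
        "ransomware_used_present": len(present & used),
        "hosts_with_ransomware_cve": sum(1 for h in hosts if set(h.cves) & used),
    }


if __name__ == "__main__":
    print(exposure_summary(INVENTORY, RANSOMWARE_USED_CVES))
    for host, cve in prioritise(INVENTORY, RANSOMWARE_USED_CVES, ALL_KNOWN_CVES):
        print(host, cve)
```

Note that the placeholder CVE-0000-0005 has the highest CVSS in the inventory but drops below both ransomware-used findings: that reordering is the whole point of the argument, and it is the reason a pure severity-sorted scan report does not answer "which 300 do I have to go after."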
“We are still doing a lot of unproductive things,” agreed Ray Boisvert, an associate partner for security strategy at IBM Canada. “We’re failing to fix things fast. We are not being as nimble as the adversaries are. We’re trying to secure everything as opposed to being more strategic in terms of what we protect.”
The biggest problem, argued Andy Stone, CTO for Americas at Pure Storage, is basic cyber hygiene. Infosec leaders don’t understand what in their environment has to be protected.
“Nobody in IT wants to do hygiene,” he added. “If you ask for volunteers to do the hygiene program, people will run from the room. But it’s absolutely critical to solving this problem.”
Detection, speed of recovery should be priorities
“This is not going to be an easy solution,” admitted Boisvert, who called ransomware “a globalized, syndicated industry.”
But, he added, infosec teams aren’t doing a good job of detecting intrusions. That, he said, should be a priority because the dwell time of attackers on networks is still high.
He emphasized the need for risk management, which, he added, means decisions being made at the senior management and board levels.
Another priority, Stone said, should be recovery time after a successful breach. While many experts talk about the necessity of having backups as a defence for any hack, including ransomware, “backups don’t really matter that much. What matters is speed to recovery.”
CEOs don’t care about the type of backup or where it is stored, he pointed out. They want to know how fast the business will be back online. So infosec pros must think about application tiering: What applications are the most important to recover, and in what order? And how will it be done quickly?
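Stone's application tiering question ("which applications first, in what order, and how fast") can be made concrete. The script below is an added illustration, not something the panel or Pure Storage presented: it takes a constructed list of applications with a criticality tier, a recovery time objective (RTO), an estimated restore duration and dependencies, computes a restore order that never brings an application up before what it depends on, and then checks whether each application's finish time meets its RTO when restores run one after another. All application names and numbers are made up for the example.

```python
"""Dependency-aware recovery ordering with an RTO check. Added example with
constructed data; the tiers, RTOs and restore times are placeholders."""
import heapq
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class App:
    name: str
    tier: int                 # 1 = most critical to the business
    rto_hours: float          # recovery time objective agreed with the business
    restore_hours: float      # estimated time to restore from backup and verify
    depends_on: Tuple[str, ...] = ()


# Constructed application catalogue.
APPS: List[App] = [
    App("order-portal", 1, rto_hours=4, restore_hours=0.5, depends_on=("orders-db", "identity")),
    App("orders-db",    1, rto_hours=2, restore_hours=1.0, depends_on=("storage",)),
    App("identity",     1, rto_hours=2, restore_hours=0.5, depends_on=("storage",)),
    App("storage",      1, rto_hours=1, restore_hours=1.0),
    App("hr-intranet",  2, rto_hours=24, restore_hours=2.0, depends_on=("identity",)),
    App("analytics",    3, rto_hours=72, restore_hours=6.0, depends_on=("orders-db",)),
]


def recovery_order(apps: Iterable[App]) -> List[str]:
    """Topological order (Kahn's algorithm) where, among apps whose
    dependencies are already restored, the lowest tier and tightest RTO go first."""
    by_name: Dict[str, App] = {a.name: a for a in apps}
    indegree = {n: 0 for n in by_name}
    dependents: Dict[str, List[str]] = {n: [] for n in by_name}
    for a in by_name.values():
        for dep in a.depends_on:
            if dep not in by_name:
                raise ValueError(f"{a.name} depends on unknown app {dep}")
            indegree[a.name] += 1
            dependents[dep].append(a.name)

    def key(n: str) -> Tuple[int, float, str]:
        return (by_name[n].tier, by_name[n].rto_hours, n)

    ready = [key(n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, _, name = heapq.heappop(ready)
        order.append(name)
        for m in dependents[name]:
            indegree[m] -= 1
            if indegree[m] == 0:
                heapq.heappush(ready, key(m))
    if len(order) != len(by_name):
        raise ValueError("dependency cycle: no valid recovery order")
    return order


def schedule(apps: Iterable[App]) -> List[Tuple[str, float, bool]]:
    """Sequential restore plan: (app, hours until it is back, RTO met?)."""
    apps = list(apps)
    by_name = {a.name: a for a in apps}
    clock = 0.0
    plan = []
    for name in recovery_order(apps):
        clock += by_name[name].restore_hours
        plan.append((name, clock, clock <= by_name[name].rto_hours))
    return plan


if __name__ == "__main__":
    for name, done_at, ok in schedule(APPS):
        print(f"{name:<13} back at {done_at:>5.1f}h  RTO met: {ok}")
```

With these made-up numbers the tier-1 orders-db comes back at 2.5 hours against a 2-hour RTO, so the plan fails before any tier-2 or tier-3 system is touched. That is the kind of gap the "speed to recovery" conversation with a CEO is about: it is fixed by restoring faster (or in parallel), not by having more copies of the backup.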
Stress basic hygiene
Stone also argued that there are three places an organization can defend itself: Before, during and after the attack. But in his opinion CISOs should first focus on stopping and detecting a ransomware attack.
That means putting resources into basic cyber hygiene – including understanding the environment, measuring the effectiveness of awareness training and tabletop exercise programs, and having a good program that tracks log data.
The second priority, he argued, should be recovering after an attack.
Mukkamala argued infosec teams need to be proactive by knowing which vulnerabilities in their organization might be targeted by ransomware. This is separate, he added, from threat intelligence.
Many wrongly think fighting ransomware is only about patching software bugs, Mukkamala added. But, he argued, many ransomware attacks also take advantage of hardware and software misconfigurations and coding errors.
Threat actors are moving up the infrastructure stack, he said, noting recent attacks are going after remote access services and the cloud application layer.
“The biggest challenge I see,” said Stone, “is there’s a big gap between the guys and gals with their hands on the keyboard doing security work day to day, and what senior leadership and board understand is going on.”
The board “has the impression … they are protected” because someone has told them they are protected against ransomware, he claimed. “But the reality is this game changes every day; you have to continue to invest in this space, to put resources behind it – and you (infosec leaders) have to be transparent with your messages upstream so these folks understand.”