Four ways to uplevel visibility into your potential attack surface
Ransomware (everyone’s least favorite software) is entering a new phase. As the world drags itself out of the Covid swamp, we are now met with a new challenge, state-sponsored Ransomware-as-a-Service. This is an actual business model where “affiliates” pay to launch ransomware attacks developed by operators. You can literally buy kits to get started, complete with forums, users reviews, support, etc. The scary part is that something clearly illegal is being rapidly infrastructured to go after pretty much anyone or anything, in effect expanding the market for opportunists who are too stupid or lazy to figure this out on their own.
Who does this potentially affect? Anyone (or any company) using a computer or phone. Which is a number probably north of five billion people and hundreds of thousands of businesses globally. Pretty much everyone everywhere is at risk of getting hit at some point. Attacks are becoming increasingly sophisticated and harder to spot, even by people who know what to look for. What can businesses do to mitigate the risk? There are multiple approaches, but the four key things to focus on now are:
Visibility. You have to know who has what where, and not as of a week ago. As of pretty much right now. Your visibility into your IT inventory as it moves through its lifecycle has to be comprehensive and integrated. Hardware, software, endpoints in the wild, cloud instances, even IoT devices all need to be tracked, managed, and secured. If it’s on your network, it’s a potential entry point. You also need to correlate. Software only exists on hardware, and you need both to get on the cloud, and a user is the key driving force. Keep track of everything, particularly things that are moving around, and who is moving them around. This requires the automated management of technology across the enterprise at scale, and there is a very effective solution for that.
Access control. Who is allowed to do what, and who says they can? This is particularly relevant if you have employees in countries where local government interests may not necessarily align with yours (Belarus), or everything is going to hell in a handbasket (Ukraine). You should not assume all employees are precisely aligned with your security protocols, or even that they’re all pivoting off the same source of truth. This is not to say don’t trust your employees, it means you very likely do not have the level of control of your human resources that you think you do. Keeping access control mechanisms updated and tight is critical, particularly now. Your organization needs to be structured with different levels of internal trust (assuming a baseline of zero trust externally); this is another excellent example of where Enterprise Technology Management can provide the needed visibility and controls to stay ahead of a rapidly shifting dynamic.
Protocols. Implement stringent security protocols now, and make sure your CISO is a hardass about it. We are well past the point of coddling, the downside curve is getting deeper and steeper, particularly in a post-invasion environment. We are all being warned at the top of the government’s lungs that we need to be on our toes. This starts with overly stringent security measures. You literally cannot be too careful or paranoid. Build a culture of security in your organization, and do it now.
Backup, backup, backup. Assuming you do get hacked/ransomed, your cushion is the last time you backed up your data. Once a week? D’Oh! Everyday? Tedious but manageable. Or choose continuous data backup - more work but your downside is as small as they get. Also keep your backup offline, for obvious reasons. Whatever your backup protocol is, it needs to be automated and scheduled, and it is critical that everyone adheres to it.
While this new reality is tedious and unpleasant, approaching this challenge strategically and holistically can turn something that would have been a massively disruptive public faceplant into a non-event. Is it difficult and tedious to gain visibility, insight, and control over your IT estate? Surprisingly the answer is not really. It’s definitely complicated but also straightforward, and once you get the process of Enterprise Technology Management in place, it's also automated, which means it scales effortlessly and runs at machine speed.