The Ever Increasing Threat of Ransomware
In January, it was Ohlone Community College District. In February, Centralia College and Pellissippi State Community College. These are just three of the colleges that have experienced highly disruptive ransomware attacks already in the first quarter of 2022. These attacks disabled email systems, phones, and student portals, and compromised sensitive information such as student names, email addresses, identification numbers, and passwords.
Because of the large amount and type of data they possess, colleges and universities continue to be prime targets for ransomware attacks. Within a 30-day period in 2021, educational organizations were the target of more than 6.1 million malware attacks, while the second-most affected industry (business and professional services) saw only 900,000 attacks. Unfortunately, ransomware attacks against higher education institutions have more than doubled since the onset of the COVID-19 pandemic.
Through a ransomware attack, hackers are typically trying to locate and encrypt the most valuable organizational data. Attackers will often target organizations that are conducting research where the data is highly confidential, or they could be looking for personally identifiable information, including social security numbers, addresses, and birthdates. Other ransomware attacks target specific data types or systems that, if taken down, can make it difficult, if not impossible, for an organization to function.
In the past, many institutions may have falsely relied on cyber insurance to cover possible losses following a data breach. However, as the costs and rate of attacks have increased, so have the costs and requirements for obtaining cyber insurance coverage, with some cyber insurance premiums increasing by as much as 400 percent. Growing pressure from public officials advising insurers not to facilitate ransomware payments has also led to more insurance policies now specifically prohibiting payments from being made.
During the application or policy renewal process, organizations have to be able to demonstrate they have a comprehensive security program in place, may be asked to answer very complex questions about their institution’s information security practices, and may be required to demonstrate adherence to strict security requirements. Multi-factor authentication, network segmentation, regular penetration testing, etc. are no longer just information security best practices, but rather requirements for obtaining cyber insurance.
Rather than relying solely on insurance coverage or responding after your organization has been hit with a possible ransomware attack, security efforts and resources should be dedicated to proactively identifying exploitable vulnerabilities, identifying the early signs of an attack, and deploying preventative measures and technologies.
1) Prioritize identifying and patching software vulnerabilities.
Verify that all of your operating systems, applications, and software are up to date. Establish a defined process that ensures systems are updated regularly and the latest patches are installed automatically. Secure endpoint devices and close security gaps that may exist in non-standard configurations.
2) Monitor network traffic for suspicious activity.
Proactively detecting and responding to a potential attack is critical to minimizing the overall impact. A recent Splunk report revealed that a typical ransomware attack took only 42 minutes to complete, which is very fast and makes it almost impossible to stay in front of if you aren’t alerted to the suspicious activity until after your systems have been compromised.
3) Regularly test your backup and disaster recovery/incident response processes.
Test your backup processes and ensure you will be able to restore systems and data if needed. Your organization should also prepare for and facilitate a tabletop exercise to ensure everyone knows their individual responsibilities and who to contact during a cybersecurity incident. Involve senior leaders in the tabletop exercise so you can discuss high level decisions around risk tolerance, ransom payments, etc. prior to an actual attack, so these discussions don’t have to take up valuable time your teams need to be concentrating on managing and recovering from the incident. For more information on how to structure an Executive-Level exercise, visit https://www.campusguard.com/articles/cybersecurity-tabletop-exercises-for-leadership-teams.
4) Conduct routine risk/security assessments.
Conducting routine security and risk assessments can help inform your organization of identified risk levels and develop risk-tolerance and response plans. You can utilize industry security frameworks (e.g., NIST SP 800-171 or the NIST Cybersecurity Framework) to see how well your organization aligns with the recommended controls and identify gaps in policies and processes. This can also help your organization identify the highest-priority action items to decrease overall risk, and provide senior leaders, auditors, Boards, and regulators with a high-level overview of the organization’s cyber resilience and areas in need of improvement (e.g., allocation of more funding/resources).
5) Provide Awareness Training.
Did you know that the Colonial Pipeline attack stemmed from a compromised password? Phishing is the most common ransomware attack vector and is used to trick a user into sharing their credentials so the attacker gains unauthorized access to key systems. Tactics like asking a user to click on a fake attachment or link can automatically download ransomware to organizational systems. Once attackers have access to the organization’s network, they may then be able to pivot to other networks and systems.
Educating employees is always your organization’s first line of defense. Awareness training should include best practices around email security, phishing, password security, etc., with an understanding of why each is important and the potential impact that can come from each. Staff should also be trained on when and how to report suspicious messages. Ongoing information sharing and education is important so that everyone remains vigilant and is prepared if/when an attack occurs.
6) Vulnerability Management/Penetration Testing
Regular vulnerability scanning and penetration testing will identify and test for security vulnerabilities, especially in any internet-facing systems. Routine penetration testing allows you to safely test the security of your organization’s systems against real-world threats that could impact your network security; identify vulnerabilities caused by operational weaknesses, outdated security policies, insecure settings, bad passwords, software bugs, configuration errors, etc.; and provide steps for remediation. A pen test will flag areas of weakness before a hacker finds and exploits them. This proactive test of the organization’s overall exposure helps to protect you from financial and reputational loss, as well as potentially devastating downtime.
Through penetration testing, your organization can effectively evaluate the security of internal and external networks and web applications, prioritize the associated risks, and understand the level of security that will be required to protect organizational data, people, and assets from attackers.
Ransomware continues to be a real threat and is top of mind for organizational executives and Boards this year. Help your organization to be better positioned to identify attacks before they occur!
Additional guidance from the CampusGuard Offensive Security Services team is below:
[Campbell]: Most malicious actors are lazy -- they tend to target vulnerabilities that are easy to exploit. Therefore, by prioritizing the patching of your software you’re dramatically slowing down most hackers.
Weak and stolen passwords are by far the most common way an attacker gets an initial foothold in a network. Deploying MFA across all services and forcing your users to use strong passwords will stop nearly all malicious actors entirely.