Another night at the information security museum

Last year, in “Night at the information security museum,” I noted that there’s a lot information security professionals can learn from museum heists. I wrote of the Isabella Stewart Gardner museum heist of 1990 which saw $500 million worth of art vanish, to which it has never been found. For the last 28 years, visitors to the Gardner museum can no longer see such masterpieces as The Concert, one of only 34 known works by Vermeer. Or The Storm on the Sea of Galilee, Rembrandt’s only known seascape, and others.

A new project called Hacking the Heist uses augmented reality to virtually return these stolen pieces. The project has digitally placed the stolen art pieces back in their frames. They use Apple ARKit, which is a set of software development tools developers can use to build augmented-reality apps for iOS, to create a virtual replacement is a backup of sorts. It’s certainly no full replacement, but the best that can be done in the interim.

What does this have to do with information security? First, the museum has a bounty reward of $10 million for information leading to the recovery of the stolen works. Secondly, the augmented reality is a backup, albeit an imperfect one. For most people who are not art enthusiasts or experts, this is good enough. But when it comes to data, an exact backup is needed.

The recent ransomware attack which shut down the city of Atlanta’s online systems for over a week was an exploit against the lack of real-time backups. It meant that residents couldn’t pay their bill or parking tickets. Police had to write their reports by hand. And court proceedings had to be canceled. Court dates had to be rescheduled and all applications for city jobs were suspended. If there was a silver lining, 911, police, and fire/rescue were unaffected, as was Hartsfield Jackson International Airport.

Atlanta Mayor Keisha Lance Bottoms said that the attack on the City of Atlanta was an attack against all of its citizens. The truth be told, the attackers could care less about the citizens of Atlanta. Their aims were simple – show them the Bitcoins. If anything, it was an attack against the network and security administrators, and the city of Atlanta CISO and CIO, and not Atlanta citizens. To that, the lack of backups meant that the city had no leverage against the attackers.

Don’t be a desperate organization

Chris Sherman and John Kindervag write in Ransomware Protection Best Practices that ransomware uses desperation as a primary means of influence. Individuals are desperate to regain access to critical systems and will do anything they can to get their data back. That desperation often means paying a ransom.

But even for those that decide not to pay the ransom and try other avenues for recovery, or even recovery to an older backup; the costs can still be significant. Case in point from this week, where the City of Atlanta, while not paying a penny in ransom, is nonetheless projected to spend at least $2.6 million on ransomware recovery from their recent incident.

A few weeks ago, Atlanta was a victim of the SamSam ransomware, which exploits a Java vulnerability. The attackers set a ransom of about $50,000 in bitcoin, which the city decided not to pay. Yet had the City of Atlanta followed the basic security best practice of patching, they likely could have avoided becoming a victim.

The sorry state of information security is that in 2018, far too many firms don’t have formal patch management systems in place. They are running many different types of vulnerable software that almost beg to be exploited.

And it’s important to note that patch management does not apply just to the Windows and Linux operating systems. Any piece of software that can be updated, most likely should be updated. This includes Java, Flash, Silverlight, Oracle, Acrobat and more.

Avoiding ransomware is possible

Even if a firm can recover without paying the ransom, it is still expensive in terms of lost time, external consultants, negative publicity and more. The beauty of an effective ransomware mitigation plan is that it does not require any fancy expensive information security appliance. In fact, using technology from 1998 could mitigate it.

The answer is that with proper backups in place, you can virtually eliminate the attacker’s ability to hold your data hostage. In fact, ransomware authors rely on the fact that firms have feeble data backup processes. Because if every enterprise had effective backups, ransomware authors could not make a profit.

To that, the following steps should be considered as part of a program to ensure your firm does not become a ransomware victim:

• Frequent backups. Ransomware only works because enterprises don’t have recent backups. What frequent differs significantly between industries and organizations. A large airline may be able to tolerate no more 15 seconds of lost data. Your local chiropractor might be able to tolerate up to a week of lost data.
• Check backups for malware. Just because you have a backup doesn’t mean it’s clean of ransomware. Make sure that the backup process includes scanning for malware.
• Get the CISO involved. Your CISO should develop visibility into backup processes. While information security is often called in to help in the ransomware cleanup process; it should also be involved earlier in the lifecycle to ensure backups are done in a secure manner.
• Redundant copies. Ensure you have redundant copies of your backups. At a minimum have 3. And make sure that one of those copies is stored offline.
• Test backups. A backup is only fully completed when the data can be resorted. Ensure frequent testing is an integral part of the backup process.

You don’t have to be a ransomware victim

Ransomware is on the rise. It’s easy and effective for the attackers. The chances of it going away in the near future is unlikely. What that means is that firms need to put fundamental information security processes in place to ensure they don’t become ransomware victims. It’s not that difficult, people.