Among the many interesting discussions I heard at the Institute of Internal Auditors’ global conference this week, one particularly compelling session was about ransomware: how attackers try to foist it upon companies, and the internal controls you could implement to keep such attacks at bay. Since ransomware risk is going nowhere but up these days, I took detailed notes.
First, credit where credit is due. The session was led by Joe Shusko, principal in cybersecurity at advisory firm Baker Tilly; and Emily DiNardo, partner at Baker Tilly. They gave an excellent overview of how ransomware attackers approach a target and the practical steps audit and risk management teams can take to improve your defenses.
Just about everyone now knows what a ransomware attack is; but Shusko and DiNardo offered a detailed breakdown of how ransomware attacks happen. The attacks unfold in three stages:
- Gain entry into the company’s IT systems;
- Explore and observe those systems, to identify critical assets;
- Execute the attack itself against those valuable assets.
That all seems straightforward when you pause to think about it — and audit teams should think about it, because those three steps can also guide your risk assessment and internal control counter-strategy.
For example, if the attackers’ first goal is gaining access to your IT systems, then you need to assess how they might gain access to your systems. That means asking questions such as:
- How effective is your organization’s process for applying security patches to the ERP software you use, and to the internet-facing systems (VPN gateways, remote-desktop services, web servers) that attackers probe first?
- How strong are your password policies? What about employee training against phishing attacks? (More than 90 percent of ransomware attacks begin with attackers guessing weak passwords or duping employees with a phishing email, according to the U.S. Cybersecurity and Infrastructure Security Agency, CISA.)
- Do you use multi-factor authentication at appropriate points, such as anyone trying to log onto the corporate network from an external location?
Audit teams can chew over any one of the above issues for quite some time. We’ve written before about the risks of poor software patch management, and regulators have spoken often about the need for multi-factor authentication — especially if you’re a federal contractor dealing with sensitive data.
Once They’re Inside
Security and audit teams also need to ponder those later parts of a ransomware attack: observing the system to find critical IT assets and launching the attack itself. How would you implement steps to thwart those actions?
First, your security team should practice good IT asset management. That could include everything from keeping a current inventory of all assets (hardware equipment, software systems, webpages, databases), to managing those assets throughout their lifecycle.
For example, think of all the hostnames under your company’s domain. Not just public-facing names like www.WhateverName.com, but also the lesser-known subdomains such as “site.WhateverName.com” or “product.WhateverName.com” that were set up for a project, a product launch, or an internal tool. Are all of them still used on a regular basis, and does some team own each one? Are any left ignored, running software nobody patches anymore, or still pointing at a third-party service the company stopped using? Attackers will enumerate your online presence to find those forgotten hosts, because a neglected system with an old vulnerability is a far easier way in than a well-maintained one.
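One concrete way to turn those questions into a repeatable audit step is to reconcile the DNS zone against the asset inventory. The following is an added illustration for this article, not code from the original page or from Baker Tilly; the zone export, the inventory, the WhateverName.com hostnames, the date of the review and the 203.0.113.x addresses (an IETF documentation range) are all constructed sample data.

```python
"""Reconcile a DNS zone export against the asset inventory to find forgotten subdomains.

Added illustration for this article, not code from the original page or from Baker Tilly.
The zone export, the inventory, the 'whatevername.com' hostnames, AUDIT_DATE and the
203.0.113.x addresses (an IETF documentation range) are all constructed sample data.
"""
from datetime import date

ORG_ZONE = "whatevername.com"
AUDIT_DATE = date(2024, 6, 1)  # constructed "today" for the review

# Constructed zone export: (hostname, record type, target)
DNS_RECORDS = [
    ("www.whatevername.com", "A", "203.0.113.10"),
    ("site.whatevername.com", "A", "203.0.113.11"),
    ("product.whatevername.com", "CNAME", "product-legacy.example-saas.net"),
    ("intranet.whatevername.com", "A", "10.20.30.40"),
    ("promo2019.whatevername.com", "CNAME", "whatevername.example-pages.io"),
]

# Constructed asset inventory: hostname -> (owning team, date last reviewed)
INVENTORY = {
    "www.whatevername.com": ("web-team", date(2024, 5, 1)),
    "site.whatevername.com": ("marketing", date(2022, 1, 15)),
    "intranet.whatevername.com": ("it-ops", date(2024, 4, 20)),
}


def review_domains(records, inventory, today, max_age_days=365):
    """Return a list of (hostname, reason) findings for the audit team to chase down.

    Three checks, each a way a host can quietly rot:
      * the name resolves but no team owns it in the inventory;
      * a team owns it but has not reviewed it within max_age_days;
      * it is a CNAME to a host outside our own zone, i.e. a third-party service
        that may have been cancelled while the DNS record stayed behind.
    """
    findings = []
    for host, rtype, target in records:
        entry = inventory.get(host)
        if entry is None:
            findings.append((host, "resolves but has no owner in the asset inventory"))
        else:
            owner, last_reviewed = entry
            age = (today - last_reviewed).days
            if age > max_age_days:
                findings.append((host, f"owned by {owner} but last reviewed {age} days ago"))
        if rtype == "CNAME" and not target.endswith("." + ORG_ZONE):
            findings.append((host, f"CNAME to third party {target}; confirm the service is still active"))
    return findings


def hosts_needing_review(records, inventory, today):
    """Distinct hostnames with at least one finding, sorted for the report."""
    return sorted({host for host, _ in review_domains(records, inventory, today)})


if __name__ == "__main__":
    for host, reason in review_domains(DNS_RECORDS, INVENTORY, AUDIT_DATE):
        print(f"{host:32} {reason}")
```

Run against the sample data, the two hosts missing from the inventory and the one not reviewed in over a year are flagged, while www and intranet pass. In practice the zone export comes from your DNS provider or registrar and the inventory from the CMDB; the point is that the reconciliation is mechanical once both lists exist, which is exactly why asset management has to come first.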
You also need strong data and control mapping capabilities, to understand where your mission-critical systems and confidential data are. Only then can you implement whatever security controls might be appropriate for the data you have; and only then will you be able to understand which troves of data might have regulatory requirements for disclosure if you suffer a breach.
One interesting point from Shusko: ransomware attackers will often target your backups first, so that you (the victim) can’t simply revert to your backups when primary databases or systems are locked down.
So, again, audit teams need to ask the right, relevant questions here. What are the company’s backup procedures? Are backups kept where an attacker who has won administrator rights on the production network cannot reach them to encrypt or delete them, such as offline copies, or storage that cannot be altered for a set retention period, connected only for the updates that are actually necessary? Has anyone tested a full restore recently, and how long did it take? All of this (and more) is necessary to help get your company through the actual attack itself.
The Importance of Monitoring
We also can’t emphasize enough the importance of strong monitoring capabilities within your IT systems. Most of all, you’ll need an ability to understand how users on your IT systems typically work — so you can quickly identify when a supposed user (who is actually a ransomware attacker) starts behaving strangely.
For example, say a ransomware attacker gains entry to your IT systems through an old vulnerability that was never patched. One of the first things that attacker will typically do is escalate privileges: creating a new administrator or super-user account, adding a compromised account to a privileged group, or stealing credentials that already hold those rights, so they can move about the IT network and execute commands more freely.
So how effectively can your security systems identify such behavior? Can you detect when a user’s privileges are elevated, such as an A/P clerk suddenly gaining the power to access HR systems or to onboard a new vendor? Does the CISO (or someone on the security team who will act on it) get an alert every time a super-user account is created?
Monitoring user behavior is increasingly important as large corporations continue to rely on cloud-based technology providers and contract labor for ever more functions. More outsiders working within the perimeter of your extended enterprise means less visibility into exactly who the humans are in those interactions. That, in turn, means more importance for mapping roles to data access and transactions, so the IT security team can see when a user starts behaving in a way that makes no sense for the role assigned.
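To make the two monitoring questions above concrete, here is an added illustration for this article, not code from the original page or from Baker Tilly, that runs two detections over a constructed audit log: a newly created account that is placed in a privileged group within an hour, and a user performing an action that the role mapped to them does not allow. The event names, usernames, system names, group names and the role model are all constructed; in a real deployment they would map onto your own sources (for example Windows security events for account creation and group membership changes, plus ERP and HR application access logs).

```python
"""Two detections over a constructed audit log: privileged-account creation and
role-inconsistent access.

Added illustration for this article, not code from the original page or from Baker Tilly.
Event names, usernames, system names, group names and the role model are constructed
sample data.
"""
from datetime import datetime, timedelta

# Groups whose membership makes an account a "super-user" for our purposes.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "ERP_SUPERUSER"}

# Constructed log: an account created and made Domain Admin within two minutes at 2 a.m.,
# a normal HR onboarding, and an A/P clerk who strays into HR data and vendor onboarding.
EVENTS = [
    {"ts": "2024-06-03T02:14:05", "event": "account_created", "actor": "svc_patch", "target": "jsmith2"},
    {"ts": "2024-06-03T02:15:40", "event": "group_add", "actor": "svc_patch", "target": "jsmith2", "group": "Domain Admins"},
    {"ts": "2024-06-03T09:02:11", "event": "account_created", "actor": "hr_onboard", "target": "anewhire"},
    {"ts": "2024-06-03T09:05:00", "event": "group_add", "actor": "hr_onboard", "target": "anewhire", "group": "Staff"},
    {"ts": "2024-06-03T09:30:00", "event": "access", "actor": "bclerk", "system": "ERP-AP"},
    {"ts": "2024-06-03T09:31:12", "event": "access", "actor": "bclerk", "system": "HRIS"},
    {"ts": "2024-06-03T09:32:00", "event": "vendor_create", "actor": "bclerk", "system": "ERP-AP"},
    {"ts": "2024-06-03T10:00:00", "event": "access", "actor": "hrmgr", "system": "HRIS"},
]

# Role model: who holds which role, and which (action, system) pairs each role may perform.
USER_ROLES = {"bclerk": "ap_clerk", "hrmgr": "hr_manager", "vmaster": "vendor_master"}
ROLE_PERMISSIONS = {
    "ap_clerk": {("access", "ERP-AP")},
    "hr_manager": {("access", "HRIS")},
    "vendor_master": {("access", "ERP-AP"), ("vendor_create", "ERP-AP")},
}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_new_privileged_accounts(events, window=timedelta(hours=1)):
    """Flag accounts created and then placed in a privileged group within `window`.

    A legitimate admin account is rare and normally goes through change control; one
    that appears and is elevated minutes later is the pattern the article describes.
    """
    created_at = {e["target"]: _ts(e) for e in events if e["event"] == "account_created"}
    alerts = []
    for e in events:
        if e["event"] != "group_add" or e["group"] not in PRIVILEGED_GROUPS:
            continue
        created = created_at.get(e["target"])
        if created is not None and timedelta(0) <= _ts(e) - created <= window:
            alerts.append({
                "account": e["target"],
                "group": e["group"],
                "created_by": e["actor"],
                "minutes_to_privilege": round((_ts(e) - created).total_seconds() / 60, 1),
            })
    return alerts


def detect_role_violations(events, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Flag actions on a system that the actor's assigned role does not permit.

    Only events carrying a 'system' field are application activity; account and group
    events are the other detector's job. A user with no role at all is also flagged.
    """
    alerts = []
    for e in events:
        if "system" not in e:
            continue
        role = user_roles.get(e["actor"])
        allowed = role_permissions.get(role, set())
        if (e["event"], e["system"]) not in allowed:
            alerts.append({"user": e["actor"], "role": role or "UNASSIGNED",
                           "action": e["event"], "system": e["system"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_new_privileged_accounts(EVENTS):
        print("PRIVILEGED ACCOUNT:", a)
    for a in detect_role_violations(EVENTS):
        print("ROLE VIOLATION:", a)
```

On the sample log the first detector fires once, for jsmith2 (Domain Admins 1.6 minutes after creation), and stays quiet for the ordinary onboarding; the second fires twice for bclerk, once for touching the HR system and once for creating a vendor. Both rules depend entirely on the role-to-access mapping being maintained, which is the point of the preceding paragraph: without that mapping there is no definition of "behaving strangely" for the monitoring to test against.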
All in all, Shusko and DiNardo gave audit and internal control teams plenty to think about. Ransomware is a persistent threat, so it’s going to need persistent attention from the rest of us.