In a recent dialogue with a subject matter expert in Cyber Security in a hospital setting, I asked Mike Meline, Principle Consultant and Owner of Cyber Self Defense and Director of Data Security at Kootenai Health, to share his thoughts on the best ways to address or mitigate risk in our present threat environment of ransomware. His recommendations are shared below:
“There are multiple ways, in my mind, to reasonably mitigate the risk without purchasing expensive products that may or may not work.
- Lock down your systems. By ensuring that your users have only the NECESSARY privileges to perform their duties, you limit the exposure to this danger. If all of your folders have the “everyone group” with read and write privileges, you will be dealing with a huge problem.
- Back-up all data that is important to you and keep the back-ups separated from the environment. This way, you can restore the data. You must also regularly test your back-ups and ensure they work. I also recommend backing up encryption keys separately; if you cannot open a back-up because the criminals encrypted your keys, you are still down.
- Train your staff. They should not be clicking on everything they receive; in fact, they should question everything. https://www.virustotal.com is a good place to help check an attachment or link. Your first line of defense MUST be your staff; if you train them well, they will help you to mitigate the risk.
- Risk Management; you MUST know and understand the risks your company is dealing with. Case in point; if I have 6 petabytes (a million gigabytes) of information, it can be difficult to manage a backup plan that includes everything. I need to determine what data is important to me and an acceptable cost for the management of a backup process and use that in my decision process. I also need to be careful of what I am backing up; a file share that allows access to most or all of my employees must be well vetted. If one or more of my employees add data to this location and it is infected, the act of restoring my data could reintroduce the malware. My risk assessment might help me to determine that I want to store backups from that part of the system to a different backup.
- If you are hit, have professionals come in and assist. Sometimes the ransomware has the key stored in RAM, other times it can be decrypted. A professional can, at a minimum, help you to appropriately respond and limit your exposure.
- NEVER pay the ransom; you are dealing with unscrupulous CRIMINALS. I have heard stories of people paying the ransom and never receiving the key, only more extortion. I have also heard of situations where users pay the ransom and receive the keys. a short time later, everything is encrypted again. While I would love to say that this is a one size fits all approach, I recognize that some companies have no other choice; they are in a place where they have to pay the ransom. Just remember that you are not dealing with people who think and act as you would.”
If you have any questions or your organization has dealt with this threat please feel free to share your story or message me on LinkedIn, I am happy to be a connection or resource.