Page 74 - Cyber Defense Magazine for August 2020
Let’s look at how the ransomware threat, enterprise vulnerability to this threat, and the threat’s impact
combine to move it to the top of your BC/DR risk matrix. Finally, we’ll recommend the actions you must take
to minimize ransomware’s impact on your organization.
The shape of historic disaster recovery plans
Most historic disaster threats share one characteristic: they can be mitigated with physical or logical
distribution or redundancy. East coast data center threatened with a hurricane? Ensure you have a
redundant data center in the central US. Worried about power loss? Install a backup UPS for fault
tolerance.
Insider logical disasters can be more difficult to recover from than physical disasters, as corruption can
spread via the same mechanisms that provide your systems their fault tolerance. But the history of such
incidents has shown that these occurrences are relatively rare, companies have mitigating controls in
place, and the incident’s damage is usually limited.
The DoA threat
In contrast, the threat of cyber disaster has come to dominate all other threats due to its frequency and
massive impact. Wipers like NotPetya, Shamoon, Destover and ransomware such as Petya, WannaCry,
and LockerGoga have crippled organizations large and small around the world, encrypting some or all of
their IT infrastructure within minutes or hours of a single computer’s infection and sending them back to
manual operations until (or if) they can recover their systems.
Originating as broadly distributed campaigns, ransomware attacks have evolved into highly targeted and
extremely damaging network-wide infections [i]. Cybersecurity Ventures predicts that ransomware
damages will cost the world $20 billion by 2021 [ii]. In addition to large enterprises, state and local
governments have also become targets: 53 were reported in 2018, and at least 70 in 2019 including
Baltimore and Atlanta [iii].
The enterprise vulnerability
Organizations of all sizes are highly vulnerable to ransomware attacks. Phishing, especially targeted
(spear) phishing, remains an extremely effective infection vector because it plays on human nature.
Microsoft has stated that phishing maintains an approximately 15% success rate regardless of education
programs – even among its own employees [iv].
There’s also a critical vulnerability that is well understood by IT professionals but far less widely known up
the management chain. Microsoft’s Active Directory – the distributed security system that controls user
authentication and systems authorization in well over 90% of the world’s medium and large organizations
– is devilishly hard to restore. Because of this, only a small percentage of companies have a
comprehensive, regularly tested AD recovery plan. (Look your AD admin in the eye and ask.)
Why, after a product lifetime of almost 20 years, do IT departments not have the same level of recovery
plan for AD as they would for a critical file server? Mainly because AD is very robust to both physical
domain controller failures and logical failures. But it was designed in the late ’90s, when no one could
conceive of malware that encrypts every single domain controller within minutes.
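Before you look your AD admin in the eye, it helps to have a fact to ask about. The following PowerShell script is an added example, not code from the article or from Microsoft: it enumerates every domain controller in the forest and reports when Active Directory on each one was last backed up, using the backup timestamps that repadmin /showbackup reads from the directory. It assumes the ActiveDirectory RSAT module and repadmin.exe are installed, that the running account can query every DC, and that the seven-day threshold (a constructed policy value) matches your own backup SLA.

```powershell
# Added example (not from the article): report the last recorded AD backup per
# domain controller so the "do we have a tested AD recovery plan" question
# starts from evidence rather than memory.
# Assumptions: ActiveDirectory RSAT module and repadmin.exe are present, the
# account can reach every DC, and $maxAgeDays reflects your backup SLA.
Import-Module ActiveDirectory

$maxAgeDays = 7   # constructed policy threshold; tune to your own SLA

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # repadmin /showbackup prints one line per naming context carrying the
    # date and time of the most recent backup recorded in the directory.
    $lines = & repadmin.exe /showbackup $dc.HostName 2>&1

    # Pull every "yyyy-MM-dd HH:mm:ss" timestamp out of the output and keep
    # the newest one as this DC's last backup.
    $dates = foreach ($line in $lines) {
        if ("$line" -match '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
        }
    }
    $last = $dates | Sort-Object -Descending | Select-Object -First 1

    $age = if ($last) { ((Get-Date) - $last).TotalDays } else { $null }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        LastBackup       = $last
        AgeDays          = if ($null -ne $age) { [int]$age } else { $null }
        Status           = if ($null -eq $age)        { 'NEVER BACKED UP' }
                           elseif ($age -gt $maxAgeDays) { 'STALE' }
                           else                          { 'OK' }
    }
}

# Worst cases first: DCs with no backup, then the most stale ones.
$report | Sort-Object Status, AgeDays -Descending | Format-Table -AutoSize
```

A recent timestamp on every DC only shows that backups exist; it says nothing about whether anyone has rehearsed a forest-wide restore from them, which is the gap the paragraph above is pointing at. A DC reporting no backup at all usually means the system state is not being captured with an AD-aware tool, which is exactly the condition that leaves an organization rebuilding the directory by hand after a wiper or ransomware outbreak.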
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.