By Leslie Weinstein, HITRUST Solutions Director
What Is a Ransomware Attack?
The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as “a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.” [1] The malicious cyber actor will then demand an amount of money to be paid before providing the decryption key; however, paying a ransom does not always guarantee that the files will be decrypted and the functionality of the data restored, nor does it remove the obligation of breach notifications. The loss of critical data can grind company operations to a complete halt, leading to a loss of revenue and a loss of trust among customers. Suffering total operational shutdown due to a ransomware attack is not inevitable, though! Establishing a robust information security program can drastically reduce the likelihood of a ransomware incident and can significantly reduce the impact of an attack, should one occur.
What Causes a Ransomware Attack?
Ransomware incidents happen when security controls fail or are not implemented correctly. The magnitude of the impact is usually related to the failure of additional controls. Based on the available public information, the Colonial Pipeline Co. ransomware attack began when Russian hackers entered Colonial’s business network using a compromised password on an out-of-use virtual private network (VPN) that lacked multi-factor authentication. The attack caused a six-day shutdown of a 5,500-mile pipeline, leading to a panic-induced gas shortage. While the pipeline itself was not part of the network that was compromised, Colonial took it offline as a precaution to prevent the spread of the attack because they were unsure about the network segmentation between their IT and OT (operational technology) networks.
What Could Have Prevented the Ransomware Attack?
Requiring multi-factor authentication on the VPN and throughout Colonial’s business system could have prevented the Colonial Pipeline ransomware attack in this instance. Robust network segmentation between the business IT system and the OT pipeline network would also have limited the ability of adversaries to pivot to the OT network, even if the IT network was compromised. This type of network segmentation could have prevented the need to shut down the entire pipeline when the IT system was compromised.
Protecting against and recovering from a ransomware incident is more than buying the latest cybersecurity technology and writing policies that sit on a shelf. It requires establishing a robust information security program, which includes determining which security controls should be in place to mitigate an organization’s information risk to an acceptable level while ensuring it also meets compliance requirements. An organization’s information security program is the risk mitigation strategy for its systems.
How Do I Know if My Company Is Appropriately Managing the Risk of a Ransomware Attack?
An effective information security program requires companies to confirm the appropriate controls have been implemented correctly and to verify their operation and effectiveness. The security controls need to be configured properly and tested to ensure that they are achieving the desired security effect. There should also be a high level of confidence in the validation and testing of control effectiveness to provide assurances to both internal and external stakeholders that the program is effective. Assessments and tests should be performed using a defined assurance methodology and by a qualified practitioner who has knowledge of the control requirements. The documentation of this validation and testing process should be consistent to provide transparency and oversight of the process. Consistent documentation also ensures accuracy of the process and can provide a consistent output, which may be used widely to provide assurances to stakeholders. Without this level of rigor in an assessment, there is no confidence or confirmation that the organization has the controls in place to effectively mitigate its risks.
How Do I Get Started Evaluating My Organization’s Information Risk?
HITRUST is the industry leader in information risk management and assurance. HITRUST has developed an approach to providing security program assurances that incorporates all the necessary components to provide an organization with the needed confidence that its security controls are operating effectively and prepared for a ransomware incident. The HITRUST Approach incorporates a comprehensive controls framework, threat catalogue, third-party assessments, and an assessment platform. A HITRUST Assessment is the gold standard for assurance reporting and provides organizations with the reliability they are demanding in these times of escalating cyber risk.