Security Fridays: Week Eleven
Chris Cassell, 28/05/2020, Industry News
How to protect your data against increasing cyber threats
This recent breach really helps to emphasise that threats are constantly evolving, and that the threat landscape needs to be given credit where credit is due. Some still see threat actors as groups of spotty youths sitting at home coding malicious little things for fun, and we sometimes still treat them that way. Hopefully this sort of attack reminds us that in many ways the threat actors are at least as capable as many security vendors and that, as a community, they are in some ways much better interconnected.
Here we have a group that in sixteen months earnt a great deal of money. I’ll take their claim of $2 billion with a pinch of salt, as they have a product they want to market, but it’s fair to say they have made considerable amounts. Then they have either gone away and re-invested their money in a new attack, or sold off their code and rights to someone else for even more money.
To put this in context, McAfee itself posts around $2.5 billion turnover. This should reflect just how much value there is in this marketplace for criminals and just how seriously we should be taking it. The breach also poses a few security questions that should be asked in these situations. How was it that anyone was able to access that much data without being detected?
We often get caught up in the latest and greatest security tools and the idea that we need the most advanced threat protection to have a chance against these sorts of advanced capabilities, but there’s an argument for going back to base principles. Effectively all attacks need to do certain things to have an effect. It’s always a good idea to look at ways to include these in your security model.
So for example:
1 – Ransomware or thieves have to actually access files to encrypt or steal them. So what accounts have permissions to access data? No single account should ever have the option of touching all the sensitive data in a business. Not even administrators should have the capability of touching all data across the estate. This removes the easy way for an attacker to access everything.
2 – Access to data should also be monitored. It is a detectable interaction, so questions should be asked in this case as to how any account or device was able to access this amount of data without being detected. Over 700 GB of data affected and infiltrated without it being noticed at the data storage or perimeter level suggests there is an intrinsic problem with data monitoring that should maybe be looked into.
3 – Data you don’t hold can’t be breached. Did all that data really need to be held in easily accessible storage? Could some of it have been moved to offline archives? Did they have a data lifecycle plan where old data that is no longer needed is either archived or destroyed? An organisation should constantly be looking at what they are holding, why, and when that data should be removed. By removing what you no longer have need for and keeping a tight control on what you store, you reduce risk and liability if the worst does occur.
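As an added illustration of points 1 and 2 (not part of the original article), the following Python runs two checks over file-access audit events: read volume per account inside a sliding window, and the fraction of all shares a single account has touched. The event format, account names, share names and thresholds are all constructed assumptions; real values would come from your own file server or storage audit logs and a baseline of normal use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

GB = 1024 ** 3

# Constructed sample audit events: (time, account, share, bytes read).
EVENTS = [
    ("2020-05-01T09:00:00", "alice", "hr", 2 * GB),
    ("2020-05-01T09:20:00", "bob", "finance", 1 * GB),
    ("2020-05-01T10:05:00", "alice", "hr", 1 * GB),
    ("2020-05-01T23:00:00", "svc-backup", "hr", 40 * GB),
    ("2020-05-01T23:10:00", "svc-backup", "finance", 35 * GB),
    ("2020-05-01T23:25:00", "svc-backup", "legal", 45 * GB),
    ("2020-05-01T23:40:00", "svc-backup", "clients", 30 * GB),
]

def audit(events, window=timedelta(hours=1), max_bytes=50 * GB,
          max_share_fraction=0.75):
    """Return sorted (rule, account, detail) findings; thresholds are assumed."""
    all_shares = {share for _, _, share, _ in events}
    recent = defaultdict(deque)   # account -> (time, bytes) still in the window
    running = defaultdict(int)    # account -> bytes read inside the window
    touched = defaultdict(set)    # account -> distinct shares accessed
    peak = {}                     # account -> highest windowed volume seen
    for stamp, account, share, size in sorted(events):
        now = datetime.fromisoformat(stamp)
        touched[account].add(share)
        q = recent[account]
        q.append((now, size))
        running[account] += size
        while now - q[0][0] > window:   # drop reads older than the window
            running[account] -= q.popleft()[1]
        peak[account] = max(peak.get(account, 0), running[account])
    findings = []
    for account in touched:
        # Point 2: an unusual amount of data read in a short period.
        if peak[account] > max_bytes:
            findings.append(("volume", account, peak[account] // GB))
        # Point 1: one account able to reach most or all of the data.
        fraction = len(touched[account]) / len(all_shares)
        if fraction >= max_share_fraction:
            findings.append(("breadth", account, round(fraction, 2)))
    return sorted(findings)

if __name__ == "__main__":
    for rule, account, detail in audit(EVENTS):
        print(rule, account, detail)
```
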
Read the article that was analysed here: https://threatpost.com/revil-ransomware-attack-celeb-law-firm/155676/