# Opener

CISA Says: Ransomware is Here to Stay! 4 Easy Steps Hackers Don’t Want You to Know

Published by Scott Kannry

In an interview with the Washington Post this week, Director of the United States Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, discussed a number of recent high-profile cybersecurity news items, including the Facebook/Instagram/WhatsApp outage, the SolarWinds hack, election security, and the Federal Government’s general role in addressing well-planned cyber-attacks from foreign actors.  

This past summer, President Biden urged Russian President Vladimir Putin to take action against ransomware operations coming from Russia. However, Easterly’s statements reveal that ransomware is not showing any signs of slowing down; it remains a serious threat to national cybersecurity, especially for critical infrastructure. The damage caused by the attacks on Colonial Pipeline and then NEW Cooperative backs up this assertion.

No business, organization, or individual is immune to cybercrime. Every employee of an organization, from the CEO on down, is responsible for understanding “basic cyber hygiene steps” to protect themselves. When prompted by an audience member to identify what actions a business or government entity should take to secure its systems, the CISA Director listed, without hesitation: update your software, have strong passwords (better yet, use a PAM tool), foster end-user awareness against phishing attacks, and use multi-factor authentication (MFA). Here, we will explore the importance of these four cybersecurity measures and how they can be leveraged quickly and easily in your organization.

Building Resilience – What can a business do to secure itself from attacks? 

Despite Biden’s warnings that the US will “take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge,” it appears that the Russian government hasn’t taken any meaningful steps in addressing ransomware hackers, Easterly noted. Ransomware hackers allegedly prefer to conduct their operations out of Russia because of its government’s laissez-faire approach. Russian law strategically allows attackers to conduct their business as usual, just so long as their targets are not domestic or allied with Russia.  

With the Russian government’s hands-off approach, hackers are left largely undisturbed, allowing them to thrive, teach, and learn. To some extent, the US government can help businesses with response and recovery, but Easterly’s interview emphasized that the CISA and other defense agencies wish to help build resilience first and foremost – this applies to all industries and company sizes. As we’ve noted, with ransomware, the question is not “Will my company experience a ransomware attack?” but rather “When will my company experience a ransomware attack?” 

1.  CISA Recommends:  Software Updates

Why are software updates important? Security updates protect your organization from data breaches. We are all probably guilty of hitting that “Remind Me Later” button when our phones suggest a software update. At a business level, backing up and updating your operating systems takes time, not to mention the additional time needed for updates required by applications running on that system, and it can be an easy thing to delay in favor of other projects. However, just like with your phone, delaying or ignoring software updates in your environment can present a huge threat to your cybersecurity. Software updates do more than give you access to enhancements and new features. They also address bugs and patch known security flaws, many of which go unnoticed by the average user. Bugs and security flaws are unavoidable with any product, so by ignoring software updates, you are inevitably exposing yourself to vulnerabilities. The Equifax breach is an example of an attack that could have been prevented with a simple software update.  

Keeping up with software updates can be simplified for your business needs. Easterly recommends scheduling automatic updates wherever possible because automation can simultaneously reduce security risks and increase convenience since it requires less human interaction in the future. In addition to staying on top of software updates, it’s important to stay alert to fraudulent software updates and learn how to identify them. You should only install updates obtained directly from the manufacturer’s website.

2.  CISA Recommends:  Culture of Cybersecurity Awareness

Think before you click! “Cyber[security] is a team sport and always has to be a team sport,” Easterly says. Your IT team can take measures to scan all emails and maintain endpoint detection software, but a culture of awareness at every level of your organization is your best defense against phishing attacks.  If everyone is responsible for understanding basic cybersecurity hygiene, business leaders can help by fostering a culture of cybersecurity awareness at all levels of the company.  

Employee security awareness training is a great starting point, with an emphasis on how to spot a phishing attempt. According to Verizon’s Data Breach Investigations Report, phishing attempts accounted for 70% of data breaches in 2018 and have unsurprisingly escalated during the COVID-19 pandemic. Terranova found, in a 2020 report, that 20% of employees will click on links from phishing emails, and of that 20%, a whopping 68% will actually provide their credentials when prompted, which is frightening considering it only takes ONE instance of bad judgment to compromise an entire system. Awareness is key to impeding phishing emails, which can potentially expose your organization to destructive malware or expose sensitive credentials, which are the easiest and quickest type of data to compromise. 

3.  CISA Recommends:  Strong Passwords

Or, better yet, password managers. As we saw with the unsuccessful Port of Houston attack, password management and Privileged Account Management (PAM) play a vital role in thwarting data breaches. This attack was swiftly contained because of the Port of Houston’s PAM solution, which not only acts as a vault to ensure credential complexity and security but can also be configured to do things like log ALL authentication activity and keep a lookout for strange patterns in user and system activity.

Password managers can also improve containment and recovery efforts in the event a breach does occur, allowing you to reset all passwords in the system automatically. 

4.  CISA Recommends:  Multi-Factor Authentication (MFA)

In addition to password complexity and management, multi-factor authentication is now a staple of cybersecurity best practices. It adds another level of security to your credential management plans. CISA recommends MFA “particularly for webmail, virtual private networks, and accounts that access critical systems.”  Remote Desktop Services need more protection now than ever, and for business users, MFA is an incredibly efficient way to add another layer of protection even if the user’s credentials have been compromised.  

Traditional MFA uses TOTP (time-based one-time password) and can be vulnerable to certain types of hacks because it uses shared information (your one-time code) to verify your identity. For that reason, at a business level, and especially for high-value systems that use hard keys, we suggest an easy-to-use solution like YubiKey by Yubico.
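The shared-information property described above, as an added example (not code from this article or from CISA): a minimal RFC 6238 TOTP generator and server-side verifier. The secret is the RFC's published SHA-1 test key, and the `verify` and `demo` helpers and the one-step acceptance window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

# Constructed sample secret: the SHA-1 test key from RFC 6238 Appendix B.
# In a real deployment this value is stored by BOTH the server and the app.
SHARED_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then the
    dynamic truncation defined in RFC 4226."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check (hypothetical helper): accept a code from the
    current time step or `window` steps either side, to tolerate clock skew.
    The only input is the code; nothing ties it to a device or a website."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * STEP, len(code)), code)
        for d in range(-window, window + 1)
    )


def demo() -> dict:
    t = 59  # timestamp used by the first RFC 6238 test vector
    code = totp(SHARED_SECRET, t)  # what the authenticator app displays
    return {
        "code": code,
        # Submitted at once by the legitimate user.
        "accepted_from_user": verify(SHARED_SECRET, code, t),
        # The same digits presented 20 seconds later from anywhere else.
        "accepted_when_relayed": verify(SHARED_SECRET, code, t + 20),
        # Two minutes on, the code has aged out of the acceptance window.
        "accepted_after_expiry": verify(SHARED_SECRET, code, t + 120),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the verifier sees only the digits, a code entered on a look-alike login page is as valid as one entered on the real site until it expires; hardware keys close that gap by binding each response to the site that requested it.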

Summary 

According to the CISA, the most common strategies attackers use to deploy ransomware attacks are software vulnerabilities, RDP attacks, and email phishing campaigns. While the Federal Government’s goal is currently to get department heads invested in their budgets and make sure they have the resources they need to modernize their environments, the preventative measures listed by Director Easterly are basic steps that all businesses and individuals can leverage.  

Axio has been at the forefront of solving cyber risk for many of the nation’s largest critical infrastructure operators, manufacturing, healthcare, and public-sector organizations, among others. We have also seen organizations in these sectors span the spectrum of cyber maturity. Your organization’s cybersecurity strategy needs to evolve and adapt to new threat environments, and there are easy ways to continuously scan, inventory, and model your existing security state to better understand if your security investments and initiatives match the cyber risks that could cripple your business. Get started with Axio360 today to help your organization prepare for and prevent a cyber catastrophe.