Many organizations now base their cybersecurity programs on the NIST Cybersecurity Framework (CSF), a globally recognized standard for countering new and emerging cyber threats. More recently, NIST published a draft ransomware profile that complements the CSF. The profile is intended to help organizations assess how ready they are to prevent, respond to and recover from cyber extortion.
What is ransomware?
While ransomware is no longer making the headlines as often as it did a few years back, the threat remains. Many ransomware groups operating on the dark web have disbanded, but that does not mean the threat has gone away. In fact, ransomware, much like every other category of cyberthreat, has evolved.
Earlier ransomware attacks were relatively simple. The victim would unwittingly download a malicious file, typically after being targeted by a social engineering scam. Upon opening the file, the contents of the hard drive would be encrypted and the computer would restart to display a ransom message.
Today, ransomware attacks might not be as common as they were a few years ago, but those that persist are often more dangerous. The latest trend is the rise of double extortion attacks, in which the attackers exfiltrate the data before encrypting it. In these cases, the ransom message not only threatens to keep your data encrypted if you fail to pay; it also threatens to publish the stolen data on dark web forums for the world to see.
Needless to say, these double extortion tactics are extremely dangerous. Businesses that keep regular, isolated backups of their sensitive data can usually restore affected systems quickly with minimal lasting damage. If that data has also been stolen, however, a backup does nothing about the threat of disclosure, and the pressure to pay the ransom is much higher.
What are the NIST cybersecurity framework recommended controls?
The usual assumption is that ransomware can easily be countered by antivirus software, but that is often not the case, because new variants keep appearing faster than they can be catalogued. Furthermore, these attacks are often carried out together with highly targeted social engineering scams such as business email compromise (BEC). Many bypass regular security controls, which is why the controls recommended by the NIST Cybersecurity Framework go much further.
Antivirus software should be running at all times and updated automatically, and it should be set to scan email attachments and external media automatically. That said, a lot of ransomware exploits vulnerabilities in outdated or unsupported operating systems, which is why, for example, no business should still be running the now unsupported Windows 7. Keeping all computers and firmware fully patched helps reduce the risk.
The risks are even greater now that so many people work from home and use their own devices for work. Organizations therefore need strict policies governing the use of third-party apps. Ideally, no sensitive company data should be stored on employee-owned devices at all; the devices should serve only as access points to company apps and data hosted in the cloud rather than locally. That way, administrators can restrict access through standard user accounts without administrative privileges while keeping full visibility into their data.
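The two paragraphs above describe checks an administrator can actually run on each Windows endpoint: antivirus on and updating, attachments and external media scanned, the OS still supported and patched, and no unnecessary local administrators. The script below is an added example of such a readiness check, written for this article; it is not part of the NIST profile or of any vendor tooling. It assumes Windows 10 or 11 with Microsoft Defender, and the `$ApprovedAdmins` allow-list and the patch-age threshold are placeholders to adjust per organization.

```powershell
<#
  Ransomware readiness spot-check for a single Windows endpoint (added example).
  Assumes Windows 10/11 with Microsoft Defender. Run from an elevated prompt.
  -Remediate turns email and removable-drive scanning back on if they are off.
#>
#Requires -RunAsAdministrator
param([switch]$Remediate)

# Hypothetical allow-list: the only accounts expected in the local Administrators group.
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator")
$MaxSignatureAgeDays = 3      # placeholder threshold
$MaxPatchAgeDays     = 45     # placeholder threshold

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Antivirus running, real-time protection on, signatures fresh
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus is disabled') }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
    $findings.Add("Signatures are $([int]$sigAge.TotalDays) days old")
}

# 2. Email attachments and external media scanned automatically
$pref = Get-MpPreference
if ($pref.DisableEmailScanning) {
    $findings.Add('Email attachment scanning is disabled')
    if ($Remediate) { Set-MpPreference -DisableEmailScanning $false }
}
if ($pref.DisableRemovableDriveScanning) {
    $findings.Add('Removable-drive scanning is disabled')
    if ($Remediate) { Set-MpPreference -DisableRemovableDriveScanning $false }
}

# 3. Operating system still supported (Windows 7 reports 6.1, Windows 8.1 reports 6.3)
$os = Get-CimInstance Win32_OperatingSystem
if (([version]$os.Version).Major -lt 10) {
    $findings.Add("Unsupported OS: $($os.Caption) (version $($os.Version))")
}

# 4. Patch recency: newest installed hotfix with a known install date
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
             Select-Object -First 1
if ($null -eq $lastPatch) {
    $findings.Add('No dated hotfix found; cannot confirm patch level')
} elseif (((Get-Date) - $lastPatch.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
    $findings.Add("Last update $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn.ToShortDateString())")
}

# 5. Local administrators: anyone outside the allow-list should be a standard user
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    if ($ApprovedAdmins -notcontains $_.Name) {
        $findings.Add("Unexpected local administrator: $($_.Name) [$($_.PrincipalSource)]")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings"
} else {
    $findings | ForEach-Object { Write-Output "$env:COMPUTERNAME FINDING: $_" }
}
```

Run it without `-Remediate` first so the output can be reviewed; on a domain the allow-list will normally also need the domain groups that are deliberately granted local admin. The script reports only; it does not remove accounts from the Administrators group, since that should go through whatever change process the organization uses.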
Another important control area that the NIST Cybersecurity Framework addresses is security awareness training. Ransomware can target anyone, with remote workers among the most common targets. This is why everyone on the team should undergo regular awareness training so that they understand the risks and how these attacks spread.
Finally, the profile also provides actionable steps that organizations can take to recover from a ransomware attack, covering incident recovery planning, communications, and backup and restore.
The new ransomware profile is meant for a general audience, including organizations that have already implemented the broader NIST Cybersecurity Framework. However, applying all of its controls and policies can be prohibitively costly for smaller businesses hoping to do everything in-house. This is why finding a dependable technology and security partner is essential for achieving the same level of protection that large enterprises enjoy.
Charles IT provides the full range of services that businesses need to become fully compliant with the NIST Cybersecurity Framework. Get in touch today to schedule your first consultation!