The ransomware attack known as WannaCry, which spread across 150 countries and took down a number of organisations, including several NHS trusts, flooded the media last month. The attack – which involved cyber criminals gaining access to data and then encrypting it with a key known only to them – saw $300 worth of bitcoin being demanded from each affected user or organisation for the release of their data.
With countless headlines written about WannaCry and so many security solutions on the market, it is easy for IT teams to become overwhelmed. Enterprises are caught between two extremes: buying a one-size-fits-all solution that doesn’t really fit all, or buying specialist solutions and patching them together to try to create the most robust security possible, yet potentially leaving gaps in the protection.
Critical to protection against attacks such as WannaCry is knowing what has been protected and with what solution – in this case, we’re discussing cloud and encryption.
The cloud factor
The cloud can be an effective way to back up data, systems and files in order to recover from a ransomware attack. However, it is not quite that simple. Firstly, cybercriminals often encrypt files in remote repositories as well as physical ones. Secondly, while operating systems, applications and system files can be restored, data files are much harder to recover unless they’ve escaped the attackers in the first place or the ransom is paid (and even then an enterprise is still at the mercy of the attacker).
So, how do you keep files safe from attack? The versioning and recycle bin features of cloud applications are crucial to this, but they are something many file-sharing and storage solutions fail to include. Through versioning, every revision of a document is stored, so you are able to go back and retrieve a previous version of the file from before the ransomware attack took place. With the recycle bin function, no matter who deletes the file – an attacker or a legitimate user – a copy will be kept.
Why does encryption matter?
One crucial thing the WannaCry attack shows is the power of cryptography, albeit used in this case with ill intent. The cryptography is applied not only to hijack data, but also to ensure the anonymity and verifiability of the bitcoin transaction used for the ransom payment. The message here is simple: if the perpetrators are using cryptography against you, why wouldn’t you use it to potentially keep attackers out in the first place? Although it won’t completely guarantee that attackers can’t hold corporate data up for ransom, it will certainly go some way to making this more difficult.
Encryption is also important in the aftermath of an attack. In a situation such as WannaCry, the ransomware attack is initially all about control of and access to the data. Once this first phase is over, an attacker could utilise programs installed as part of the attack for a second wave of compromise – for example, data exfiltration to sell on the dark web.
Having a robust security infrastructure, with data-centric encryption combined with stringent access controls and strict policy requirements, means every time there is an access attempt to a specific piece of data, policy requirements must be met and access rights cleared before the data is decrypted. This ensures any malicious software that has been installed as part of the attack, creating a ‘backdoor’ to the system, actually has little value. Essentially, an enterprise will have protected itself from the inside out, by encrypting data at the heart of the business.
Ultimately, no single solution can keep an enterprise completely safe from a breach and, often, not even a whole host of solutions can keep it truly secure. As always, the devil is in the detail. Understand what you’re protecting and how stringent that protection is; this should include data-centric encryption and cloud services which utilise versioning and recycle bin features. It is also important to encourage best practice security techniques. Ensuring systems are up-to-date and patched appropriately is an absolute minimum requirement. Guiding employees on how to avoid the human error element of a successful cyber attack is very important – for example, educating them to treat emails with a security-savvy eye.
In the case of ransomware attacks like WannaCry, backup processes must be in place and comprehensive, with strong access controls and collaboration features that make the system not only secure but also effective in practice. After all, if the solution doesn’t work well for the business user, it simply won’t be used, putting the data and systems at greater risk of unsanctioned IT use and of malicious attack.
Written by: Jeandre Sutil, Head of Security, Covata
This article appeared in Compare the Cloud
July 20, 2017