How Network Segmentation Can Help Entrepreneurs Manage Ransomware Risks
A few months ago, our kids’ school district, one of the largest in South Carolina, was hit with a virus that spread "ransomware," malicious software designed to block computer systems by encrypting the data to which the attackers gain access. Unlike other types of malware that attempt to steal data, ransomware is unique in that it simply blocks access to systems or files until a ransom is paid.
Networks typically become compromised because of poor cyber security practices and “phishing” scams, where an attacker tricks a user into opening a phishing email and visiting a phishing website. Once done, the user unknowingly downloads a piece of malware, and the attacker expands from there to explore resources and, in enterprises, may attempt to move laterally to explore the network and encrypt shared and network drives.
Eventually, our school district capitulated to the attackers and paid the ransom demand of $10,000, and all data was returned and restored -- albeit with a heightened sense of security and importance. Our school district got off cheap compared to other organizations, however, such as a New Jersey school district that recently had its network system infected with ransomware with a demand of $124,000 in Bitcoins.
I can tell you with a high level of certainty that my high school grades were never worth that much.
According to numerous industry reports, ransomware attacks are becoming more common every day, doubling in number between 2014 and 2015 according to the Symantec Internet Threat Report. The trend is expected to continue for the foreseeable future, and moreover, authorities have no solid strategy for stopping them. In fact, the FBI currently recommends that companies pay the ransom if they ever want their data restored.
The future in this regard does not look bright when the FBI throws its arms up in defeat.
Making matters worse is the evolving sophistication in these attacks, as a new and emerging innovation called "ransomware-as-a-service" (RaaS) starts to take root. According to Business Insider, "(RaaS) is a variant of ransomware designed to be user-friendly and... deployed by anyone with little cyber know-how. These agents simply download the virus either for free or a nominal fee, set a ransom and payment deadline and attempt to trick someone into infecting his or her computer. If the victim pays up, the original software author gets a cut -- around five to 20 percent -- and the rest goes to the party who deployed the attack (called the 'script kiddie')."
In January 2016, researchers identified a new RaaS called Ransomware32, complete with a user-friendly dashboard to track income statistics and manage individual attacks while also removing most of the upfront costs and technical barriers. This kind of RaaS trend is making ransomware accessible to the least technical hackers.
As terrible as RaaS sounds, it still sounds better than multi-level marketing.
Unfortunately, many enterprise IT teams focus on efficient management of networks and privileges rather than designing networks that can contain the damage of a breach or ransomware attack. And while any technique an enterprise uses to avoid phishing scams will help avoid getting ransomware, there is no way to guarantee that an enterprise can avoid infection altogether.
WEI is one company that has been studying the evolution of ransomware and providing cutting-edge technology tools to businesses. They suggest that, as an additional precaution, every enterprise consider how to contain, rather than just prevent, a ransomware breach with network segmentation in addition to other strategies.
In part, network segmentation limits the volume of resources that an attacker can access by logically grouping network assets, resources and applications together into compartmentalized areas called segments and allowing only approved types of communication in and out of the segment. Segments that are physically separated from other segments and have no established link to allow interaction are known as segregated.
For example, devices involved with financial transactions should be fully segregated both logically and physically from devices that can surf the web.
The objective with security-minded network segmentation is to ensure that attackers have access to as few digital resources as possible. This technique will also help contain the potential damage from other types of cyber attacks.
Since departments and teams have different access needs, an enterprise should divide a network into segments and then control each segment’s communication to the outside world. In addition, the enterprise should control communication between segments of the same network. With limited access between segments, an attacker’s movement to another segment is either stopped or slowed enough to allow monitoring tools to alert enterprise staff to the intrusion before massive harm is done.
To secure a segment containing sensitive information or data, an enterprise would simply prevent all communication and physical access, including but not limited to emails, websites, file sharing, cloud services and any external devices such as storage or mobile devices that have both external access and access to the network.
Failing to segment properly creates what is described as an "egg network," or a network that, like an egg, has a "strong perimeter surrounded by their soft, gooey, defenseless (data) yolks." Such organizations have false confidence in outward facing firewalls and other tools that protect the network's external perimeter while liberally allowing internal communication between network segments. An attacker who stumbles into such liberal access would be able to block and ransom large volumes of enterprise electronic resources.
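The segmentation rules described above can be written down as a default-deny policy and checked against observed traffic. The following is an added example, not part of the original article: the segment names, address ranges, approved ports and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segment plan; names and address ranges are assumptions.
SEGMENTS = {
    "finance": ipaddress.ip_network("10.10.1.0/24"),
    "office": ipaddress.ip_network("10.10.2.0/24"),
    "servers": ipaddress.ip_network("10.10.3.0/24"),
}
# Segregated segments must have no link to any other segment or the outside.
SEGREGATED = {"finance"}
# Approved communication: (source segment, destination segment, port).
# Anything not listed is denied, and rules are directional.
ALLOWED = {("office", "servers", 443), ("office", "servers", 445)}

def segment_of(addr):
    """Return the segment name for an address, or 'external' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"

def evaluate(src, dst, port):
    """Classify one flow as 'intra', 'allowed', 'denied' or 'segregation-breach'."""
    s, d = segment_of(src), segment_of(dst)
    if s == d and s != "external":
        return "intra"
    if s in SEGREGATED or d in SEGREGATED:
        return "segregation-breach"
    return "allowed" if (s, d, port) in ALLOWED else "denied"

def audit(flows):
    """Return (src, dst, port, verdict) for every flow the policy does not approve."""
    checked = [(s, d, p, evaluate(s, d, p)) for s, d, p in flows]
    return [f for f in checked if f[3] in ("denied", "segregation-breach")]

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.2.15", "10.10.3.20", 443),   # office -> servers, approved
    ("10.10.2.15", "10.10.3.20", 3389),  # office -> servers, port not approved
    ("10.10.2.15", "10.10.1.7", 445),    # office -> finance, segregated
    ("10.10.1.7", "203.0.113.10", 443),  # finance -> external, segregated
    ("10.10.3.20", "10.10.3.21", 22),    # inside one segment
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

An "egg network" is the case where `ALLOWED` effectively contains every pair of segments, so the audit never reports anything even while traffic crosses freely between them.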
Enterprise IT teams should also consider their network backup strategy. "The best line of defense against any ransomware is to have backed up your machines yesterday," says Kaspersky Labs. "Some ransomware variants are smart enough to also encrypt every backup they are able to locate, including those residing on network shares. That is why it is important to make 'cold' backups (read and write only, no delete / full control access) that cannot be deleted by the ransomware."
In the end, enterprises should ensure that their approach to network management reaches beyond efficiency and considers how best to leverage segmentation to thwart attackers and limit damage. Enterprises should confirm that staff members who are responsible for segmentation truly understand the security implications of the segmentation architecture. And business areas that are responsible for selecting software should draw security and IT resources into the decision-making process before a solution is selected and ensure that the vendor's implementation team has a strong background in the security of the software being purchased.