See the original publication found in On Balance Magazine.
At some point in 2015, cybercriminals had an aha moment. Instead of going through all of the trouble of breaking into a network, stealing data and then executing a complicated scheme to monetize that data, they found a shortcut - and it was already paved.
Data encryption was touted as a defense against attempts to steal data, and companies implemented encryption to keep their data safe. It did not take long for the bad guys to figure out a way to turn those defenses around: Encrypt the data and hold the key for ransom. Already armed with methods to trick users into running things they should not, attack methods were created that locked companies out of their own computers, data stores and applications.
Faced with the prospect of being without key systems and data for long periods of time, criminals offered a quick fix: Pay us to fix it. Insurance companies often encouraged payments, calculating that it was more economical to pay upfront than to pay for rebuilding systems, covering lost revenue and buying new equipment.
The result was predictable. Criminals saw big pockets behind the companies they were attacking. They widened their attacks and increased the ransom demands. More criminals got into the game, realizing how profitable this venture was becoming.
The biggest question that companies are asking today is this: "Can we survive a ransomware attack?" To answer that, it is best to break the threat down to four questions:
The components of protection should be familiar, as they are the basic hygiene items needed to stop any cybersecurity threat:
• Privileged access or admin access to devices throughout the network should be limited, with specialized accounts set up for local administrator tasks. When many users have admin access to many machines, ransomware spreads like wildfire.
• Access to file shares across the network should be only as-needed. Ransomware will look to encrypt whatever files the user who launched it can see and change. If the infected user has limited rights on file shares, the damage that can be caused will be limited.
Malware normally finds its way onto computers that are missing patches. Ransomware is no different; yet patching continues to be a shortcoming in many organizations' defenses. The keys to having an effective patch management program are to:
• Ensure ALL operating systems and platforms are covered by an automated patching system.
• Ensure ALL applications are covered by an automated patching system.
• Perform scans routinely on all systems in the environment to confirm the automated patching systems are functioning as intended.
Organizations need to have current and up-to-date technology defending endpoints. Anti-virus applications installed and forgotten five years ago do not meet this requirement. Make sure the endpoint protection system is actively monitored to ensure components are current and protections are not disabled.
When commercial buildings, hotels and homes are built, codes have to be followed for a number of reasons, one of which is to ensure that fires have difficulty spreading from room to room and floor to floor. A computer network should be no different. Networked devices in one department should be able to see networked devices in another department only if there is a justified business requirement.
One of the most important aspects of limiting the damage of a ransomware attack is to know when it is happening. Following are the key steps to sharpening any company’s detection capabilities:
"How an organization responds to a ransomware attack directly affects the amount of system damage caused by the attack."
How an organization responds to a ransomware attack directly affects the amount of system damage caused by the attack. That response also affects the damage to its reputation with customers and the morale of its employees. This is where a formal incident response plan (IRP) is essential. The basic components of the IRP should include:
• Defined members of an incident response team (IRT).
• Contact information for external resources (such as the media, law enforcement and third-party consultants).
• Templates for communicating with employees, customers and vendors.
Specific to ransomware, the IRP should have a playbook for procedures related to a ransomware attack. Such a playbook can be designed through a tabletop ransomware exercise. This playbook will be unique to the organization with steps specific to the IRT members. Steps should include:
• User actions when ransomware is suspected.
• Specific steps for isolating network segments or systems.
• Communication steps with members of the IRT.
Recovering from a ransomware attack normally involves one of three options.
To be viable, backup systems and images cannot be compromised by the ransomware. Attackers will often look to encrypt backup systems first so that a system restore is not possible. To protect the ability to recover systems and data, organizations should:
• Maintain protected gold images of systems to ensure restoration to a known trusted state.
• Keep copies of data backups that cannot be overwritten and are disconnected from the production network.
Some companies are forced into this solution. Some look to it as the path of least resistance. There are risks that come with this choice: Will the decryption key be effective? Criminals realized early on that it is more profitable in the long run to provide the key. That does not mean it will be useful. In the case of the recent Colonial Pipeline attack, a large payment was made only to find the decryption tool was too slow to be of use (Morse, 2021). Unfortunately, if you're attacked once, you may be attacked again. A recent report indicated that 80% of businesses that paid to recover from an attack experienced a subsequent ransomware attack (Yu, 2021).
This is the most painful scenario, normally chosen when backups cannot be restored and/or the purchased decryption key is not working.
Hopefully, this guide helps you to understand and prepare for these attacks. The tactics of the criminals continue to escalate with the release of captured data and the use of personal attacks on corporate executives to compel payment. Our efforts to resist need to meet these threats.
Microsoft Secure Score. If you’re an IT administrator or security professional in an organization that uses Office 365, then you’ve no doubt used the tool or at least heard the term. It started as Office 365 Secure Score, but it was renamed in April 2018 to reflect a wider range of elements being scored.
What does it do? The tool looks at configurable settings and actions primarily within your Office 365 and Azure AD environment, and awards points for selections that meet best practices. In their words, “From a centralized dashboard you can monitor and improve the security for your Microsoft 365 identities, data, apps, devices, and infrastructure.”
But what doesn’t Microsoft Secure Score do? Microsoft is very good at telling you the great things its products can do, so I won’t repeat them here. The concept is sound, and I applaud them for giving users a tool that prioritizes secure configurations. They have come a long way from having auditing turned off by default in their products, e.g., Server 2000. I will point out why Microsoft Secure Score isn’t enough when it comes to understanding and testing the security of your Microsoft 365 environment.
I am a Certified Public Accountant (CPA), and as such, I’ve spent a good portion of my life performing audits and assessments. A key independence rule CPAs abide by is: an auditor must not audit his or her own work. Microsoft isn’t exactly independent when scoring its own product’s settings and capabilities. The financial motivation exists for Microsoft to setup a scoring system that makes users feel good about using Microsoft products. Interoperability and performance will always be a higher priority than security.
This fact is furthered by the scoring system setup, which unlocks higher point opportunities with higher priced subscriptions. For example, Microsoft Cloud App Security and Azure Advanced Threat Protection are unlocked with E5 licenses, or as a $5.50 per user per month add on to an existing E3 license. This can be as much as a 70% price increase. If you want more chances to raise your overall score and have a higher score ceiling, spend more money…a very beneficial side-effect for Microsoft.
Also, remember that Secure Score is reflective of a Microsoft opinion and their subjective value for security controls they believe are important. This differs from widely accepted standards from organizations like NIST (National Institute of Standards and Technology) or CIS (Center for Internet Security) which are vendor neutral and have been refined, improved, and evolved over time.
First let me say that Secure Score can be dented and bent to fit different environments. Scoring for certain areas can be manually entered if you have a third-party solution for a control. It will be incumbent on the person checking those controls to match what Secure Score is asking for. This is an all-or-nothing proposition as indicated within Secure Score, “Marking as resolved through third-party indicates that you have completed this action in a non-Microsoft app, and will give you the full point value of this action.”
This is a key area where the Secure Score blanket fails to keep all areas of the entity covered and warm. There are bound to be components and configuration requirements that don’t quite fit what Secure Score evaluates or how it is scored. Think of the myriad of application combinations to handle Customer Relationship Management (CRM), Mobile Device Management (MDM), Security Information and Event Management (SIEM), Data Loss Prevention (DLP), and Multifactor Authentication (MFA) just to name a few. An independent assessment of the environment that references best practice hardening guides for specific products comprising the solution is the only way to complete a proper evaluation.
Reason number 3: Security is a journey, and a scorecard makes it a destination.
Don’t get me wrong, I like scores and grades. CPA’s generally like to measure and quantify things. Secure Score quantifies security, gives you trends over time on your score, and even allows you to measure your score against others based on a global average, industry average, and similar seat count average.
What I don’t like is how the scores can be manipulated, or how they can be construed. If the O365 administrator wants to improve their percentage of points achieved, the simplest way is to select “ignore” for the scoring areas that they have earned 0 points. Per Secure Score documentation, “Once you ignore an improvement action, it will no longer count toward the total Secure score points you have available.” Lower the denominator, keep the numerator, and poof! We are more secure. Or are we?
Executives looking at a scorecard may also be satisfied once it has reached a certain percentage of the total available. A project which will move the Secure Score from 650 out of 807 points to 710 out of 807 points appears to make the company about 8% more secure to a non-security decision maker handling the company budget. That project may not make the cut. In reality, any scoring shortage could represent a critical configuration issue that puts information assets at risk. That point may get lost if the focus is score.
We hear stories all the time about breach activities that were being reported by automated logging systems, except no one was looking at the logs. IT management puts a tool in place and checks a box that implies the organization is secure in that area. Secure Score is ripe for this. Several improvement actions that will increase your score involve reviewing reports. When a link for a report is clicked, Secure Score assumes the report was reviewed and awards points. To keep the points, the link must be clicked within specific time intervals from within the Secure Score user interface, but this process does not record what was reviewed, or any notes or actions resulting from the review. There is no substitute for the actual review process and confirming that the review is happening.
Also consider an environment made up of multiple applications from different vendors where automated security evaluations, like Secure Score, are put in place. Each application that makes up the system interacts with other applications, potentially creating security control blind spots. For example, an email system that hands-off outbound email to a 3rd party DLP solution. Are there security holes in the process that transfers data in and out of the DLP application? Identifying those weaknesses requires a wholistic view, measured against current accepted best practices, that just isn’t offered by Secure Score or any other automated solution.
In conclusion, I think Secure Score has a place in monitoring and evaluating an organization’s information security posture. Microsoft is taking recommendations from its user base and is working to improve Secure Score’s results and widen its coverage. It is a barometer of an information security environment that could produce important information when properly utilized.
The bottom line though is that it is just one tool. It cannot replace a diligent information security program; or at a higher level, an information security management system. Independent assessment and review of controls, policies, procedures, and the people managing the environment work in tandem to assure the confidentiality, integrity, and availability of an organizations information assets. Consider the diversity of an organizations landscape:
These areas are all interdependent, yet all have their own unique traits and ways to be assessed and secured. No one measurement tool is enough.
By Jeffrey T. Lemmermann, CPA, CISA, CITP, CEH - Information Assurance Consultant