How do you protect your organization from the sophisticated and growing threat posed by ransomware-as-a-service (RaaS)?
Well, there’s good news and bad news. Let’s tackle the bad news first.
There is no magic technology you can purchase that will protect you from today’s threats. There’s no software or appliance that can detect and stop every possible way you might be compromised. And contrary to popular belief, there is no Managed Security Service Provider (MSSP) that can fully protect you.
Traditional managed security services provide a great foundation for most institutions, but they won’t stop today’s threats like a targeted RaaS attack. You need more than traditional MSSP services and you’ll need to handle, or at least tightly oversee, several aspects yourself.
The good news is that you don’t have to purchase a new, expensive security technology to combat today’s threats. In fact, the best way you can protect your organization is to ensure some critical basics are locked down by you and your service provider(s).
According to Microsoft’s latest Cyber Signals report, “over 80% of ransomware attacks can be traced to common configuration errors in software and devices”.
In other words, security products and services are important, but ensuring proper lockdown and configuration of your environment is paramount. While covering every common configuration error is beyond the scope of this post, let’s look at a few of the most critical areas you should address ASAP.
Calling credentials the “keys to the kingdom” has become cliché, but the importance of this topic cannot be overstated. You must be hyper-vigilant in securing all the credentials in your environment, and most organizations don’t go far enough.
Some common credential misconfigurations include:
- Users having more access to system, application, and network resources than needed
- Services, scheduled tasks, and applications using highly privileged service accounts
- Overuse of domain administrator accounts
- Use of local administrator accounts and/or using the same password on local admin accounts
- Not monitoring login events properly
- Not fully auditing your application and network credentials
- Not strictly requiring MFA and/or passwordless authentication for all logins
The above is not an exhaustive list. The most common issue we see related to credential hygiene is that many organizations don’t have a firm grasp on all their credentials and the related permissions. If you do not have exhaustive User Access Management audit and oversight processes in place, start there. Most organizations need more help finding, addressing, and managing credential issues than they realize, so get help from a trusted service provider where needed. Speaking of service providers, their credentials and access to your environment should get even higher scrutiny.
It’s hard to believe that patch management is still a topic in 2022, yet time and again, we see successful attacks exploit a known vulnerability for which a patch has long been available.
One of the most common statements I hear from organizations is some version of, “We handle patches internally, but we take our time to avoid impacting the users or breaking things.” This was a common approach several years ago but is no longer acceptable. Put simply, if your organization is not capable of deploying high-criticality patches to all your systems and applications within 72 hours, then get help from a trusted service provider who can take on this important duty.
Outdated Systems and Applications
If your systems or applications are outdated enough, there are no patches coming and you have a major security risk on the network. I’ve personally spoken to organizations still running Windows 7 (end of life as of January 2020) and others even using EOL firewalls. Any device or application that is no longer supported by the manufacturer for security updates must be replaced immediately. In almost every conceivable case, the risk to the organization far exceeds the upgrade costs.
Ongoing Governance and Management
Even for financial institutions, ongoing governance and management of information security is often a challenge.
For example, once you have your credentials properly audited and locked down, you still need clear processes in place to ensure they remain that way. Your vulnerability scans must be running frequently enough (hint: at least weekly), and any high-severity vulnerability should require an actionable response/mitigation plan.
Patching, EOL avoidance, service provider oversight, user training, log monitoring, exception reporting – the list of ongoing governance and management topics is enormous. Ongoing governance of the entire information security program is another area where most institutions could use expert help and far too many try to handle it in-house. The topic, and expertise required, is simply too broad for all but the largest institutions to handle alone.
A good service provider can not only help you lock down your environment and fix common configuration errors, they can also help you oversee and manage all aspects of your information security program on an ongoing basis.