Why a new defense strategy is needed to stop ransomware
In February, the nation witnessed one of the most high-profile ransomware attacks in history, which led a major U.S. hospital to pay a $17,000 ransom to the hackers who seized control of the hospital’s computer system.
This wasn’t an isolated incident. Many more hospitals were infected by ransomware throughout the first half of the year, and even more are likely to be hit in the next six months.
Unlike most forms of malware, ransomware almost immediately encrypts all of the victim’s files as soon as it gains access to a system. Even the smallest vulnerability can result in total encryption and loss. This drastic effectiveness, paired with the low cost to entry for criminals to adopt ransomware-based attacks, means that unless an organization changes its approach to security, it’s only a matter of time until all its files are rendered inaccessible.
Hackers have found a way to exploit the true value of an organization’s data. After all, access to patient health records and other hospital administrative data is financially valuable. Not only does every healthcare institution have a legal and ethical duty to maintain access to this data, but to also keep it safe from prying third parties.
If, like most hospitals, an organization relies on detection-based security solutions, its data might be vulnerable. Network-based systems of detection have been seen as the most effective and thorough method of protection for years because there is something inherently attractive about being able to control all inflow into your systems.
Unfortunately, by relying on a single detection-based security solution, organizations greatly increase their chance of infection. Even the most state-of-the-art detection-based software cannot defend against infections it does not detect, such as zero-day attacks.
Many forms of ransomware are starting to exploit vulnerabilities in programs such as Microsoft Word, or will lie dormant until they can confirm they are not running in a virtualized environment, in order to avoid detection. So while even a perfect detection-based system may prevent many attacks, without additional layers of security a data breach is only a matter of time.
With this in mind, there are several steps that strengthen the integrity of a security solution. While detection-based network security may help to provide a solid outer shell of defense, the best way to block attacks that slip through the cracks is to secure the endpoint.
This may sound like an impossible task—after all, even the most state-of-the-art network security solutions have flaws—but the reality is that the endpoint is easier to secure in its entirety. The endpoint provides the primary avenue for attackers to breach the network, so removing every possible vector by which attackers reach the endpoint eliminates the corresponding possibility of infection. While this may seem daunting, it can be done surprisingly easily and cost-effectively.
In order to remove attack vectors and provide protection, there are three key steps:
- The removal of administrator privileges is the first, and one of the most easily implemented, ways to block malware from accessing data. Malware often relies on administrative rights to embed itself in a system or to disable security controls, neither of which is possible without administrator rights. Our research shows 85 percent of all critical Microsoft vulnerabilities can be completely mitigated simply by removing administrator privileges.
- While many forms of network detection rely on blacklisting known-harmful applications, this leaves a system completely vulnerable to undiscovered, or zero-day, attacks. Instead, hospitals should implement a whitelisting approach that automatically blocks or disables any new installation or modification of existing software. This strips ransomware and other malware of the ability to introduce malicious applications to the system.
- Organizations should implement endpoint sandboxing (isolation) any time an employee accesses unknown or untrusted content, such as through Internet browsing or downloading email attachments. By isolating all of these interactions away from sensitive data, even if ransomware is able to bypass the first steps, it will be completely unable to access or encrypt any data outside of the self-contained session of that sandbox.
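The three steps above are controls that can be verified on a Windows endpoint. The following audit script is an added example written for this article, not code from the original author or any product the article describes. It assumes a Windows 10 / Server 2016 or later machine with Windows PowerShell 5.1 and the built-in LocalAccounts, AppLocker and DISM modules, run from an elevated prompt. The `$Baseline` list of expected administrators is an assumption to be replaced with your own, and because the article does not name a sandboxing product, the isolation check uses the built-in Windows Defender Application Guard feature as one concrete instance. The script only reads configuration and reports gaps; it changes nothing.

```powershell
# Added example: audit an endpoint for the three controls described above
# (admin-privilege removal, application whitelisting, browser isolation).
# Read-only; exits 1 when any control is missing so it can gate a build or scan.

function Test-AdminPrivilegeRemoval {
    # Step 1: every member of the local Administrators group is a standing
    # privilege that malware can ride on. $Baseline is an assumption; replace
    # it with the accounts your organization deliberately keeps in the group.
    param([string[]]$Baseline = @('Administrator'))
    foreach ($m in (Get-LocalGroupMember -Group 'Administrators')) {
        $short   = ($m.Name -split '\\')[-1]          # strip DOMAIN\ or HOST\ prefix
        $finding = if ($Baseline -contains $short) { 'baseline' } else { 'unexpected-admin' }
        [pscustomobject]@{ Control = 'AdminPrivileges'; Item = $m.Name; State = $m.ObjectClass; Finding = $finding }
    }
}

function Test-ApplicationWhitelisting {
    # Step 2: an allowlist only blocks new or modified software when every
    # AppLocker rule collection is in Enabled (enforce) mode. AuditOnly merely
    # logs what would have been blocked and still lets the binary run.
    $policy = Get-AppLockerPolicy -Effective
    $collections = @($policy.RuleCollections)
    if ($collections.Count -eq 0) {
        [pscustomobject]@{ Control = 'Whitelisting'; Item = 'AppLocker'; State = 'NoPolicy'; Finding = 'not-enforced' }
        return
    }
    foreach ($rc in $collections) {
        $finding = if ($rc.EnforcementMode -eq 'Enabled') { 'enforced' } else { 'not-enforced' }
        [pscustomobject]@{ Control = 'Whitelisting'; Item = $rc.RuleCollectionType; State = [string]$rc.EnforcementMode; Finding = $finding }
    }
}

function Test-BrowserIsolation {
    # Step 3: Application Guard is used here as one instance of isolating
    # untrusted browsing (an assumption, since the article names no product).
    # The feature is absent on older builds, so "not available" is reported
    # as a gap rather than treated as an error.
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
    $state   = if ($f) { [string]$f.State } else { 'NotAvailable' }
    $finding = if ($state -eq 'Enabled') { 'isolated' } else { 'not-isolated' }
    [pscustomobject]@{ Control = 'Sandboxing'; Item = 'ApplicationGuard'; State = $state; Finding = $finding }
}

function Invoke-EndpointHardeningAudit {
    # Run all three checks, print a table, and fail if any control is missing.
    $results = @(Test-AdminPrivilegeRemoval) + @(Test-ApplicationWhitelisting) + @(Test-BrowserIsolation)
    $results | Format-Table -AutoSize
    $gaps = @($results | Where-Object { $_.Finding -in 'unexpected-admin', 'not-enforced', 'not-isolated' })
    if ($gaps.Count -gt 0) {
        Write-Warning "$($gaps.Count) endpoint control gap(s) found"
        exit 1
    }
}

Invoke-EndpointHardeningAudit
```

Run it as part of a post-imaging check or a periodic compliance scan; a non-zero exit code flags a machine that still grants standing admin rights, runs AppLocker in audit-only mode, or has no isolation for untrusted browsing. Group membership and rule collections are reported individually so the output names the exact account or collection to fix.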
Although securing the endpoint is one of the most effective ways to stop infection, there is still a place for network-based detection. Network and endpoint security must be used in tandem, each covering the other's gaps, to provide what is known as "defense-in-depth." This forms a far stronger defense that any hacker will struggle to bypass.
When it comes to enterprise security, organizations should start from the endpoint and build outward. A bank doesn't leave the vault door open just because it has a security guard at the door—it starts from the vault and layers security outward. If the endpoint isn't secure, and security administrators do not ensure both systems work in tandem, organizations simply risk losing data, intellectual property, resources, money and, most invaluably, trust.