“Defending against ransomware is not rocket science”, so says Sir Jeremy Fleming, Director of GCHQ, speaking at the Cipher Brief Annual Threat Conference. It is a long-overdue statement from someone of Fleming’s standing, and it matters because of the current sales hype from cybersecurity vendors. Everyone is selling products to protect you from ransomware as if that were somehow different from doing cybersecurity properly.
Backing up his statement, Fleming said: “We know that if you do fairly basic cyber security, if you are really clear at an organisational level about things that you need to protect and if you are very diligent in implementing the guidance of your cyber security professionals and your technology partners then you’re going to protect yourselves or at least make you harder than competitors and therefore you won’t be as much of a target.”
Fleming continued by telling the audience that there are basic steps they can take to protect themselves:
- Back up your data
- Make sure you’ve got your admin sorted out
- Make sure your passwords are properly protected
- Work out where your thresholds are
- Think in advance how you would respond if you were approached for ransom
He went on to reiterate: “It’s just basic stuff.”
Technology design also has to get better
Fleming also made the point that “we have got to design the technology better. That’s quite a strategic thing to do to make it less vulnerable.”
Fleming’s statement is absolutely on point given the number of supply chain attacks that we are seeing. The vast majority stem from vulnerabilities in vendor code, where companies are not doing enough to test and secure what they ship. Many vendors also rely on weak processes that allow attackers to gain access to their codebases, insert malicious code and then have it distributed to customers by the vendor itself. Think NotPetya, SolarWinds and BQE.
All of this has led to a surge in attacks. Fleming made the point that ransomware attacks doubled last year. He went on to say: “The reason it is proliferating is because it works. It just pays. Criminals are making very good money from it and are often feeling that that’s largely uncontested.”
For cybercriminals, it is not just the ransom payment that pays. Most attackers have now pivoted to exfiltrating large volumes of data before locking down systems, the so-called double extortion model. The stolen data gives them leverage, since they can threaten to release it if the ransom is not paid, and it can also be sold on to other attackers for use in further attacks.
Cut off the money
Fleming sees one solution as making ransomware pay less: if cybercriminals cannot make as much money, it becomes a less attractive attack vector. It sounds like a plan, but cutting off the money pipeline isn’t necessarily that easy. As Fleming pointed out: “I’m pretty clear from an international law perspective, and certainly from our domestic law perspective you can go after them. But there’s a lot of things here that need to go fall into place to make that happen. We’re quite a long way off really addressing the profit model which is making this just so easy for criminals to exploit at the moment.”
It sounds simple, but is it? It will be interesting to watch the new laws in the US intended to stop companies paying and to force them to disclose attacks. Will they work? What if a company pays through a subsidiary? How will insurers respond when faced with massive cyber insurance claims?
Enterprise Times: What does this mean?
It’s about time someone talked common sense about ransomware. Vendors carving it out as a specialist product area is simply opportunism. If the cybersecurity products they already sold were good enough, most ransomware attacks wouldn’t get started. Do the basics right, and you become a much harder target. In the words of a certain meerkat, it’s simples!
It’s also notable that Fleming was circumspect in his criticism of the technology. He could have gone much further and pointed out that technology vendors have all too often sidestepped their responsibilities. Vendors rarely bear any liability for vulnerabilities in their code because their licence agreements disclaim it. A simple change in the law, requiring software to meet the same liability standards as other products such as white goods and cars, would improve things.
What will be interesting is to see if the moves by the US to cut off the money flow will work. The jury is out on that.
For now, however, organisations need to pay more attention to security basics, including better staff training and, importantly, engagement. You are a sitting duck if you cannot get your staff to buy into your security processes.