This past week the National Institute of Standards and Technology (NIST) published two draft publications that provide guidance on protecting an organization’s information technology assets against the growing problem of ransomware. Since last summer there has been a large increase in ransomware that has successfully disrupted the operations of multiple local governments and agencies in Texas (https://www.npr.org/2019/08/20/752695554/23-texas-towns-hit-with-ransomware-attack-in-new-front-of-cyberassault), the Port Neches-Groves Independent School District (https://www.12newsnow.com/article/news/local/port-neches-groves-isd-recovering-from-ransomware-attack/502-3ead2091-8a39-4950-b398-04041a976389), and the City of New Orleans, Louisiana (https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-cost-new-orleans-7-million-and-counting/). Additionally, SR2 Solutions has received reports of multiple ransomware attacks and attempted attacks against small and medium private-sector companies in the Southeast Texas region. This post focuses specifically on SP-1800-25, “Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events” (https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/identify-protect).
Why NIST Special Publications Matter
While NIST is not a regulatory agency with the legal authority to enforce requirements on private industry, both public-sector regulators and private-sector professional organizations look to it for guidance when writing the requirements for their own jurisdictions. The Federal Information Security Management Act (FISMA) and the Sarbanes-Oxley Act (SOX) both draw on NIST guidance to control how sensitive information is stored and transmitted. The Payment Card Industry Data Security Standard (PCI-DSS) ties directly to NIST for how to handle information associated with credit and debit cards, and the Health Insurance Portability and Accountability Act (HIPAA) references NIST’s special publications in its Security Rule.
Because of these precedents and others, it is important to understand that NIST’s publications shape the technology industry, especially as it relates to cybersecurity, in both the private and public sectors. With the growing threat of ransomware it simply made sense for NIST to develop a publication on how best to face it. For the two draft publications, 1800-25 and 1800-26, NIST worked with the private sector, including well-known technology companies such as Symantec, Cisco, and Tripwire.
What is NIST Recommending: Identify/Protect
In the first publication, 1800-25, NIST has developed a framework for protecting your information technology BEFORE an attack occurs (https://www.nccoe.nist.gov/sites/default/files/library/sp1800/di-identity-protect-nist-sp1800-25b-draft.pdf). Of key importance in this document are the capabilities that NIST recommends every organization implement to protect its digital assets. We have listed these below with our own descriptions:
- Inventory Capability: it is important for an organization to know exactly what components make up their digital infrastructure. This was much easier twenty years ago when an office network only consisted of desktops, laptops, and maybe a fileserver. Now with the internet of things and mobile devices there are even more components operating on a network from smart TVs and smart thermostats to IP enabled security surveillance cameras. All of these additional components being added to the network are potential targets that can be used to spread malware across a network. It is therefore important for an organization to know their network as it grows and changes over the years.
- This capability can be easily performed by an internal IT department or a third party managed services provider.
- Vulnerability Management: once an organization knows the full inventory of its digital infrastructure, it can begin to identify the vulnerabilities of each item in that inventory. These are the same vulnerabilities a ransomware attack could use to take over the organization’s network. By running frequent vulnerability scans (we recommend every three to six months), those vulnerabilities can be mitigated, or in some cases eliminated, by an IT department or managed services provider.
- We recommend the use of a third party contractor to perform these vulnerability scans/audits on a periodic basis.
- Policy Enforcement: adopting a formal cybersecurity policy, in an organization of any size, makes good cybersecurity practices part of the company culture. This can include enforcing strong passwords, multi-factor authentication, onboarding and offboarding of personnel, and many other areas of an organization’s culture that can become weak spots in its cybersecurity.
- Policy development can be put together with the help of an external cybersecurity professional. If the organization is in the private sector it is generally good to involve a cybersecurity professional with a background in the business world.
- Integrity Monitoring: the best way to describe this capability is as the monitored alarm system you use to protect your home or office. By continuously watching for key changes in the systems identified by the Inventory capability, a ransomware attack (or any other threat to data integrity) can be identified far faster than by simply waiting to receive the ransom note demanding tens of thousands to hundreds of thousands of dollars’ worth of bitcoin. If an organization’s integrity monitoring process is effective enough, it may even be possible to stop ransomware in its tracks.
- This can be implemented through a variety of methods by an in-house IT department, a third-party service provider, or a cybersecurity professional. We generally recommend a cybersecurity professional for large or complex enterprises.
- Logging: logs generated by the Inventory, Vulnerability Management, and Integrity Monitoring capabilities provide the baseline data used to identify active ransomware and other malware. They also inform the Policy Enforcement capability, helping it strike an effective balance between the needs of cybersecurity and the needs of the organization’s culture.
- Logging must be done consistently to gain the valuable data it can provide. It can be implemented by an internal IT department or managed services provider.
- Backups: almost every cybersecurity article repeats the need for backups, yet the importance of an effective backup system still cannot be overstated, especially for protecting against ransomware. In a ransomware attack the organization’s data is generally the attacker’s target. If the organization has an effective backup system that cannot be infected by the ransomware, the attacker loses the leverage used to compel payment of the ransom.
- On-site and off-site backups can be set up by an in-house IT department or managed services provider.
- Secure Storage: this capability takes the Backup capability further by encrypting the data to keep it secure against unauthorized access. Secure storage should also be used to protect the data produced by the Logging and Integrity Monitoring capabilities, since that data is potentially sensitive.
- Secure storage is generally available with most new hardware and software and can be enabled by an in-house IT department or managed services provider. Customized secure storage can be developed by a cybersecurity professional with a background in software development.
- Network Protection: this includes, but is not limited to, the use of firewalls. Firewalls can be an effective tool for protecting an office network against direct attack from the internet. However, additional measures should be taken to prevent movement of malware within the network as well. Given that most ransomware arrives through social engineering, such as getting an employee to click a link in an email, an external firewall alone will not be enough. Additional protections may include virtual LANs to segment devices away from each other, VPNs, and workstation firewalls.
- Network protection can be implemented by an in-house IT department or managed services provider. We recommend that a third-party cybersecurity professional be brought in to assist and review their work.
- Blacklisting: this capability controls the communications and applications allowed within an organization. For example, visits to certain websites, or emails from certain domains, may be blocked or flagged because of a possible threat. Some organizations that operate only within a specific region or country have blocked entire IP address ranges belonging to countries known for cyberattacks.
- This capability can be implemented by an in-house IT department or managed services provider. However, it can be useful to involve a cybersecurity professional for guidance on what should be blacklisted.
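The Integrity Monitoring and Logging capabilities above are easiest to understand with a concrete mechanism. The following is an added example written for this post, not code from NIST SP 1800-25 or from any of the vendors named in it: a minimal file integrity monitor that records a SHA-256 baseline of a directory tree, compares a later scan against it, emits log lines for each change, and raises an alert when an unusually large share of the baseline files changed or disappeared in one scan, since bulk modification of documents is what ransomware encryption looks like from the file system’s point of view. The `MASS_CHANGE_THRESHOLD` value and the sample files in `demo()` are constructed for the example.

```python
"""Added example: minimal file integrity monitor with a mass-change alert."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Fraction of baseline files that may change in one scan before an alert is
# raised. This value is an assumption for the example; tune it to the real
# workload so routine edits do not trip it.
MASS_CHANGE_THRESHOLD = 0.5


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = sha256_file(p)
    return baseline


def save_baseline(baseline: dict, manifest: Path) -> None:
    """Persist the baseline; in practice keep this copy in secure storage."""
    manifest.write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(manifest: Path) -> dict:
    return json.loads(manifest.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return added/removed/modified paths plus a mass-change flag."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    touched = len(removed) + len(modified)
    mass_change = bool(baseline) and touched / len(baseline) >= MASS_CHANGE_THRESHOLD
    return {"added": added, "removed": removed, "modified": modified,
            "mass_change": mass_change}


def log_lines(report: dict) -> list:
    """Render the comparison as one log line per event for the Logging capability."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for p in report[kind]:
            lines.append(f"fim: {kind} path={p}")
    if report["mass_change"]:
        lines.append("fim: ALERT mass_change=true possible ransomware activity")
    return lines


def demo() -> dict:
    """Constructed scenario: three documents are baselined, then two of them are
    overwritten and renamed the way an encrypting malware sample would leave them."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        (root / "docs").mkdir()
        for name in ("a.txt", "b.txt", "c.txt"):
            (root / "docs" / name).write_text(f"contents of {name}")
        manifest = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), manifest)
        # Simulated damage: two files replaced by random bytes under a new name.
        for name in ("a.txt", "b.txt"):
            p = root / "docs" / name
            p.write_bytes(os.urandom(32))
            p.rename(p.with_name(name + ".locked"))
        return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    for line in log_lines(demo()):
        print(line)
```

Run the script once to take a baseline on a known-good system and again on a schedule; the two `.locked` files and the removal of their originals cross the threshold, so the run ends with the alert line. A monitor like this is only as trustworthy as the baseline it compares against, which is why the manifest belongs in the Secure Storage capability rather than on the monitored host itself.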
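To show what the Blacklisting capability amounts to in code, here is an added example of a small blocklist policy checker; it is not from NIST SP 1800-25 or from SR2 Solutions, and every network range and domain in it is a constructed placeholder (RFC 5737/3849 documentation addresses and `.test` names), not a real threat feed. It checks IP addresses against blocked CIDR ranges, checks sender and URL hostnames against blocked domains including their subdomains, and fails closed on malformed input.

```python
"""Added example: blocklist checks for IP ranges, domains, URLs and mail senders."""
import ipaddress
from urllib.parse import urlparse

# Constructed sample policy. A real deployment loads these from a vetted feed.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32")]
BLOCKED_DOMAINS = {"bad-example.test", "phish-example.test"}


def ip_blocked(ip: str) -> bool:
    """True if the address falls inside any blocked range; malformed input is blocked."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def domain_blocked(domain: str) -> bool:
    """Match the domain itself or any subdomain of a blocked entry.
    A plain endswith() check would wrongly match 'notbad-example.test', so the
    comparison requires either equality or a '.' before the blocked suffix."""
    d = domain.lower().rstrip(".")
    return any(d == b or d.endswith("." + b) for b in BLOCKED_DOMAINS)


def url_blocked(url: str) -> bool:
    """Apply the IP policy to IP-literal hosts and the domain policy otherwise."""
    host = urlparse(url).hostname
    if host is None:
        return True
    try:
        ipaddress.ip_address(host)
        return ip_blocked(host)
    except ValueError:
        return domain_blocked(host)


def sender_blocked(address: str) -> bool:
    """Check only the domain part of an email sender address."""
    if "@" not in address:
        return True
    return domain_blocked(address.rsplit("@", 1)[1])


def triage(events: list) -> list:
    """Run (kind, value) events through the policy and return (value, decision) pairs."""
    checks = {"ip": ip_blocked, "domain": domain_blocked,
              "url": url_blocked, "mail": sender_blocked}
    return [(value, "block" if checks[kind](value) else "allow") for kind, value in events]


# Constructed sample events resembling proxy and mail-gateway records.
SAMPLE_EVENTS = [
    ("ip", "203.0.113.7"),
    ("ip", "192.0.2.1"),
    ("url", "https://login.phish-example.test/reset"),
    ("url", "https://example.org/"),
    ("mail", "billing@mail.bad-example.test"),
    ("mail", "alice@example.org"),
]

if __name__ == "__main__":
    for value, decision in triage(SAMPLE_EVENTS):
        print(f"{decision:5} {value}")
```

The subdomain rule is the part worth copying: blocklists are usually published as registrable domains, and matching them with a bare suffix test either misses `mail.bad-example.test` or, done carelessly, blocks unrelated names that happen to end in the same characters.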
NIST’s draft SP-1800-25 provides an excellent, comprehensive framework for protecting against ransomware attacks. We highly recommend that organizations of all sizes and types adopt these capabilities as part of their day-to-day operations. It is the most effective set of capabilities for protecting against ransomware as well as other forms of cyberattack.
The next post will discuss NIST’s draft SP-1800-26 which covers the important capabilities needed for responding to ransomware attacks against an organization.