I’m sure you heard about the ransomware attack that held the city of Atlanta hostage. It took down a number of government networks and as Threatpost reported:
… crippling government websites that process payments and relay court information.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=i
All for $51,000 in bitcoin.
As a result of the multi-day attack, the Atlanta workforce had to turn off their computers and use old-fashioned pens and paper. And I’ve seen a lot of commentary like this from Lamar Bailey, director of security research and development at Tripwire:
Your best defense against ransomware is basic security hygiene and foundational controls. Ransomware needs an opening to gain access so make sure high severity vulnerabilities are remediated. Servers hosting critical applications should be locked down and hardened. Intrusion Protection products should be inspecting all traffic. Once an attack happens there are only a few options to pay the ransom which may or may not work, including restore from a backup, or rebuild the system.
Bailey is spot on with his commentary. But the more I hear about the attack, the more I wonder if there was a serious meltdown in basic risk management. City officials were warned well in advance that an attack was inevitable, CBS News reported:
In the 41-page audit, which was presented to city leaders last summer, the city was told that its IT department was on life support and that were no formal processes to manage risk. The document states, "the large number of severe and critical vulnerabilities identified has existed for so long the organizations responsible have essentially become complacent and no longer take action."
With risk management tools in place, the networks affected by the attack would have automatically addressed those vulnerabilities, updated the scan software and installed patches, and generated secure backups. With the audit in hand, leadership could have prioritized tasks as needed.
This isn’t the first time ransomware has raised questions about risk management processes in an organization. After WannaCry took down so many networks last year, Compliance Week pointed out:
this cyber-threat du jour has sparked fresh debates on regulatory obligations and notification mandates. It also offers, once again, valuable lessons in risk management and the need to break down corporate silos.
This isn’t going to be our last ransomware rodeo. In fact, as ransomware attack methods evolve, it’s going to get worse. Not having risk management tools in place may make you more susceptible to being a victim.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba