Feature Story

Holding data hostage: How to beat ransomware before it's too late

by Blake Snow

how to beat ransomware

This year, ransoms paid to reclaim valuable data totaled more than any other malware in history. What can defenders do about it?

Ransomware was a big deal this year. In 2016, ransoms paid to reclaim valuable data totaled more than any other malware in history, according to Cisco's most recent cybersecurity report. That trend will worsen and soon spread faster to entire networks and even limit CPU usage and command-and-control actions in the event of ransoms, experts predict.

In the face of these sophisticated network attacks, limited resources, aging hardware, and outdated software are largely to blame, the report found. The ability to detect and reduce comprised data is another, especially as attackers increasingly mask their activity with encryption.

See also: Ransomware: The race you don't want to lose

Because of this, organizations take up to 200 days on average to identify new threats. For attackers, more time to operate undetected results in more "hostages" and ultimately more profits. To increase their booty, these pirates are also moving from limited client-side exploits to wide-reaching server-side attacks.

What can defenders do about it?

"Ransomware is best thwarted by having solid network hygiene, maintaining competent backup and restore procedures, and ensuring you have the visibility to observe an outbreak before it can corrupt your processes and backups," says Jason Brvenik, principal engineer of business security at Cisco.

See also: Why CFOs should spend more on cybersecurity

For example, Brvenik says attackers are less likely to target automatically patched or updated software and newly issued hardware because exploits for them haven't been discovered yet or have already been patched. In other words, he who is slowest to update technology is more likely to find themselves in the crosshairs of ransomers.

It also helps to know low-hanging ransoms, he says. According to the report, top targets include Adobe Flash, JBoss, Windows Binary, Facebook, Java, HTTPS, Apache, and OpenSSH vulnerabilities. You won't know them all, of course. But with the right infrastructure and detection, IT professionals can easily persuade attackers to move to easier targets.

That can be achieved with a focus on the following, Brvenik says:

  1. Improve network hygiene.

    This can be done with improved network monitoring, automatic deployment of patches and upgrades (as is the case with Google Chrome), and next generation firewalls, IPS, and email and web defenses.

    Defend strategically instead of haphazardly.

    By leveraging an architectural and integrated approach to security, organizations can reduce backdoors and security holes that are often found between niche or single-use security products.

    Reduce time to detection.

    First off, you must measure time to detection and insist on the fastest time available to uncover threats, Brvenik says. To do this, you must make metrics a security policy going forward.

    Protect your users everywhere they are.

    Not just when they're on the corporate network, but everywhere they go with the help of password managers and best-security practices for all kinds of software and hardware they may be using.

    Routinely test the effectiveness of backup data.

    Don't just backup and hope for the best. Confirm that your backups aren't susceptible to compromise and test them as if your data was being held ransom.

    Uninstall and disable unused software and hardware.

    Sticks and stones may break bones but unplugged and decommissioned tools can never hurt you.

    Do not click on suspicious links or files.

    A little education and a lot of reminders go along way here, Brvenik says. That said…

    Stop blaming victims.

    It's not your employees' fault you got hacked, Brvenik says. Password policies and believing in absolute protection will never save you. Yes, training is important, but not as important as fast-acting monitoring, automatic patching, and using the latest available tools with built-in fool-proofing.


The contents or opinions in this feature are independent and may not necessarily represent the views of Cisco. They are offered in an effort to encourage continuing conversations on a broad range of innovative technology subjects. We welcome your comments and engagement.

We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.