Introduction
Okay, we are seeing a significant increase in the number of successful ransomware attacks and it would appear that organizations are struggling to keep themselves operational and profitable, whilst managing to reduce the risk of becoming the next victim of a successful ransomware attack.
Despite ransomware being a significant threat to an organization’s operational resilience, many businesses have not carried out included a detailed ransomware risk assessment, so that they understand the Ransomware Playbook (including the tactics that might be used) and how they should respond so that they are able to proactively defend against such ‘plays’.
Consequently, businesses attempt (often in vain) to mitigate this risk through the enhancement of their patching practices but what if the operations are in conflict with these practices?
This is where an effective Risk Balance Case can help you to identify the threat and to develop informed-based mitigation measures.
Developing An Effective Ransomware Risk Balance Case
If an organization the size and magnitude of Microsoft (MSFT) can be breached, it is best to presume that you will be breached. The reality is that, with such a prevalent threat, you may only be a missed update, a click, or a compromised credential away from disaster.
With the presumption that you are going to be breached, the focus of your RBC is not to stop the ransomware attacks but, rather, to help you limit the damage that can be caused by such an event.
With an effective RBC, the ‘Devil Is In The Detail’:
RBC Section 1
Asset Management
As with every defensive strategy, you need to know what needs to be protected so that your activities can be prioritized.
What assets are at risk?
- Which assets are important to your business?
- What are the categories of the assets?
- What is the role of the assets?
- What are the associated assets?
- In which network zone are the assets (e.g., Internet-facing, De-Militarized Zone (DMZ), Internal Network, Secure Silo)?
- How well are these network zones segmented?
- Are these assets documented in a network topology diagram, data flow diagram, and asset inventory?
Overview of the Risk
Provide a clear and concise description of the risk and how this relates to the identified assets. Remember that the decision-makers may not be technical, so keep the language simple and relatable to the business.
- Describe why this is important and make it clear so that they understand that a suitable risk response needs to be decided upon.
Why does this Risk Exist?
Add some additional context to the risk description, by explaining how the business operating model, threat landscape and any vulnerabilities may contribute to this risk.
Impact Statement
Here you really need to avoid sounding like a ‘Drama Queen’ or ‘Chicken Little’. Try to provide a realistic and plausible description of the potential impact that ransomware might present, should the network be compromised.
Duration of the Risk:
Provide a forecast on how long you think that this real risk may persist.
Task:
Describe what needs to be achieved to reduce this risk.
Intention:
Describe the objective that needs to be achieved from the risk response options.
Worst Case Scenario:
Provide a description of the worst-case scenario, in the event that such a risk was to occur so that the decision-makers can better understand the true gravitas of the risk.
Policy:
Identify the corporate policies that are already in place to help mitigate this risk.
Broken Latch to 2nd-Floor External Office Window RBC
As an example, below, I have created the detail element of an RBC, against the scenario of a broken window latch. Hopefully, this will help to demonstrate the process and show the potential benefits for such an approach:
What assets are at risk? | All the valuable and attractive electronic items are located in the room, behind the window. |
Overview of the Risk | The building with the broken 2nd-Floor external window latch is located in an area of high burglary rates and there is a heavy rainstorm forcasted. |
Why does this Risk Exist? | Not being able to securely close the 2nd-floor window can allow rain to enter the room or allow unauthorized access by a burglar. |
Impact Statement | The insecure window could allow the rainstorm to cause water damage to the electronic goods or allow a burglar to steal the electronic goods. The electronic goods are estimated to be worth ££££. |
Duration of Risk: | The burglary risk has no forecasted end date. However, the rainstorm is forecasted to only last for approximately 6-hours. |
Task: | To find and implement suitable temporary mitigation for the broken exterior window latch. |
Intention: | As this is a 2nd-floor exterior window, it is proposed that the window be wedged shut using paper, whilst I replacement window latch can be ordered and fitted. |
Worst Case Scenario: | The insecure window prevents the rain from coming through and damaging the expensive electronic goods or a burglar happens to notice the broken window latch and climbs in through the insecure window to steal of the expensive electronic goods, held within the room. |
Policy: | Physical Access & Security policy. |
Identify Suitable Ts (Treat, Tolerate, Transfer, Terminate) For Risk Mitigation
Identify the available mitigating options. Discuss the RBC with the Technology Assurance and GRC representatives to obtain clear direction; if these representatives have indicated that they wish to Treat a risk, provide Courses of Action (CoA) that result in treating the risk.
It is important to ensure that all the CoAs are viable and plausible, rather than only presenting them with one option and some throwaways. For example, take the scenario of choosing the most appropriate CoA for the scenario of choosing a suitable family car:
- All of these are cars and have 4 seats but only 1 is really an option that fulfills the requirement.
CoA 1
Treat. Apply the CIS Community Defense Model v20 (designed to help mitigate the risks of ransomware) against the identified at-risk assets:
4.1 Establish and Maintain a Secure Configuration Process
6.1 Establish an Access Granting Process
6.2 Establish an Access Revoking Process
4.7 Manage Default Accounts on Enterprise Assets and Software
5.3 Disable Dormant Accounts
5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts
2.3 Address Unauthorized Software
3.3 Configure Data Access Control Lists
5.2 Use Unique Passwords
4.4 Implement and Manage a Firewall on Servers
4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure
14.1 Establish and Maintain a Security Awareness Program
7.2 Establish and Maintain a Remediation Process
7.1 Establish and Maintain a Vulnerability Management Process
7.3 Perform Automated Operating System Patch Management
7.4 Perform Automated Application Patch Management
14.2 Train Workforce Members to Recognize Social Engineering Attacks
14.6 Train Workforce Members on Recognizing and Reporting Security Incidents
6.5 Require MFA for Administrative Access
6.4 Require MFA for Remote Network Access
11.3 Protect Recovery Data
10.2 Configure Automatic Anti-Malware Signature Updates
10.1 Deploy and Maintain Anti-Malware Software
6.3 Require MFA for Externally-Exposed Applications
11.4 Establish and Maintain an Isolated Instance of Recovery Data
14.3 Train Workforce Members on Authentication Best Practices
4.5 Implement and Manage a Firewall on End-User Devices
3.1 Establish and Maintain a Data Management Process
3.2 Establish and Maintain a Data Inventory
5.1 Establish and Maintain an Inventory of Accounts
11.2 Perform Automated Backups
2.1 Establish and Maintain a Software Inventory
14.4 Train Workforce on Data Handling Best Practices
2.2 Ensure Authorized Software is Currently Supported
11.1 Establish and Maintain a Data Recovery Process
8.3 Ensure Adequate Audit Log Storage
10.3 Disable Autorun and Autoplay for Removable Media
12.1 Ensure Network Infrastructure is Up-to-Date
9.2 Use DNS Filtering Services
8.1 Establish and Maintain an Audit Log Management Process
3.4 Enforce Data Retention
14.5 Train Workforce Members on Causes of Unintentional Data Exposure
4.6 Securely Manage Enterprise Assets and Software
8.2 Collect Audit Logs
9.1 Ensure Use of Only Fully Supported Browsers and Email Clients
CoA 2:
Treat: Evaluate and monitor the effectiveness of your business’ security controls framework (e.g., NIST Cyber Security Framework (CSF)) against the identified at-risk assets:
CoA 3:
Tolerate: Do nothing more than ensure all identified assets receive timely updates.
CoA 4:
Transfer: Back-up all critical data assets to the Cloud and take out appropriate Cyber Security Insurance.
In this scenario, the 4th T (Terminate) becomes an unviable option, as to terminate the risk of ransomware the business needs to avoid using technologies that are in any way connected to the internet.
Broken Latch Mitigation Options
Having established the context of the risks for a broken window latch, now you can start to present your range of risk responses:
CoA 1 – Treat | Place folded up wedges of paper into the window frame and then close the window, The paper will help to keep the window from swinging open.Advantages: The window can be temporarily secured.Disadvantages: Although the window may appear secure, a burglar can still can entry.If there are high winds in the rainstorm, the window may work loose from the paper wedges. |
CoA 2 – Tolerate | All things being considered, the chances of a burglar climbing up and through a 2nd-floor window and the chances of rain damage are regarded to be very low.Advantages:No cost or effort is needed.Disadvantages:The actions of a burglar are unpredictable and all the valuable electronic items could be stolen.Heavy rain coming through the open window could ruin all the valuable electronic items. Should this risk occur, the replacement costs could be ££££. |
CoA 3 –Transfer | Add extra contents cover to the building insurance. Advantages:Should the worst happen, you can recover some of the costs to replace these valuable electronic items.Disadvantages:In the event that the rainstorm is not as bad as forecast and the rain does not come in through the window, there will be no return for the insurance paid.If the burglar does not see the insecure window, the insurance premium will prove to be an unnecessary expense.The insurance policy may still not cover the cost of any lost valuable electronic items, should the insurance company deem the failure to fix the broken latch as being negligence – making any claims nul and void. |
CoA 4 – Terminate | Call out a window specialist to replace the broken window latch.Advantages: The window can be permanently secured.Disadvantages: This is the most expensive option.A window specialist may not be immediately available.They might be an additional call-out cost.The window latch may not be available, compatible or the same as the remaining window latches. |
Covering Your Backside
Finally, provide the business with your recommended risk response and remember that the business may disagree with your recommended CoA.
- They may even have an idea for a CoA of their own!
Which is fine and well within the business’ prerogative but ensure that the business’ preferred risk responses are signed off by someone with the appropriate responsibility and accountability. Choosing the right correct risk response may be:
“Above Your Pay Grade!”
Section 2: Recommendation and Risk Owner’s Decision
Risk Appetite.
Only complete Section 2 if the risk is within the Business Department’s delegated Risk Appetite; RBC’s relating to Data Security are passed directly to GRC. If the risk is beyond the Business Department’s delegated Risk Appetite, complete and forward the RBC to GRC who will pass it to the relevant Risk Owner.
Risk Advisor Recommendation. Make a recommendation with a supporting comment. Identify similar risks and provide comments on compliance with previous decision conditions. | It is recommended CoA 1 be accepted for the following reasons: |
Name: | |
Job Title: | |
Date: | |
| |
Risk Owner’s Decision. | |
Name: | |
Job Title: | |
Date: | |
| |
Date of next review | |
Conclusion
No longer is it acceptable for businesses to ignore the ransomware threat and to just hope that it either goes away, or they are lucky enough to avoid becoming the next victim.
Business leadership teams need to proactively look at how they can suitable risk manage the ever-present ransomware threat, to ensure that they fully understand and appreciate the implications so that they are able to make an informed decision as to which approach, which reduces the risks to levels with which they are most comfortable with (within their risk appetite levels).
There are several options for reducing the risks of ransomware and each has its own Advantages and Disadvantages but by presenting all of the viable Ts of risk response you are showing the decision owners that you have extensively researched the topic and are presenting those that you believe will be the most appropriate for the business.
This then allows the decision-makers to make an informed choice on what they believe to be the best CoA.