Ransomware: The NSA’s Top 10 Mitigation Strategies (and More)

2016年8月3日

Phil Richards | Chief Security Officer | Ivanti

The US National Security Agency (NSA) has issued a set of 10 prioritized security measures it recommends to combat ransomware and assure information security. The NSA has also collaborated with 13 other federal government agencies to produce anti-ransomware guidance for small, medium, and large organizations. Join LANDESK Chief Security Officer Philip Richards and Senior Product Marketing Manager Michael Dortch to learn details about these recommendations, and how LANDESK can help you to take advantage of them at your enterprise.

Transcript:

Introduction

Michael: Agracious good morning, good afternoon, or good evening, depending on where inthe world you happen to be at this particular moment. Thanks for joining us foranother LANDESK webinar today. Today's subject, as you should be able to see onyour computer screens right now, is Ransomware: The NSA's Top 10 MitigationStrategies (and More). My name is Michael Dorch, I'm a senior product marketing managerhere at LANDESK, and I have the honor of being your host today. I'll be joinedin a few minutes by LANDESK's Security Officer, Phil Richards. But before weget started, just a little housekeeping. We will be conducting a few pollsduring this event, so if you have a smartphone or can open a separate browserwindow, head on over to this address pollev.com/landesk. That's where you'll beable to respond to the poll questions as we toss them out there for yourconsideration. 


Also, you should see a Q&A window in your WebEx window. If you havequestions, please type them into the Q&A window. We'll get to as many of thoseas we can at the end of this session. If we have questions that we can't get toor you need follow-up, we will follow up with you via email within the next fewdays. Also, everyone who's registered for today's webinar will be getting an emailin the next few days that has a link to the on-demand version, so you can sharewith your colleague or just enjoy it again if you want to do either or both ofthose. 

What is ransomware?


With that, let's start the discussion by answering the question exactly what isransomware? This is basically what ransomware is: you log on to your computer,you're doing your work, you're opening your email, you're doing everything, andall of a sudden, you see a window that looks something like this. Some bad guyor bad person, because we don't want to be a sexist in the world ofcybersecurity, some malfactor has implemented malware on your system thatencrypts all of your important files, and they want you to pay them for thekeys to un-encrypt those files.

Now, unless you've been away for the past, I don't know, 12 to 15 months, youprobably already heard of ransomware, but there are some trends you need toknow about. One is that although most ransomware attacks initially targetedconsumers, interestingly enough, ransomware attacks are increasingly beingtargeted at organizations and enterprises. And the ransom demands, according tosome research that we've seen, the ransom demands on average have doubled sincelast year. Oh, and another trend, ransomware is now a business. You can now goon to what's called the dark Web, the place where hackers hang out, and buysoftware kits for deploying ransomware just like you can buy prepackagedapplications like games, like Pokémon Go, or anything like that. You can buysoftware kits that let you deploy and distribute ransomware in an almostautomated fashion. 

This is incredibly frightening if you are not a malfactor, because it meansthere are kits out there that let amateurs go out and deploy ransomware. But theamateurs aren't who you need to worry about. There are people out there who aredoing ransomware as a business. You may have read that INTERPOL and theNigerian authorities recently captured a team of people who have beenresponsible for a lot of those Nigerian prince email scams that you see, youknow, "I've got a gazillion dollars I need to free up and if you just sendme this much money to help me get it free, I'll share it with you." 

Those people are reportedly responsible for stealing more than $60 millionbefore they got caught. As the late Senator Everett Dirksen used to say,"A billion here and a billion there and soon you're talking about realmoney." Well, $60 million is real money. So ransomware is not only agrowing deal, it's already a big deal. The thing about ransomware that's mostscary is that it gets into most systems via emails. Emails that look legitimate,emails that induce people to click on a link or an attachment that deploysransomware on their systems. But that's not the only way it gets in. There’scrypto ransomware which doesn't even require you to click on a link. Once itgets in your system, it finds a way in and starts to install malware anddistribute it across your networks. The ransomware threat is growing andevolving on a daily basis. That's basically a layout of the scope of theproblem. 

Symantec recently published a report, The Internet Security Threat Report,Special Report: Ransomware and Businesses. You can see what it says here, andthe losses are likely to run to hundreds of millions of dollars, probably assoon as the end of this year, or before. Ransomware is both a disease and asymptom of a larger problem. This is something that was published in Forbes in April of this year. When youhave board members who can't read cybersecurity reports and who say they feelno responsibility for the consequences of being hacked, and yet hacking iscosting the US alone approximately $5 trillion a year.

 Ninety to 95 percent of all hacking beginswith a phishing email, an email that purports to be legitimate and asks you todo something that ends up installing malware on your system or bringingransomware into your network. This is the reality in which we are living today.Anybody can be hacked. Anybody, no matter how smart they are can be, almostanybody can be induced into clicking on a link that will bring ransomware orother malware into their system. The consequences are dire and expensive. Notto frighten anybody, but that's the reality in which we live. The obviousquestion becomes how best to respond. Because I am merely a marketing person, Ihave brought in a heavy hitter to help answer that question. Phil Richards isthe Chief Security Officer at LANDESK. Phil, thanks for joining us today. Gladto have you.

Phil: Good morning Michael. Thanks, everybody. It's good to be here. 

Michael: So Phil, you know the old joke “I'm from the federal government andI'm here to help you?” In this case, it turns out to be true. Tell us a littlebit about the documents that the NSA and other agencies have released recently,and then we'll dive into how to translate those into real responses. 

How to prevent ransomware


Phil: Sure. First of all, about 16 different agencies met together and decidedto give us a document based on their experience on how best to handleransomware. The document was put together pretty quickly by the government bythese different agencies, and they obviously tried to orchestrate a lot ofmaterial in here. As a result, some of the structure that we're going to be talkingabout doesn't really exist in the document per se. The document is a littlemore conversational in tone. But after we reviewed and assessed what's inthere, we decided to put it into a more structured format. So the structurewe're talking about exists, but you have to read into the document, I guess, alittle bit more than anything else.

Michael: So there's a government document designed to help us, but we need helpinterpreting that document because it is, in fact, a government document. 

Phil: Right. As you mentioned Michael, this is prevalent and an issue that'sfacing a lot of industries right now. So these different government agenciesare culling together a lot of data and a lot of information and trying to putthat into a 20-page document, which is pretty challenging under the best ofcircumstances, and really challenging when the sand is shifting under your feetas you're trying to go. 

Michael: It seems that we can divide this into three areas: the user educationarea, the proactive prevention, and business continuity. So Phil, let's look athow you've divided those up into sort of an outline of activities. Can you talka little bit about how you broke this out into the six sub areas?

Phil: Sure. Yeah. And these six are really the backbone of what we're going tobe talking about today. The six items here are really the categories of thespecific items they're suggesting we need to do. And those items roll up intothese categories. The categories aren't really in the docket per se. They dotalk about education and proactive prevention and business continuity. We'll gothrough some of the details behind each one of these and what it means toeducate your staff and what it means to have email hygiene and that sort ofthing. Those items do come directly from the document. 

Michael: Interesting. All right. Let's take our first poll question then. Howwould you rank the importance of these efforts at your enterprise today? I seesome of you eager beavers have already responded to this question. If you havenot, now would be a good time to do so. We see responses shifting so that meansmore responses are coming in. It looks like for many of you, user education isthe number one ransomware effort, but we’ll give you a few more minutes torespond to this poll. In the meantime, let's talk a little bit about usereducation. Phil, why is user education important? 

User education


Phil: Well, there are a bunch of reasons why user education is important. Thefirst is that almost all ransomware does, in fact, originate through the vectorof email phishing. That means most ransomware gets into your environmentbecause somebody clicks on either a link or an executable they received in email.Ninety-five-plus percent of the time, that's the mechanism that's used foraddressing or accessing ransomware. Additionally, oftentimes times you'll beclicking on a website, and that website will, in fact, have been compromisedusing what's known as an exploit kit. An exploit kit is software on acompromised website that will scan your computer looking for vulnerabilities, andit will use those vulnerabilities to get into your computer.

As you mentioned before, ransomware criminals are becoming more and moresophisticated. They are becoming the world's leading experts at socialengineering. I don't know how many folks on this call have seen some of thephishing emails that come about from ransomware, but sometimes they aredevilishly difficult to ascertain that they're not legitimate emails. It isvery, very difficult oftentimes to see those phishing attacks for what they are,because they look to be very cunning and are really enticing to click on. The industrynorms or the industry averages state that the click-through rate for mostorganizations is in excess of 30 percent. That means more than 30 percent ofpeople will do an initial click on an email that is in fact ransomware or somesort of malware. 

All of these things point to the fact that your people need to be educated, andthey need to feel like they really have the ability to understand, decipher,and inoculate themselves from that ransomware. 

Michael: Okay. Well, we see that user education is by far and away the numberone item chosen by our colleagues on today's webinar.

Phil: Actually Mike, just a couple of quick things. First of all, my personalopinion is education is about the most important thing that you can do, aswell. I wanted to tell a quick story about how we're doing education at LANDESKinternally, actually at LANDESK.

Michael: Oh, cool.

Phil: We've partnered with an organization that specializes in actuallycreating email phishing campaigns. What we're doing is, on a quarterly basis,we’re providing phishing emails to our employees. We're actually designingthese emails, we send them out to our employees and find out how effective theyare at deciphering these emails and not clicking on them. Basically, we'regetting our own staff some practice, and we're capturing those metrics. Also,when people do, in fact, click through on an email that has been designed as aphishing email, they receive some relatively quick feedback that says,"This has been a phishing campaign, this was a test and had this been anactual ransomware emails you know, then bad things might have happened, but fornow bad things aren't happening." That kind of thing. 

We're providing some education that way, we're providing some immediatefeedback, and at the same time we're giving people practice and helping ourorganization become more vigilant. The reality is, if they're being vigilantbecause they're worried about me sending them these test emails, they're goingto be equally vigilant against the bad guys who are sending out real ransomwareemails.

Michael: You know, Phil, I have to say it seems to me that you can't do toomuch of this type of user education. It also seems that you can't just set and forget.You can't just do it once and let it go. It seems this is the kind of thing youneed to test early, test often, and get in front of people on an almost regularbasis. Otherwise, this is the kind of thing people will let fall further downthe stack until they stop thinking about it, until the malware gets into thesystem. Is that an accurate read?

Phil: Yeah. I think so. I think what you're trying to do is help your staffrecognize that sometimes the kind of email we're talking about can be verydifficult to view and to ascertain, and to make sure you understand that, infact, it's a bad thing. But that’s really the job, to help everybody on theteam recognize that, or give them the tools so they can become better atrecognizing those things over time.

Michael: Okay. While we've been discussing this, I’ve put another poll up,another poll question. What is the status of user education about ransomwareand IT security at your enterprise?

As you shouldbe able to see, more than half of the respondents say it's only limited at theirenterprises. Almost a quarter of you say there actually is no formal trainingin ransomware or security. You know, if you’ve ever watched that show 24 or any bad spy movie, usually beforesomething blows up, the giant digital timer is counting down. There's a giantdigital timer in your IP infrastructure that's counting down until you gethacked if you aren't doing some user education training about this stuff. Ican't stress that enough. 

But as Phil mentioned, you've got to put information in front of people. I'veseen a number of enterprises where, when people are hired, they get a spielabout IT security and they maybe even get a spiel about ransomware, but that'sit. There's no regular follow-up, there's no regular training, they don't dowhat we're trying to do at LANDESK, which is actually send test emails out topeople and get them on board to understand why this is a big deal. 

I can't stress enough, especially for those of you where user education islimited or there is none, to move forward on this with alacrity because as Philmentioned and as the research out there shows, even CEOs, even CFOs are gettingtricked and duped by some of this phishing. It used to be just regular phishingemails, right? Now they’re more targeted, and they’ve started calling it spearphishing. There are emails that are aimed specifically at CFOs and CEOs, andthey have instructions that say things like, "Hey, CFO, this is your CEOwriting to you. I need you to transfer a million dollars into this accountright away." They call that whaling, because you're going after the whalesof the organization, the highest-level executives. 

Just like in Las Vegas, they call large gamblers whales, so the bad guys arecalling this stuff whaling because they're going after the highest-levelexecutives in your organization. And like Phil mentioned, these people arebecoming masters at social engineering. It's not a matter of well, our peopleare too smart to fall for this. The short response to that is, “No they're not.” 

Phil: Michael, you mentioned whaling, and I think that's an important point.The FBI calls it by a different term. The term they're using is business emailcompromise or BEC. 

Michael: Right.

Phil: As of the beginning of 2016, BEC compromise worldwide had netted close tohalf a billion dollars for the bad guy. It is a significant issue. Many majorfinancial services organizations have been hit and have lost money based onthis. Fortunately, a lot of the checks and balances in the financial servicesindustry have caught a very large number of these attempts and have thwarted thembefore money actually had changed hands. Otherwise, that number would be a lotbigger. 

Email hygiene


Michael: Well, that's an excellent segue into the next subject area we citedfor today, which is email hygiene. Phil, I want you to explain to people whatyou mean by email hygiene and why it's important. While that's going on, I'mgoing to put up another poll about email hygiene. Maybe you could take a coupleof minutes and explain to people what email hygiene is and why it'simportant. 

Phil: You bet. I think this is a pretty key area and, in fact, the governmentbelieves it's a pretty key area, too, because they spent a significant amountof their pages around email hygiene. When we talk about email hygiene, thetypes of activities we're talking about include strong email filtering. That'sthe ability, at the gateway of receiving email, for you to have a multiphasedfilter that phases things based on sender reputation and email content and theexistence of malware in executables in the email, along with, like I said,reputation-based services and that sort of thing. Strong email filtering is animportant part of it.

Additionally toemail hygiene, there is scanning inbound emails for filtering and executables.There's a concept called rewriting URLs or URL rewriting. What that means isbefore it delivers an email message to, for example, Michael here, the gatewaywill rewrite that URL so that it doesn't go directly to the website it wassupposed to go to, but it goes through the email gateway. The email gatewaywill look at that URL and examine it at click time to determine if it's gotmalware. The reason why that's important is because most URLs that have beeninfected are only infected for a short period of time. We've all seen theseURLs that have ad banners along the sides and oftentimes, what is infected is,in fact, those advertising banners. 

A specific website you click on might be infected for five minutes during theday, and it just so happens that you may or may not click on it during thatfive-minute period of time. It's important to assess an email or websitevulnerability at click time, so that's why URL rewriting is important.Additionally, email hygiene includes some basic blocking and tackling such asdisabling macros from being run from email content especially and, like I said,to deliver documents and have a system that detonates executables before itdelivers them. You want an email blocking system that will look at executablesand run them in a virtualized environment, and based on the behavior of thoseexecutables, it will deliver them or not deliver them to you—again, based onthat behavior. 

The question around why this is important—it's important because email is thenumber one vector for delivering ransomware and infecting your infrastructure.As a result, stopping that malware-laden email at the source is the mosteffective way to prevent ransomware from getting into your environment. 

Michael: Well, based on our poll results, more than half of our respondingattendees have some fairly extensive processes in place for filtering and/ordisabling macros. So that's a good thing. The people that worry me are thefolks that only have limited or no formal email hygiene processes in place. I'mhoping that with what Phil has just said about why this is important and whatit consists of, that will change at some of those organizations. But you know,it seems to me Phil, that email hygiene goes hand-in-hand with this next areawe're going to talk about, which is hardening the network. It seems that inaddition to being able to filter out potentially malicious emails and rewriteURLs where it makes sense, it seems to me that's a subset of a larger goal,which is to turn the network into a fortress like the one that's pictured here.Maybe you could talk a little bit about why network hardening is important,what that means exactly, and how we can get to it while I put up a pollquestion about that very topic.

Network hardening


Michael: You bet. One of the things I wanted to cover is actually on thisgraphic. I really love that graphic of the email fortress of the castle. One ofthe reasons why that becomes so valuable is, as you're probably aware, one ofthe things a castle did was keep the bad guys out of the building. But it hadanother purpose, and that was if they did breach one section of the building,the castle fortress was built in such a way that you could contain the breach. Youcould have people, maybe the Huns were getting into one section of the keep,but you could close those big heavy oak doors and lock them and keep the breachcontained to that one area. Really, network hardening is all about containingthat breach.

When ransomwaregets into your environment, one of the first things it's going to do is seekout additional drives and additional network vectors it can use to encryptadditional files. Network hardening is all about keeping that breach containedso the software, the ransomware software, can't get into the other areas ofyour network. This includes things such as using firewalls to block known badIP addresses, and that works through reputation services. It also includescategorizing your data and restricting access to your data based on that dataclassification. People in your organizations who don't need to view yourfinancial services data shouldn't have access to see your financial servicesdata, as an example. The same thing with your HR people, and everything elselike that.

The other partof network hardening is vulnerability assessment and penetration testing. Thewhole idea here is you can't protect yourself against vulnerabilities unlessyou know they're there. You need to be performing assessments of thosevulnerabilities on a fairly regular basis. 

Michael: Is network hardening an IT issue? is it a security issue? is it anoperations issue? Who should be involved in the discussions of networkhardening that need to take place to get it implemented?

Phil: Network hardening as a concept resides in all of those different areas.Network hardening...

Michael: I had a feeling you'd say that.

Phil: Yeah. Network hardening from an implementation standpoint usually belongsto the IT organization. They're responsible for managing the hardware andconfiguration of your network to make sure that you have adequate hardening.The security folks in your organization are obviously really interested indefining and understanding which employees are supposed to have access to whatareas in the network. And then there is a design component where you're tryingto segregate your network so it becomes more manageable to allow certain peopleto have access to certain network segments that might be sensitive or need tobe more secure. 

Michael: It seems to me this is an area ripe for high-level and frequentcollaboration between the IT and security teams and the business teams, becausethe business teams need to help prioritize who needs access to what so the ITand security teams can oversee the management of that access. Is that anaccurate read?

Phil: That's right, Michael. The business teams are critical in helpingdetermine what is required access, what access needs to happen. The easiestthing in the world would be for the IT folks to simply turn off all access toeverything, and then we would never have a problem with security because nobodycould get in. It would be kind of hard to get your job done, however. So therehas to be a balance between those two activities. 

Michael: Okay. Well, it looks like the vast majority, well, it's almost splitin half, but it looks like the majority of our attendees either havecomprehensive or extensive network hardening efforts underway, but a fairnumber of them only have limited and a few of them have no formal networkhardening processes in place. I'm hoping this part of the discussion willmotivate those of you who picked C and D as your answer to replace those withanswers A or and/or B sometime in the near future. 

Philp: I can see, Mike, unequivocally, this is a tough nut to crack. I mean,getting a real solid or consistent network hardening can be very difficult. Butyou don't have to boil the ocean the first time out. You can find some specificareas within your network that might be due to have some additional securityaround them and incorporate some security on a piecemeal basis. That'sperfectly fine, and in fact, it allows you to kind of separate out the areasthat are probably going to be the most important to not get infected byransomware.

System hardening


Michael: Makes sense. Okay, let's move down a level into something that's maybemore doable by more people, which is system hardening. For those of you tooyoung to recognize this, it’s Popeye the Sailor Man, and he used to becomesuper strong when he ate some spinach. So spinach is sort of his system-hardeningmodality. Phil, talk to us about what system hardening means and why it'simportant, while I see if I can get the polls to behave the way I want them to thistime.

Phil: Sure. System hardening is really one of the areas this federal documentaround ransomware spends quite a bit of time talking about, so one of thethings I want to do is review what the document brings out. I think there are somepretty important areas in here. Clearly, one of things they talk about a lot ispatching your environments, patching your operating systems, patching softwareand firmware, and it says they recommend you use a centralized patch managementsystem. Patching is the first line of defense from a system hardeningperspective. One of the things we talked about earlier is the fact that one ofthe ways ransomware gets in, one of the key ways that ransomware gets in is itprobes your laptops and your desktops and your servers in order to findvulnerabilities. Those vulnerabilities are much more difficult to find if yoursystem goes through a regular patch cycle and receives updates, firmwareupdates or software updates. 

Additionally, they talk about antivirus and antimalware programs and conductingregular scans. Unfortunately, a lot of malware still only goes through theregular vectors of well-defined, well-understood viruses and malware, andoftentimes that goes undetected when it could have been detected. One of thethings that we're starting to see a lot more is companies that say, orindividuals within companies who say, "I have an antimalware on my machine,and it didn't detect this ransomware." Upon deeper inspection, oftentimes whatwe find out is that antimalware device was in fact on the machine, but it wasturned off or it hadn't been updated in 18 months or something like that. Moreoften than not, we're finding now that making sure you're conducting regularscans, that your antimalware software is up-to-date and/or has the latest virusdefinitions. It is, in fact, a good way of defending against that kind ofstuff. 

Michael: You know Phil, this is an area fraught with irony from my perspectivebecause you could argue that some of the vendors of antivirus and antimalwaresoftware out there have done too good a job of convincing too many people ofhow easy their tools are to use. A lot of people think that antivirus orantimalware software is a set once and forget kind of thing. That means theyinstall the software, and I've seen individuals I've worked with, not atLANDESK but elsewhere, who've been guilty of the same thing. They install theantivirus software, and they think they're protected, but they don't realizethose things need to get updated on a regular basis. Just because you have itset to automatically update doesn't mean you get to stop paying attention. 

Phil: That's a good point. It's also worth noting that one of the first thingsmost malware does, one of the first things it does when malware gets infectedon your system is it turns off your antimalware device. That right there shouldlet you know that having that on and updated is important, because that's whatthe malware does first, it turns it off.

A few otherthings the document talks about from a system hardening perspective, it saysyou need to manage the use of admin privileges or privileged accounts. When thegovernment says manage the use of privileges and accounts, what they mean isyou need to reduce the use of privileged accounts. This goes to the concept ofleast privileged. Make sure your people have enough authority on their systemsso they can get the job done, but not more authority than they need to gettheir job done. That's an activity on the privilege management side that needsto be done. 

Additionally, they talk about implementing a relatively new term called “softwarerestriction policies” or SRP. This is a brand new field, and Mike, I’m sure, willcover this in a lot more detail, but AppSense, which is a LANDESK product,happens to be very much the market leader in this space. 

Michael: Yeah. Not to get into a commercial at this stage of the presentation,but privileged management and software restrictions are two of the main reasonswhy LANDESK acquired AppSense and why AppSense is now part of the LANDESKfamily—because they are leaders in that space. And it is an important space. AsPhil alluded to, email is not the only way this bad stuff gets into yourenvironment, and so you need as many protections as you can implement. We'lltalk a little bit more about how we can help near the end of today's session, butit's interesting here that more than half of our attendees have some level ofsystem hardening in place. That's a promising thing.

Phil: That's really good. 

Michael: Yeah. That is really good. It's good as far as it goes, you know?There are a whole bunch of things you need to do to protect your network, andthis is one of the most important ones. So I'm glad to see that the numbers arewhere they are on this particular poll question. 

Phil: A couple of additional items under system hardening that the governmentkind of threw in almost like parting shots. They said, "Oh yeah, and bythe way, you should disable remote desktop, and you should do applicationwhitelisting." Both of those things are somewhat difficult to do, and it'sinteresting that they threw them in kind of at the end. They are difficult todo, but doing them is extremely important. Again, application whitelisting is acore competency of LANDESK and AppSense. I'm sure we'll be talking about that alittle bit more. Now let's talk about why this system hardening is important. Thereality is, as Michael mentioned, email isn't the only way for ransomware toget into your system. The best email protection will not be able to protect allyour systems perfectly, and you will still get some things through. As wementioned before, social engineering is getting to be extremely good from thebad guys' perspective. As a result, ransomware will likely get into your systemthrough simply social engineering activities. 

Hardening your systems assures that even when ransomware is loose in yourenvironment, it can't get a toehold, and it can't infect your systems. Many ofthe ransomware variants actually identify and exploit vulnerabilities on thesystems they infect. If you're up-to-date with patching, and if you'repracticing the good system hygiene we discussed in this session, it's unlikelythat ransomware will be able to identify vulnerabilities. It won't be able toget into systems, even if you let it in through your email. 

Michael: Okay. so you've hardened all your systems, you've hardened yournetwork, but now we still got in there. The good news is, if you've backed upyour data, you can minimize the impact. Let's talk a little bit about why databackups are important, beyond what I just said, and what it means to do goodbackups, while I put up a new poll question. 

Data backup


Phil: You bet. And by the way, we're going to talk about backing up data alittle bit more broadly. The first question from the CEO of your company whenyou get hit with ransomware is going to be "Well, we have backups don'twe?" Of course, the immediate answer is "Yeah. We've gotbackups." Then the person who's answering that is thinking in the back oftheir mind, I'm not sure how frequently they've been done, I'm not sure howrecently they've been done, and we haven't tried to restore them anytimerecently. There might be some difficulties in some of those steps. Butanswering those questions is what we're talking about when we talk about backingup data.

Of course youneed to have your data backups being done. You also need to verify theintegrity of those backups and perform test restorations to make sure that yourprocess is working, to make sure that when you need those backups, you canactually go back to them and restore systems.

The other thingyou want to make sure you're doing is securing your backups. You want to makesure the backups are not connected to your computer networks, because the firstthing the ransomware is going to do is reach out and try to touch everything itcan on your network. If your backup is available on the network, it's justgoing to lock that, as well. Then your backups will be just as locked up asyour original files are. You want to make sure you're pulling those backupsfrom a tape, that they're offline, and they're out of your system. Oftentimes,you want to put them in a rotating fashion into a secure storage facility,rather than keeping all of your backups in your local data center. 

There's a process around thiswhole data backup session, and that's really what we're trying to advocatehere. You want to get involved in that process and not just the concept ofbacking up data. 

Michael: You know Phil, when I was a Cali, young, industry analyst in the earlyJurassic period of the 1970s and 80s, I used to visit companies and they’dproudly show us that their backup tapes were stored in the same data centerwhere all their primary computing happened. So I naively asked, "Whathappens if there's an earthquake or a fire." And silence ensued. 

Phil: You know, that's a really good point, Michael. Backups are really part ofyour business continuity and disaster recovery scenario. If you have aparticularly insidious piece of malware or ransomware that is locking up asignificant portion of your system, I would say you're in a businesscontingency situation right there. You need to have those processes in place soyou can recover. Having a backup is just the best way of being able to addressransomware that's already infected your system. It's important that you'repaying attention to that particular piece of it.

Michael: So I would opt for the observation here that you need to apply the Russianproverb Ronald Reagan used to love so very much. Where your backups areconcerned and where in fact, all of your antiransomware process is concerned: trustbut verify.

Phil: Trust but verify. 

Michael: Trust but verify. You can't just put the stuff into place and walkaway from it. You have to test it, and you have to make sure it's working allthe time. And that leads to the final area we're going to talk about today,which is incident response. What happens when there's an incident, and what arethe processes that you have in place to deal with that? Phil, can you talk abit about what incident response is, why it's important, and how we should bedoing it?

Incident response


Phil: Yes. I will, and I actually want to illustrate this with a little bit of astory. My father-in-law, who's in his mid-70s now, called me up in a panic acouple of weeks ago because he received a notification of malware on hiscomputer. Now, the way this malware worked, it was very much a fear-inducingkind of thing. And it turns out his computer actually wasn't infected yet, itwas just a website. He said, "My computer has made noises it never hasbefore, the screen turned completely red, and it flashed." The first thinghe did was check to see if his financial accounts had been accessed. Heimmediately got on his computer and logged into his bank account, which isobviously the exactly wrong behavior. The one thing you don't want to do ifyou're getting infected is start to give the bad guys access to your financialaccounts. 

The point of that story is, if we don't think through the incident processwell, we're likely to get hit by that panic when it happens, and we'll do thewrong thing because we haven't thought through the right steps. The incidentresponse process is all about thinking through the steps you're going to takewhen panic ensues, so you don't have to try to figure it out while you're inpanic mode. 

This document, again we're still talking about this ransomware document fromthe government, it actually provides us about eight steps for a good incidentresponse set of activities. The first one is to isolate, power off infectedsystems. Second is to secure a backup of the data. Third is contact lawenforcement. Then collect and secure all evidence. Number five is changeaccounts passwords and network access. After that it says clean infectedsystems while they are offline. Research recovery options that don't requirepaying a ransom. And the last step they have is do not pay the ransom. 

This might be different from what you heard from different government entitiesin the past, but the consolidated recommendation from these consolidatedagencies is, do not pay the ransom. More often than not, you will be worse offfor having paid the ransom. And it's also a social good to not pay the ransom.The reason why there's so much ransomware is because it's profitable for thebad guys. By not paying the ransom, you're contributing to that being lessprofitable, and there being less of it out in the world. 

Michael: And you know, Phil, I think it's also important to point out thatpaying the ransom does not guarantee the bad guys will give you the keys youneed to de-encrypt all your data, and paying the ransom does not remove themalware from your system.

Phil: You're absolutely right. 

Michael: You may not be buying yourself anything by paying the ransom. 

Phil: Right. In fact, you might be buying yourself a lot more trouble now theyknow there's somebody there who is willing to pay the ransom. We've seencase-after-case where if you pay the ransom, the bad guys will say justkidding, we're actually going to ask for double that amount. So you need to payus twice before we'll decrypt it. And you know, who knows how long they’ll keepyou hanging in that process. 

Michael: As long as you continue to promise to write checks probably is theanswer to that question.

Phil: Exactly. 

Michael: A lot of the organizations represented on the call today probably needto revisit your incident response processes given the poll responses we'reseeing right now. I mean it's the kind of thing where you want to sit down withyour IT and your security and your operations people and work out a detailedplan not only for your incident response, but for testing that incidentresponse on a regular basis and reporting the results of those tests back andusing those results to improve the process over time. 

Phil: Let me just make a recommendation in this space. If you're not sureexactly how to start the incident response process, write down a set of steps,and perform what's known as a tabletop exercise. Get some folks in a room who aregoing to be involved if you have a ransomware activity. Walk through the ransomwarescenario, and discuss how, as a team, you're going to know that ransomware isin your building. How are you going to address all the different kinds ofcommunication activities that need to take place, from the media to the bad guysto your customers to your third-party vendors to your employees. Talk throughall the different kinds of activities you need to go through. The reason whyyou have that tabletop discussion is so everybody in the room starts to get afeel for what their job is going to be when and if ransomware gets into yourenvironment.

Michael: These are the same steps you need to go through for disaster recoveryand business continuity in general. You need to actually walk through what'sgoing to happen if something happens because you don't want people runningaround in a panic when something happens because they have not beenprepared. 

All right. We've gone through the primary areas that Phil outlined in terms ofthe government documents and what they recommend. I'm going to put up one morepoll question here. I'm going to try to anyway if the polling gods are with us.Given all we've talked about, which antiransomware efforts do you expect topursue most aggressively at your enterprise within the next 6 to 12 months? Whileyou're answering that question, I'm going to walk through briefly how LANDESKcan help you fight ransomware and malware and keep your environments moresecure. 

You know, one of the challenges is that a lot of this stuff takes place in silos.You can walk into a typical enterprise and see multiple security efforts, andmultiple antiransomware efforts, and each department has its own securityinitiatives. That's really not the way to go, as you've heard today, and asyou've seen from some of the very poll results you've given us, there is a needto bring the enterprise together and to operationalize security moreeffectively and more consistently across the entire enterprise. 

LANDESK solutions


We believe our solutions help build bridges and knock down those silos and helpyou implement an effective and consistent enterprisewide security environmentwithin your IT infrastructure. We like to say remediation is good andprotection is better, but prevention is sublime. Prevention is what you'retrying to do here. You're trying to prevent ransomware from getting into thesystem in the first place, but you also want to be prepared to deal with it ifit does succeed in getting in. And that requires a coherent, consistent,well-managed effort that spans the entire enterprise and even reaches outbeyond the walls of your IT infrastructure to your outside users and suppliersand your customers. 

We believe our set of offerings does that, and does that by focusing on a fewkey areas. We like to talk about how we help to automate mundane tasks likepatching, so they get done more consistently across more of the enterprise. Andwe like to automate those tasks that often fall through the cracks or sufferfrom what I like to call repetition fatigue. If you let humans do the same taskover and over again, eventually they get tired and they start to slip up. Maybeyou've seen that I Love Lucy episodewith Lucy and Ethel on the candy assembly line. That's an extreme example ofrepetition fatigue. 

The more you can automate the tasks that need to get done regularly, the moreconsistently they'll get done, and the more consistently they'll comply withyour business requirements and any regulatory requirements you may have. Automationis key to improving security in your environment. Beyond automation, it'sconsolidation. Once there is a breach, you can spend an awful lot of timelooking at 87 different screens just to figure out where the breach happenedand what particular equipment has been compromised, if any. By consolidatingsecurity information and consolidating information about your assets and aboutyour infrastructure, our solutions help you get to that root cause more quickly.You can also use consolidation to help you be more proactive in how you managesecurity by bringing together disparate data from across your enterprise aboutwhat security modalities are in place and which ones are not. Automation andconsolidation are critical benefits that we like to say we bring to yourenvironment. 

Beyond consolidation is visualization. The analogy I like to use here is when acat looks out across an expanse, whether it's your cat at home looking acrossyour living room carpet or a leopard out in the veldt somewhere, when a catlooks out into an expanse, that which is moving is in sharp relief compared tothat which is still. The reason for that is if it's moving, it could be apredator, it could be a meal. In either case, those things are more importantto the cat than anything else it's looking at. We like to use visualization inthat same way. We take that consolidated information and present it in waysthat are easy to assimilate, easy to understand, and easier and faster to actupon, so executives can see information like the report you're looking at. Now,maybe the sys admins get a more granular view of what's going on, so they knowwhere to focus their efforts. 

Beyond visualization is personalization. We have solutions like LANDESKworkspaces for the security admin, LANDESK workspaces for the end user. Each ofthese takes visualization to another level and helps to present informationthat's tailored to the role. People only see what they need to care about inthe order in which they care about it, so they know what they need to donext. 

Those are the four technology areas that we focus on. As we talked aboutearlier, one of the things we've done is acquire the AppSense team because webelieve that if you can patch and you can manage privileges and you can do thosebasic things on a regular basis, you can mightily improve your security ingeneral and your resistance to threats like ransomware. Our portfolio ofproducts is designed specifically to help you do that in a consolidated way. That'swhy we focus on security across all of the products we sell. Asset Management,Service Management, Endpoint Management, all of these things have securityelements built into them. LANDESK security suite and our Shavlik line ofproducts—all of those products are designed to help you be more secure, andthey're based on technologies that are proven and consistent and driven bycustomer needs.

I like to tell people, "We don't do everythingwell, but the things we do well, we do really, really well.” The things we doless well, we interoperate with other people's solutions. If you have tools inplace for things like antivirus, or if you have vulnerability testers in place,we can interoperate with the stuff you have and increase its business value byimproving the security of your overall environment. It's not just products. Wehave partners out there, we offer services, we have a vibrant user community.As you can tell from the webinar you've just sat and listened to, we have somepretty smart people on our team. We can make those people available to you inwhatever way is appropriate to help make your environment more secure. 

I'm a security product marketing manager, so naturally, I'm focused onsecurity. But it's not just security, we do service management, employmentmanagement, all those things I mentioned. We also have this ecosystemsupporting all of those efforts around the world. I just want to say, Australiahas its equivalent of the NSA, one of the agencies that produced the documentsPhil was talking about. This is what they say, "If you can implementwhitelisting and timely, consistent patching of your applications in operatingsystems and restriction of administrative privileges, you can prevent up to 85percent of targeted attacks." We help you do all four of these things plusmore. And we bring to these efforts that automation, consolidation,visualization, and personalization that I mentioned earlier. We can help makeyour environment more secure and do it without disrupting your businessoperations or impeding user productivity. That's what our focus is when we talkabout IT security and fighting against ransomware. 

Oh, and one other thing to keep in mind. Dan Lutter is one of our smartest,savviest, most active users. He's on our product advisory committee and ourenterprise customer council. He said this at our interchange conference thisyear, and it's true. "Security is too big an issue to be left up to yourIT people or your security people alone. Everybody works in security now."That's why user education is important. That's why all of these other effortsare important, because security affects everybody. If your environment is notsecure, you can't rely upon it, and your customers and partners can't rely onyour organization. Everybody works in security now. 

So with that in mind, if you want to talk security, you should be talking tous. We're almost at the top of the hour, so to not impede upon your day, I'mgoing to forgo the Q&A portion of today's session. If you have questionsand you submitted them, we'll get to them via email. You will be getting a copyof the recording. You'll be getting a link to the recorded version of thiswithin the next few days via email. 

So thanks, Phil. It's been really great having you on the webinar today. Ireally appreciate your expertise and your enthusiasm. And thanks everybody, forattending today. Thanks for taking time out of your busy day to join us, and welook forward to having you at the next LANDESK webinar. You can see informationabout our upcoming webinars at LANDESK.com/webinar. Thanks, everybody, have aproductive and profitable day.