By: Tony DePrato | Follow me on Twitter @tdeprato
On Friday, 12 May 2017, a large cyber-attack was launched that infected more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages. This type of malicious attack is classified as ransomware.
The ransomware concept is fairly simple. Once the package infects a system, it begins to encrypt all the data. The data is still on the machine, but it is not accessible unless the user enters a decryption key. In order to obtain the key, money must be sent to the “owner” of the ransomware. Usually this money is requested in the form of cryptocurrency, to make it difficult (if not impossible) to trace the payment.
Ransomware Targets Everyone
Schools often believe that certain security measures and protocols followed in the corporate world do not apply to them. There is often a consensus on campus that technology needs to be friendly and open. Because of this cultural approach to planning technology, many rules and regulations are simply not followed, especially if those rules and regulations are designed for extreme scenarios.
For example, it would be odd to find a school that did not have user-managed passwords for email. When users get their email account, they change and manage their own password. However, if someone recommends that school personnel set up multi-step authentication that expires every thirty days, that recommendation is probably going to be rejected. Any multi-step authentication process requires that users learn more about security and manage security more regularly. If a user makes a mistake, the delay in resetting their services is often considered unacceptable.
IT policies and procedures that would prevent a school from being a victim of ransomware, or other sophisticated attacks, are going to be policies that create barriers and limits. These measures would slow people down at times, and restrict certain types of technology from being used on campus.
Managing network and data security is a discipline that must be followed regardless of an organization's mission or definition. Best practices need to be studied as universal best practices. Studying best practices for only a single type of organization (like a K-12 international school) limits exposure to case studies, creative ideas, and threat assessment.
Ransomware Prevention and Protection
Investing money and IT security planning have something in common. If a person makes a decision about the future based strictly on past performance, they are very likely investing in a plan that is expensive and has a lower future yield. IT security threats work because they are original, and because a purchasable defensive solution was not available at the time of the threat.
Many organizations make the mistake of preparing for the future by buying protection for a threat that is no longer unique. This is useful if the threat resurfaces, but it is useless against new threats.
If an organization truly wants to be well prepared for ransomware threats, everyone in the organization should be able to answer ‘Yes’ to this statement:
“I can take my laptop/desktop/primary device and throw it away right now without severely impacting my work or life.”
Answering ‘Yes’ to that statement means that a person understands the data is more important than the machine it resides on. Just like investing in retirement, only diversification will save someone during a new and aggressive IT security threat.
There are numerous ways to achieve a high level of data diversity and redundancy. Here are a few that can be implemented with policy and practice:
- The standard for file storage should be in the cloud.
- Do not use sync software such as Google Drive Sync or OneDrive sync. A sync client faithfully replicates whatever is on the local disk, so once files are encrypted locally the cloud copies are overwritten with the encrypted versions too.
- Laptops given to staff and students should have very small hard drives to discourage hoarding data and storing old files.
- Weekly or monthly archiving of data should not be in the same environment as data for daily work. For example, I use Google Drive every day for work, but once a month I back up the important data to Dropbox. The larger archives are for emergencies, and are held within a different environment.
- Offline backups on external drives are good, but hardware can fail. Consider what data is critical and make sure the offline backup is not the primary copy.
- Systems like Time Machine can actually corrupt a backup set if they are backing up automatically, because an infected machine's damaged files are copied over the good ones. Consider manually initiating backups, only after you have scanned your machine/servers for malware.
- Photos and media can be challenging to keep organized in the cloud. Services like Google Photos, Instagram, etc. are designed for media. Use media-centric services to manage media.
- Email is not for data storage. If email is compromised, the communication threads should be all that is lost.
- Schools using local network shared drives and NAS systems (Synology, etc.) need to be restrictive and vigilant with permissions. If these services have been planned with “Ease of Use” as the driving force, they are at risk of being turned into an engine that will rapidly spread a threat.
- Limit non-cloud based data sharing to special groups or departments to reduce the need to constantly update and patch these systems.
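As an added example (not code from the original post), here is a Python pre-backup check that turns the "scan before you back up" practice above into something a script can enforce: it refuses to overwrite the last known-good backup when most tracked files have vanished or changed and the replacements have ciphertext-like entropy, while ordinary day-to-day edits pass. The file contents, paths and thresholds are constructed sample data and assumptions, not from the post.

```python
import hashlib
import math
from typing import Dict

# Constructed snapshots of a working folder (path -> bytes); hypothetical, not from the post.
LAST_BACKUP = {
    "docs/grades.csv": b"student,grade\nalice,90\nbob,85\n" * 20,
    "docs/lesson-plan.txt": b"Week 12: fractions, decimals, percentages.\n" * 30,
    "docs/notes.txt": b"Remember to email parents on Friday.\n" * 10,
}
NOW_CLEAN = dict(LAST_BACKUP)                      # one normal edit since the last backup
NOW_CLEAN["docs/notes.txt"] = b"Remember to email parents on Monday.\n" * 10

def pseudo_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file (constructed)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(length // 32))
    return b"".join(blocks)

# After infection: every document renamed and replaced with ciphertext (constructed).
NOW_ENCRYPTED = {p + ".locked": pseudo_ciphertext(p.encode()) for p in LAST_BACKUP}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text sits well under 6, ciphertext and compressed media near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def manifest(snapshot: Dict[str, bytes]) -> Dict[str, str]:
    """Path -> SHA-256, recorded at the time of the last known-good backup."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in snapshot.items()}

def backup_is_safe(previous: Dict[str, str], current: Dict[str, bytes],
                   max_churn: float = 0.5, entropy_limit: float = 7.5) -> bool:
    """Refuse to overwrite the last good backup when most tracked files vanished
    or changed AND the replacements look like ciphertext. Ordinary edits pass."""
    if not previous:
        return True  # first run: nothing to compare against
    now = manifest(current)
    missing = [p for p in previous if p not in now]
    changed = [p for p, h in now.items() if previous.get(p) != h]
    churn = (len(missing) + len(changed)) / len(previous)
    if churn <= max_churn:
        return True
    high_entropy = [p for p in changed if shannon_entropy(current[p]) > entropy_limit]
    return len(high_entropy) * 2 < len(changed)
```

Compressed photos and video are also high-entropy, so a large media import would trip this check; that is one more reason to keep media in a separate, media-centric service as the list above recommends, rather than in the folder the check guards.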
A final note to those who are making and enforcing policy. A single human vector who introduces one of these threats onto a network can create a cascade of destruction. Allowing anyone to circumvent a policy because of their title or position is placing everyone at risk.