What Is (and Is Not) in the White House’s Memo on Ransomware Protection
By Andrew Roberts, Chief Cybersecurity Strategist, cStor
In May 2021, the White House released the Executive Order on Improving the Nation’s Cybersecurity. This order now has nearly every government agency, and their directors, very busy implementing controls to better their cybersecurity posture.
The three weeks after that order was issued were very eventful: the East Coast suffered fuel shortages in the fallout of the Colonial Pipeline attack, and Colonial paid an estimated $4.4M to its attackers; we learned that CNA Insurance paid a massive $40M ransom; and JBS’ meat-packing operations were halted in yet another attack.
After all of that, on June 2, the White House issued a memo to Corporate Executives and Business Leaders urging us all to take steps to combat ransomware and protect against attacks. Many of the suggestions came directly from the earlier Executive Order and include good advice for businesses.
In addition to pointing out that the “private sector has a critical responsibility to protect against these threats,” the memo spells out some concrete actions. Some of those include:
- Implement multifactor authentication (MFA): The most devastating attacks rely on compromised credentials at some point. MFA closes the door on that attack vector.
- Encrypt data at rest and in motion: Encrypted data is useless to the attackers who steal it.
- Take advantage of endpoint detection and response products to see and react to an attack.
- Have a skilled, empowered security team: Whether it is internal or outsourced, somebody needs to be watching your environment.
- Back up everything and test those backups; without them, you cannot recover from an attack.
- Test your incident response (IR) plan. If you do not have one, make one – and test it to be sure it works.
- Use penetration tests to check your work. Penetration tests give you a hacker’s view of your organization. Do you like what the criminals see when they look at your organization?
What Isn’t in There?
Both documents cover a lot of ground, but there are a few notable items that are missing.
The most significant missing item is User Awareness Training. Our employees are the front lines of these criminal attacks. Unless we give them the ability to be appropriately suspicious and, most importantly, teach them what to do with their suspicions, we cannot expect them to be the first line of defense.
Since email is the initial attack vector for most attacks, a good email protection platform is critical, yet that is not mentioned either. Similarly, a secure web gateway or other web filtering tool would add another important layer of protection.
While the memo does encourage penetration testing, going a step further and adding continuous vulnerability management would help to make sure you stay secure between those penetration tests.
The memo could have gone a step further with its comments on encryption. Whole-disk encryption would satisfy the memo, but it may not be the best solution: it protects the disk only while the system is offline, and on a running system any compromised credential with access to the disk reads the data in the clear. A better approach is to thoroughly understand your data and where it resides, lock down the permissions to that data, and encrypt where appropriate – at the file level.
It’s Up to Each of Us
We have a responsibility to our organizations, stakeholders and shareholders to do better at protecting against ransomware and other cyber-crimes. By adopting a sound cybersecurity strategy and implementing the right controls in the right places, we can slow the pace of attacks. Unless we all do what is needed to make ransomware and other cyber-crime unprofitable, we will never be free from their grasp.