The Hits Just Keep On Coming. The NCUA recently issued a statement warning of increasing cyber security vulnerabilities for credit unions and other financial services market participants, covering ransomware, malware, phishing attacks, and supply chain attacks.
And just this past month, we watched as a ransomware attack on a major pipeline vendor generated panic throughout the mid-Atlantic and “got attention” at the most senior levels of government.
So, once again, ransomware is “in the news”, and for good reason. Whether it’s WannaCry in 2017, SamSam in 2018, or Ryuk in both 2019 and 2020, ransomware is one of the most common and devastating threats to organizations of all sizes. And with the SolarWinds and Colonial Pipeline events, we can see that ransomware continues to grow in strength, posing a threat to networks around the world. Credit unions are neither immune from the threat nor forgotten by the criminals who deliver malware in search of ransom. But is ransomware the problem, or just one of the most painful symptoms of our cyber security failings?
Follow the Advice of Gene Kranz — Start Working the Problem. But what is the problem?
Sometimes ransomware works by preventing a user, or a network of users, from accessing their laptops, desktops, or servers until a monetary amount is paid to the operator of the ransomware. Other times, ransomware includes malware with the potential to lock up or destroy data unless the damage is reversed. It can infect your computer in many different ways, including malicious spam carrying an attachment, typically a PDF or Word document that executes malware when opened. Ransomware is often delivered via email, using social engineering to trick users into opening attachments or clicking specific links.
But no matter its delivery method, ransomware can be devastating, and because it is growing in number and in its ability to do harm, we rightly focus time and resources on combating it. But are we really working the problem when our efforts and purchased solutions are focused on:
- blocking malware we already know about (the typical anti-virus approach), or
- finding malware and stopping it after it executes, but before it can do irreparable damage (we hope), or
- cleaning up the damage done or paying off the bad guys who delivered the malware?
Is Ransomware the Problem? Or is it our failure to deploy a zero-trust security model and our failure to demand hardened applications on our endpoints?
The zero-trust model posits that devices should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN, and even if they were previously verified. In most modern enterprise environments, networks consist of many interconnected segments, cloud services and infrastructure, connections to remote and mobile environments, and even connections to non-conventional IT, such as IoT devices. In such highly diverse and distributed environments, the traditional approach of trusting devices within a corporate perimeter, or devices connected to it, makes little sense.
The zero-trust approach calls for mutual authentication, including checking the identity and integrity of devices at all locations, and granting access to applications and services based on the confidence in device identity and device health, in combination with user authentication.
Zero trust, to me, is the answer to the real problem revealed by ransomware and other forms of malware. It is the answer to the problem posed by the question “how do I secure my environment from unauthorized users and processes?” But zero trust will not succeed fully if organizations do not demand hardened applications on endpoints: applications that will not allow unauthorized processes to run.
Remember, the most insidious forms of malware and ransomware are deployed against organizations via executable code that mimics, or hides inside, the applications it hijacks, entering and moving undetected within the network environment until it’s too late to stop the damage. If we don’t stop this behavior, we cannot fully embrace the zero-trust model, and we cannot fully focus on the problem ransomware reveals.
To work the problem, we must address unauthorized processes running on endpoints that insert malware into networks. We need a game-changing solution for application hardening. We need a solution that can ensure applications DO NOT RUN unauthorized, unverified processes; otherwise we will never achieve the zero-trust security model necessary to ensure our networks can grow and evolve while protecting us from malware and the bad guys who create and deploy it. We need to STOP GUESSING and START WORKING THE PROBLEM.
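As an added illustration of the model this piece argues for (example code, not from the NCUA, the author, or any product), the Python below is a default-deny access decision that ties the device-identity, device-health and user-authentication checks of the zero-trust description above to the executable allowlist the final paragraph calls for. Every device name, fingerprint, binary and threshold is a constructed placeholder.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed device inventory: client-certificate fingerprint -> asset tag.
ENROLLED_DEVICES = {"a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4": "cu-laptop-0042"}

# Constructed application allowlist: SHA-256 of each executable approved to run.
APPROVED_BINARIES = {
    sha256_hex(b"constructed bytes of the approved core-banking client"),
    sha256_hex(b"constructed bytes of the approved browser"),
}


@dataclass
class AccessRequest:
    device_fingerprint: str         # identity presented by the device
    disk_encrypted: bool            # health: full-disk encryption enabled
    patch_age_days: int             # health: days since the last patch
    running_binaries: list          # health: contents of each running executable
    user_mfa: bool                  # user authenticated with a second factor
    on_corporate_lan: bool = False  # reported, but never consulted


def evaluate(req: AccessRequest, max_patch_age: int = 30):
    """Default-deny: return (allow, reasons); allow is True only when reasons is empty."""
    reasons = []
    if req.device_fingerprint not in ENROLLED_DEVICES:
        reasons.append("device identity not enrolled")
    if not req.disk_encrypted:
        reasons.append("disk not encrypted")
    if req.patch_age_days > max_patch_age:
        reasons.append(f"patches older than {max_patch_age} days")
    for blob in req.running_binaries:
        digest = sha256_hex(blob)
        if digest not in APPROVED_BINARIES:
            # An unverified process on the endpoint fails the health check,
            # regardless of whether the device was trusted yesterday.
            reasons.append(f"unapproved executable {digest[:12]}")
    if not req.user_mfa:
        reasons.append("user did not complete MFA")
    # req.on_corporate_lan is deliberately ignored: location confers no trust.
    return (not reasons, reasons)
```

A request from the corporate LAN with an unapproved executable running is denied exactly as it would be from an untrusted network, which is the point of the model.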