In the wake of last week’s ransomware attack on Lincolnshire County Council, Des Ward looks how public bodies should respond.
The reports of a cyber attack against Lincolnshire County Council over the past week have highlighted a technique used to encrypt data on a computer and then demand payment to unlock it again. This isn’t the first high-profile use of this technique within the public sector; MP Chi Onwurah had her parliamentary account affected in late 2015.
The impact of these attacks are often discounted and the value demanded often determines the seriousness; but, with 300 systems affected in Lincolnshire County Council and their frontline services having to resort to paper, the impact can be far beyond the money demanded.
Unfortunately, it is becoming increasingly common for criminals to use this technique, commonly called ‘ransomware’. So, what can you do to prevent your organisation becoming the next extortion victim?
The rise of ransomware
Ransomware has been a technique by criminals since 2006, but it has gained popularity through the existence of software that automates the process to the extent that very little skill is required to execute the attack at all.
Ransomware is often deployed using malware that exploits a weakness in the application or operating system software on a device to install, run and encrypt the files.
Mitigating against ransomware
It would, therefore, be logical to assume that a good anti-malware solution can be used to detect these attacks and prevent against them; but as the Lincolnshire Country Council example shows, their protection software didn’t pick it up. This is likely to have been because malware is fighting a constant battle to bypass the signatures within the anti-virus software installed within organisations. So what can you do about this to reduce both the likelihood and impact of this happening?
Make sure that you deploy patches and updates to software regularly, including application software. A good starting point is to subscribe to alerts and notifications from the vendors, although if you have a link to an advisory organisation (such as a WARP within the public sector) then this can be useful to understand when weaknesses are being exploited.
There is good guidance within the Public Services Network Code of Connection (PSN CoCo). Also, it is recommended that you agree timescales for application of patches with any suppliers you have.
Disable functionality that isn’t required
Some malware installs itself using features within applications (e.g. macros and Visual Basic) that you don’t require, at least for most users. Always ensure that software is configured in a manner that disables features that you don’t need.
It is also useful to set your email software to view plain-text by default as this highlights a lot of the spam emails (through the areas discussed below).
It’s also recommended to ensure that administrator accounts aren’t used for daily tasks, use normal user accounts instead and run another account for special tasks (this can prevent malware being installed in some cases).
Keep anti-malware updated
Of course, you should be looking to ensure that anti-malware software is kept updated, with attacks changing every day I’d always recommend looking to deploy signatures every 24 hours. That said, you need software that doesn’t just rely on signatures (i.e. matches against known attacks) but looks at what’s happening as well (also called heuristics). This approach will provide more effective protection.
You should also note that anti-malware will not provide long-term protection against unpatched weaknesses due to the nature of the changing techniques being used.
Ransomware usually requires someone to do something (i.e. click on a link or attachment), so it’s important to ensure that your users think about the email they have received.
Typically, there are tell-tale signs such as:
- the web address being wrong – hover over the link or right-click and view the source to see if the link matches the text in the email;
- the language used in the email being incorrect, with spelling mistakes;
- information that you would usually expect in the email being said to be in an attachment;
- the email coming from someone you haven’t heard of;
- the email demanding that something happens urgently.
More guidance is available on Get Safe Online.
Have a good business continuity strategy
It’s tempting to treat this as a solely technical issue, yet it is easier to ensure that you have a sound, tested business continuity plan that caters for your business when you don’t have access to systems or data.
This plan should identify how much data you can lose access to before it presents an issue to the business processes, which should ensure that you backup information that is critical to maintaining your operations.
Testing this plan is crucial to ensure that you can get it back when required to maintain delivery of services, which is a legal obligation under the Civil Contingencies Act 2004 for both the public sector and its suppliers.
Des Ward is director and Information Governance specialist at public sector supplier body Innopsis