Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: professional services firms are now ransomware’s #1 target, another survey confirms that remote working is here to stay, and why good is better than perfect when designing security controls
This week’s action: Remote Desktop Protocol (RDP): Search for it in your firm, and remove or protect it.
THREE ARTICLES
- Professional services firms are the #1 target for ransomware gangs.
Coveware’s ransomware report for Q1 2021 points out the increasing number of professional services firms getting attacked by ransomware. They were victims in almost 25% of attacks in Q1 2021. Law firms in particularly seem to be an increasing cohort. It suggests a number of reasons for this: A law firm will maximise profit distribution to partners and thus reduce the investment available for cybersecurity defences; And a law firm’s clients may not be particularly large, so they may not demand evidence of the firm’s security measures in the way a larger, more sophisticated client would. As a result, “there is minimal internal or external market pressure to prioritise cyber security”.
Read more: https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound [Thanks to Rob Allen at Threat Locker for sharing this article on LinkedIn].
- Ransomware works because it takes advantage of our emotions
“Ransomware attacks are effective because they prey on one thing technology cannot protect: emotions. [..] Invoking emotions that drive people to react right away [..] are critical. [..] You can still be a victim if you stay cool, but keeping your cool allows you to respond and recover better. [..] These attackers [also] prey on the fear of loss. [..] A malicious actor can [increase] the payoff of their ransomware attacks through extortion [..] The psychological evolution suddenly goes beyond the fear of loss. Instead, you have the fear of embarrassment, as well. If you can’t be manipulated — via phishing, instant messages or some other vector , [..] you are in a good position to stop ransomware.”
Read more: https://securityintelligence.com/articles/ransomware-attacks-2021-information-meets-emotion/ via https://securethevillage.org
- Managing risk through choices rather than edicts
I recently read an interview with the ex-CISO of Intel, Malcom Harkins, on how those responsible for information security or risk management need to understand their role as ‘architects of choice’. From his perspective, he thinks it’s important to recognise that we do not have full control (but no-one does). While some decisions are ours to make, others can only be influenced in the right direction. It’s also important to recognise that security control is an illusion if the controls are so restrictive that people will just find ways around them. It will result in the firm still being exposed to the risk but also now having pain-in-the-ass controls that an auditor will beat us over the head with. In my experience, it’s always a struggle for the information security / risk manager to step back from insisting on the perfect control. But there is a clear need to focus instead on pragmatic controls that will actually be effective in the real world. Good is better than perfect: Perfect takes too long and is probably impossible to implement. [Bonus: The Kindle version of Malcom’s book seems to be free at the moment on Amazon.]
Read more: https://www.raincapital.vc/blog/2020/8/13/the-ciso-as-a-choice-architect-a-conversation-with-malcolm-harkins via https://securethevillage.org
TWO STATISTICS
- 34%: In a survey of 250 Irish companies, only 34% expect staff to work in the office full-time in future. 22% expect staff to work remotely on a permanent basis. The final 44% expect a hybrid of office and remote work (with the vast majority of these expecting remote work at least 2 days per week). Key point: To reiterate what many others have been saying for months, remote working and remote access are here to stay. If your security strategy assumes your data, systems and people are in your controlled office environments, or if you regard Covid-related remote working as a temporary blip, you need to rethink your strategy.
(Reference: https://www.rte.ie/news/business/2021/0302/1200292-34-will-return-to-office-full-time-post-pandemic/ via https://irelandtogether.ie/ ) - 68.1%: 68.1% of ransomware victims in Q1 2021 were firms with 11 – 1,000 employees. Half of these firms had no more than 100 employees. “Ransomware attacks still disproportionately affect small businesses. These small companies rarely end up in the headlines and often don’t have the financial or technical expertise to properly handle the incident OR perform the proper remediation required to prevent a repeat attack.”
(Reference: https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound )
ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.
- Ask about RDP in your firm: While phishing emails continue to be a primary means for cybercriminals to get into an organisation, access via RDP (Remote Desktop Protocol) is also very common. According to the Coveware report that I referenced earlier, it was the most common access path used in ransomware attacks during Q1 2021. RDP has been used since the 1990’s as a way to access systems remotely. It was a very common way for IT MSPs to support a large number of clients remotely. There are more secure ways to do this now, but many of these RDP ‘doorways’ remain open to attack. You need to ensure there are no such doorways in your firm. Coveware have more advice about what RDP is, and how to secure it: https://www.coveware.com/blog/dont-become-a-ransomware-target-secure-rdp. TL; DR: It is no shock to reveal that Two Factor Authentication is one of the recommended defensive measures.