Jun 22 2020

How Agencies Can Cope Amid a Perfect Storm for Ransomware Attacks

Comprehensive disaster recovery and business continuity architectures can help assess the risks and potential threats.

Malicious hackers are almost always on the prowl and constantly searching for their next ransomware victim. Unfortunately, the global health crisis did not change this. In fact, it may have made the situation worse. 

As many federal agencies and public sector organizations moved quickly to a remote work model, the number of entry points for potential attacks increased. 

Despite this nearly perfect storm, the public sector cannot endure downtime — especially when it impacts essential services on which citizens rely. With the rapid evolution and proliferation of ransomware attacks, it’s becoming increasingly important for federal agencies and public sector organizations to take modern approaches to stay one step ahead of the bad guys.

Risk Factors That Make Federal Agencies Bigger Targets

There are a number of risk factors for a ransomware attack against federal agencies and public sector organizations, including the following:

  • Lack of education and training: Many ransomware attacks begin with phishing or human errors. Properly training your workers so they know what to look for can prevent employees and their organizations from unknowingly allowing an attacker to gain access.
  • Sprawling and complex infrastructure: Organizations with increasingly intricate infrastructure will continue to be targeted if they don’t adequately manage and track their infrastructure. Scanning backup systems as well as production data for exposures, permissions and configuration issues must be a key pillar of any organization’s data protection strategy. 
  • Lax security policies: Just one slip can lead to an attack and cause chaos. Organizations and teams should never click on unverified links, open untrusted email attachments, give out personal data or use unfamiliar USB drives. They should also download only from sites that are trusted and use a VPN when connected to public Wi-Fi.


A Viable Recovery Option Is Not Paying the Ransom

The FBI has said it doesn't advocate paying a ransom in ransomware attacks, in part because it doesn’t guarantee the organization will regain access to its data. In fact, most organizations refuse to pay, but if they don’t have the processes and capabilities in place to fully recover their data, an attack can cripple essential services and force an organization to resort to manual operation for days, weeks and possibly even months. 

The effects of such disruptions could have even greater implications during a time when more people across the country depend on these services.

To minimize damage, organizations should implement a predefined workflow so everyone knows their roles and responsibilities in the event of an attack. This allows teams to react quickly and in a coordinated manner. 

Comprehensive disaster recovery and business continuity architectures can help assess the risks and potential threats. With a thorough plan in place, government agencies can continue operations and protect and retain pertinent information. This typically involves a three-pronged approach:

Prevent: Key preventative measures include time-based immutable snapshots of backup data, multifactor authentication and the ability for security officers to “lock” copies of backup data so that even other internal staff members can’t modify or delete them. This sort of data isolation provides an additional layer of defense against ransomware.

Detect: If an attacker does manage to wreak havoc, sounding the alarm as quickly as possible is vital. Backup solutions should employ anomaly detection technology powered by machine learning in order to determine when the breached file’s data-change rate breaks its usual patterns. If and when this happens, an alert should go out to the IT administrator as well as a third-party support team to help contain the attack.

Recover: A rapid recovery plan should use recommendations driven by machine learning to identify which clean data to recover and provide the ability to restore at scale, both on-premises and across multicloud environments. All of these measures can play a critical role in minimizing the damage caused by a ransomware attack.
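
A small sketch of the Detect and Recover steps above, added here as an illustration and not taken from any backup product: it swaps the machine-learning model for a median/MAD baseline over one backup job's change rate, then picks the newest snapshot taken before the first anomaly as the restore candidate. The snapshot IDs, sizes, window and threshold are constructed assumptions.

```python
from statistics import median

# Constructed sample: (snapshot_id, gb_changed, gb_total) for one hypothetical nightly job.
SNAPSHOTS = [
    ("snap-01", 2.1, 100.0), ("snap-02", 1.8, 100.2), ("snap-03", 2.4, 100.5),
    ("snap-04", 2.0, 100.9), ("snap-05", 1.9, 101.0), ("snap-06", 2.6, 101.4),
    ("snap-07", 2.2, 101.6), ("snap-08", 2.3, 101.9),
    ("snap-09", 61.0, 102.0),   # mass rewrite, e.g. files being encrypted
    ("snap-10", 84.5, 102.1),
]

def robust_z(value, history, min_scale=0.005):
    """Distance of value from the history median, in MAD-based standard deviations."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    # Floor the scale so a very flat history does not alert on tiny wobbles.
    return (value - med) / max(1.4826 * mad, min_scale)

def flag_anomalies(snapshots, window=7, threshold=6.0):
    """Return [(snapshot_id, change_rate, z)] for snapshots that break the baseline."""
    history, flagged = [], []
    for sid, changed, total in snapshots:
        rate = changed / total if total else 0.0
        if len(history) >= window:   # no verdict until a baseline exists
            z = robust_z(rate, history[-window:])
            if z > threshold:
                flagged.append((sid, round(rate, 3), round(z, 1)))
                continue             # keep anomalous rates out of the baseline
        history.append(rate)
    return flagged

def restore_candidate(snapshots, **kwargs):
    """Newest snapshot taken before the first anomaly; later ones are all suspect."""
    flagged = flag_anomalies(snapshots, **kwargs)
    ids = [sid for sid, _, _ in snapshots]
    if not flagged:
        return ids[-1] if ids else None
    return ids[ids.index(flagged[0][0]) - 1]

if __name__ == "__main__":
    for sid, rate, z in flag_anomalies(SNAPSHOTS):
        print(f"ALERT {sid}: change rate {rate:.1%} (robust z = {z})")
    print("restore from:", restore_candidate(SNAPSHOTS))
```

A change rate that stays under the threshold will not trip this check, so a baseline like this complements the immutable copies described under Prevent rather than replacing them.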


How to Restore Systems Without Compromising Data

Organizations should have backup solutions that can limit the damage from cyberthreats, even after an attacker has gained access, such as an immutable file system and WORM (write once, read many) storage. These measures are key to bringing organizations back online as quickly as possible. 

With organizations and teams working on a more distributed basis during the coronavirus crisis, ransomware will continue to be a top security threat. Federal agencies store huge amounts of sensitive data, which makes them a major target for attackers. And the stakes are high, considering economies and vital public services are tied to the ability to access data. 

If a cybercriminal is able to block access to massive amounts of data generated, collected and owned by government agencies, it could disrupt all citizen-facing services — the effects of which would be felt now more than ever.
