The most notorious threats today are defined by the ransomware epidemic. Despite the best efforts of security technologies, new ransomware variants continue to evade firewall and antivirus defenses. While federal agencies have largely survived these attacks after implementing policies and systems to prevent infections and to communicate about vulnerabilities, they aren’t impenetrable, and there’s still more to be done to protect their data.
Federal agencies (and other organizations) are continually advised to include thorough plans for data backup and restoration as a component of anti-ransomware strategies, in addition to provisions that rapidly keep software patched and antivirus definitions updated.
Still, many agencies face a real question of whether restoring their critical data is worth the ransom payment. Government agencies and security professionals continue to advise against paying ransom, as a disincentive to malware authors. However, some agencies, under extreme pressure as the clock ticks down and with data restoration uncertain, will opt to pay. Readiness in dealing with a ransomware infection generally determines how an agency under attack responds.
Recently, the managers of Mecklenburg County, North Carolina, refused to pay a $23,000 ransom demanded after a ransomware infection that impacted systems for the county’s tax assessor’s office, Social Services Department and Department of Parks and Recreation. Mecklenburg is also home to Charlotte, North Carolina’s most populous city. The county manager expressed confidence in his ability to restore critical systems from backup — and refused to meet the attacker’s demands. According to an SC Magazine article on Dec. 12, 16 applications affecting the Department of Social Services, Criminal Justice Services, payroll processing and Public Health had been restored by the county’s IT department using backup files, yet “several county system still remain affected and the county does not know when all systems will be back online.”
On the other hand, in September, Montgomery County, Alabama, elected to pay a ransom of between $40,000 and $50,000 in the face of losing up to an estimated $5 million worth of data. County officials attempted to restore some systems but found the task too large to accomplish within the deadline stipulated by the ransomware intruders. The Montgomery County Commission chairman reportedly said, “You don’t think about these things till they happen.”
It is unclear from public reports how much damage was done — or averted — in the case of either county’s network, or what the state of their antivirus defenses was. Yet the infection occurred, and a decision had to be made based on each county’s knowledge of its ability to respond.
In both cases, a data backup process existed. However, confidence in the ability to restore adequately differed greatly. One can only imagine that in each case the decision to pay or refuse the ransom was not made easily. There is no guarantee that a ransom payment will result in the restoration of data.
One critical lesson comes out of these episodes. Everyone needs to think about worst-case incidents — and conduct regular audits and testing to see if backup systems can restore critical data, including the most recent data.
Now is the time to think about these things.
To prepare a comprehensive response to a ransomware infection, every organization must start by assessing what data it has, where that data is stored and how critical its loss would be.
As we know, much of this was mandated for federal agencies in 2015 under President Barack Obama with the Cybersecurity Strategy and Implementation Plan (CSIP) following the Office of Personnel Management (OPM) data breach, which still stands as one of the largest federal data breaches ever reported.
For larger agencies, managing this data can be an enormous task. If critical data is stored in too many locations, it is time to reorganize, consolidating where possible and reducing the footprint, which will make restoration easier.
Once a data inventory is made, it is easier to plan a backup strategy. Some data may need more frequent backups than other data. An assessment of the value of your data, if lost, will help determine the frequency of backups. Your backups should be automated and stored separately from your network so they are not lost along with it — typically in an off-site location.
But that’s not enough. After you’ve backed up your data, test your data restoration with a detailed procedure so that when emergencies occur, there is reduced time for uncertainty or guesswork.
Lastly, monitor your backups and other security logs to ensure your backup automation process isn’t compromised. Even the most well-planned backup strategy and testing can be broken by unexpected means. For example, as recently described by a security researcher on Twitter (@VessOnSecurity), a well-organized data backup process was broken by an antivirus false positive, which deleted the automation script performing a database backup. The result of this unnoticed, uncorrelated security alert was that a month of data backups was lost. An otherwise effective backup plan was thwarted by a deleted script.
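The three practices above (backup frequency driven by data criticality, a scripted test restore, and monitoring that catches a silently broken backup job) can be turned into routine checks. The following is an added Python example, not code from the article or its author: the criticality tiers and their recovery-point objectives, the file layout and the sample payroll and tax files are all constructed assumptions, and `backup.sh` is a stand-in for whatever job actually performs the backup. It archives a directory with a SHA-256 manifest, checks whether the newest backup is within the tier’s allowed age, restores into a scratch directory and compares every file against the manifest, and flags the failure mode in the tweet: the backup script itself disappearing.

```python
"""Backup readiness checks: freshness per criticality tier, a verified test
restore, and an integrity check on the backup job script itself.
All sample data and paths are constructed inline so this runs offline."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

# Assumed recovery-point objectives per criticality tier, in seconds.
# Tier names and values are illustrative, not from the article.
RPO_BY_TIER = {"critical": 3600, "important": 86400, "routine": 7 * 86400}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, backup_dir):
    """Archive source_dir and write a manifest of per-file SHA-256 hashes."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    archive = backup_dir / f"backup-{int(time.time())}.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest_path = Path(str(archive) + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def check_freshness(backup_dir, tier, now=None):
    """Return (ok, age_seconds) for the newest archive against the tier's RPO.
    No backup at all is reported as (False, None): a missing backup is a finding."""
    now = time.time() if now is None else now
    backup_dir = Path(backup_dir)
    if not backup_dir.is_dir():
        return False, None
    archives = list(backup_dir.glob("backup-*.tar.gz"))
    if not archives:
        return False, None
    newest = max(archives, key=lambda p: p.stat().st_mtime)
    age = now - newest.stat().st_mtime
    return age <= RPO_BY_TIER[tier], age


def verify_restore(archive, manifest_path):
    """Restore into a scratch directory and compare every file with the manifest.
    Returns (ok, list of missing or mismatched paths)."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe extraction filter where this Python version has it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        for rel, expected in manifest.items():
            p = Path(scratch) / rel
            if not p.is_file() or sha256_file(p) != expected:
                problems.append(rel)
    return not problems, problems


def audit_backup_job(script_path, expected_sha256):
    """Detect the backup script vanishing (e.g. quarantined by an antivirus
    false positive) or changing. Returns "ok", "missing" or "modified"."""
    p = Path(script_path)
    if not p.is_file():
        return "missing"
    return "ok" if sha256_file(p) == expected_sha256 else "modified"


def run_demo():
    """Build constructed sample data, back it up, run every check, return results."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        src, bak = root / "data", root / "backups"
        (src / "tax").mkdir(parents=True)
        bak.mkdir()
        (src / "payroll.csv").write_text("id,amount\n1,100\n")          # constructed
        (src / "tax" / "assessments.json").write_text('{"parcel": 1}')  # constructed
        script = root / "backup.sh"  # hypothetical backup job
        script.write_text("#!/bin/sh\n# constructed stand-in for the real backup job\n")
        script_hash = sha256_file(script)

        archive, manifest = create_backup(src, bak)
        fresh_now, _ = check_freshness(bak, "critical")
        stale_later, _ = check_freshness(bak, "critical", now=time.time() + 7200)
        restore_ok, problems = verify_restore(archive, manifest)

        # Simulate a corrupted file by recording a wrong hash in the manifest.
        tampered = json.loads(manifest.read_text())
        tampered["payroll.csv"] = "0" * 64
        manifest.write_text(json.dumps(tampered))
        tampered_ok, tampered_problems = verify_restore(archive, manifest)

        job_before = audit_backup_job(script, script_hash)
        script.unlink()  # simulate the antivirus quarantine from the tweet
        job_after = audit_backup_job(script, script_hash)
        return {"fresh_now": fresh_now, "stale_two_hours_later": stale_later,
                "restore_ok": restore_ok, "restore_problems": problems,
                "tampered_restore_ok": tampered_ok, "tampered_problems": tampered_problems,
                "job_before": job_before, "job_after": job_after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Each function returns a result rather than only logging it, so the same checks can feed an alerting pipeline: a `False` from `check_freshness`, any entry in the problem list from `verify_restore`, or anything other than `"ok"` from `audit_backup_job` is the correlated alert that was missing in the incident described above.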
Now is the time to inventory your data and plan a data recovery strategy before a ransomware infection disrupts your agency.
Patrick Knight is a senior director of cyber strategy and technology at Veriato.