To protect against ransomware, secure your entire web attack surface
Knowing and minimizing your web attack surface is critical to reduce the risk of ransomware attacks. This article runs through the main ransomware types and presents best practices for closing off attack avenues to malicious actors.
Your Information will be kept private.
Your Information will be kept private.
Key takeaways
- A successful ransomware attack can cripple an organization, bringing productivity to a halt while also harming its reputation and bottom line.
- The risk of a ransomware attack increases as the web attack surface increases – and for most organizations, the attack surface grows without anyone noticing.
- Steps that can help to prevent ransomware include running less code, monitoring network activity, and updating software and hardware regularly.
Ransomware is a type of malware in which an attacker gains access to a computer system, encrypts data, and demands a ransom payment to restore the victim’s access to their data. It’s an increasingly popular attack method: According to the latest IBM Cost of a Data Breach Report, ransomware made up 11% of all breaches in 2022, compared to less than 8% in 2021. It’s also hugely effective, as today’s organizations are exposing too much of their data to the outside world. Because data is the crucial bargaining chip, some attackers are now skipping the encryption step and simply threatening to leak sensitive information.
Let’s look at some general strategies to protect against ransomware and improve overall cybersecurity by reducing the attack surface that’s exposed on the web.
The main types of ransomware
There are several types of ransomware, each with varying levels of risk. Four common examples are described below.
- Crypto ransomware gains access to a computer or shared network, encrypts files, and demands a ransom payment in exchange for a decryption key.
- Leakware attacks gain access to data – often sensitive personal or corporate information – and threaten to expose it unless a ransom is paid. This makes it a greater risk than other forms of ransomware.
- A screen lock attack will block access to a computer or device unless a ransom is paid, but it usually doesn’t go to the level of targeting data directly.
- Distributed denial-of-service (DDoS) ransomware attacks, which aim to hit servers with enough connection requests to render them unusable, can be effective but require significant resources that many attackers don’t have.
The risk of ransomware
A ransomware attack can have serious operational consequences. When employees can’t access computers or networks, productivity grinds to a halt. In the case of organizations such as hospitals, human lives and well-being could be at stake. (A Ponemon Institute survey found that more than 60% of hospitals hit with ransomware attacks are forced to delay necessary medical procedures and tests.)
Ransomware also comes with a financial cost. IBM concluded that the average cost of detecting and mitigating a ransomware attack exceeds $4.5 million. The cost climbs above $5.1 million for organizations that don’t pay the ransom.
There’s also the reputational risk to consider. As a customer, would you want to do business with an organization that was hit with a ransomware attack? Would you trust them with your personal or financial information? Probably not.
The challenge of protecting against ransomware
One of the biggest reasons that today’s organizations are so susceptible to ransomware is the size of their web attack surface. The National Institute of Standards and Technology defines an attack surface as “the set of points on the boundary of a system (…) where an attacker can try to enter, cause an effect on, or extract data from that system.”
When it comes to ransomware, there are typically three attack surfaces:
- The digital attack surface, which is all the software connected to an organization’s network.
- The physical attack surface, which is all the endpoint devices that attackers can get their hands on
- The human attack surface targeted through social engineering, which consists of email phishing, physical security bypasses, and other tactics that exploit human nature as a way to gain access to off-limits systems and install malware
For a typical organization, the web attack surface only grows over time. Every time a new employee is granted access to a web application, a new device is used to log in to the app, a new plug-in or service is connected to the app, or a new sensor starts sharing data with the app, the attack surface grows.
Sometimes, IT and security teams can reduce the web attack surface by limiting which applications are used by which users. For example, most organizations have clear policies and procedures for determining access and privileges for new hires, or for approving the use of new web applications or cloud-based services company-wide.
In other cases, though, the attack surface grows without anyone knowing. An executive might use a personal phone or tablet to access corporate systems. A development team might move a production application to a different cloud service provider. A sales manager might install a plug-in for a customer relationship management app without getting IT approval first.
When this happens, the risk of a ransomware attack increases for two reasons. One is volume, as there are now more network endpoints to manage. The other is visibility, as these endpoints are furthest from the eyes and ears of the IT department. They’re unlikely to be behind the corporate firewall or protected by commonly used security tools such as antivirus software. On top of that, if one of these “invisible” endpoints is targeted in an attack, it could be weeks or even months before IT and security staff detect it – which will drive up mitigation costs.
Secure the web attack surface to minimize ransomware risk
One of the best ways to protect against ransomware is to shrink the web attack surface. This involves taking steps such as minimizing the number of exposed endpoints, securing network gateways, ensuring systems as well as access policies are up to date, and helping employees know what to look for. What’s more, the actions described below have the additional benefit of protecting against other types of cyberattacks as well, including those caused by human error, attacks on business partners, or IT failures.
Here are eight ransomware prevention best practices to consider for your organization.
- Harden authentication. Strong passwords should be the bare minimum. Single sign-on (SSO), multi-factor authentication (MFA), and zero-trust policies all help to ensure that only authorized accounts can access applications – and that they can only access exactly what they need.
- Eliminate complexity. Conduct a network audit and remove any software, hardware, or ports that are no longer in use or otherwise unnecessary. Do a similar audit of software applications to turn off unnecessary features or decommission unused software; these steps reduce the amount of code that’s running, which also reduces the number of potential entry points.
- Monitor network activity. This includes but isn’t limited to active domains, IP addresses, endpoints, and usage patterns. Vulnerability scanning and management tools play a key role here; as noted above, much of this activity may not be readily visible to IT teams.
- Segment your networks. Ransomware is most dangerous when an attacker can move laterally through an organization. By segmenting networks based on factors such as business role or sensitivity of data, an attack is easier to isolate, thereby preventing its spread. Beyond protecting against ransomware, this helps to improve an organization’s access controls.
- Update systems regularly. Well-known ransomware attacks such as Mamba, WannaCry, and REvil exploited unpatched software and operating system vulnerabilities. Staying up to date on software updates, as well as moving offline any hardware or software that can’t be updated, removes a common (and easy) entry point for attackers.
- Emphasize encryption. When data is encrypted, there’s very little that attackers can do with it. Strong encryption policies – for everything from email attachments to network traffic to application programming interfaces (APIs) – will protect data at rest, in storage, and in use. This won’t prevent ransomware outright, but it will prevent data from being exposed if attackers get their hands on it.
- Backup in the cloud. When an attack happens, it’s imperative for an organization to be able to resume normal operations while responding to the attack. A full, complete, and up-to-date backup of mission-critical data and systems in the cloud can help provide business continuity and hasten disaster recovery – and with any luck, avoid paying any ransom.
- Train employees. Educating employees about how to spot social engineering attacks or phishing emails plays an important role in preventing ransomware. Given the ever-changing threat landscape, training exercises should be updated frequently.
These steps are critical to prevent ransomware and improve an organization’s security posture – but they do not cover web application security. Considering the scale of modern web environments, the challenge of also securing all their websites and applications can be overwhelming to organizations that don’t know where to start.
Dynamic application security testing (DAST) is specifically designed to automatically locate, identify, and help remediate vulnerabilities in the websites and applications that make up a large part of your external attack surface. It enables organizations to close entry points that are unnecessary or otherwise vulnerable, shrinking their overall attack surface – and reducing the risk of a crippling ransomware attack.