On June 2nd, Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, released a memo with the subject: "What We Urge You To Do To Protect Against The Threat of Ransomware."
The most important aspect of the memo, and in our opinion one deserving of its own bullet, was the following sentence in the last paragraph of the first page:
"To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations."
The memo proceeds to detail classifications of mitigating controls (read: tools) that the White House "urges" everyone to utilize. Are these tools helpful, useful, necessary? In most cases yes, but only when they support the objectives of the organization's security strategy and its overall business strategy.
Recommending the deployment of tools as the first step to address potential security gaps is just bad advice.
Let's use a pirate analogy for a moment, shall we?
You have a shovel (a.k.a. a tool) and a desire to find buried treasure. With shovel in hand, you start digging holes in your backyard. Will you find a treasure by digging random holes all over the place? Sure, maybe. Would the likelihood of finding the treasure increase significantly if you had a map (a.k.a. directions on how to get to the treasure)? Undeniably.
Without an effective security strategy that mirrors the overall business strategy, you're simply spending money in the hopes that things work out for the best.
The memo isn't all bad, however. After the initial "throw money at the problem and buy 5 widgets" suggestion, we actually see some useful advice in the form of:
- Back up your data, system images, and configurations, regularly test them, and keep the backups offline,
- Update and patch systems promptly,
- Test your incident response plan,
- Check your security team's work (a.k.a. penetration testing), and
- Segment your networks.
The above suggestions mirror the ones we frequently communicate during our penetration tests, configuration reviews, risk assessments, and red and purple team engagements.
If you really want to protect your organization from ransomware and ransomware-like threats, the first step is to have that difficult conversation with your executive team. If that's something you feel you're not ready to do on your own, please do not hesitate to reach out to Lares. We have decades of experience articulating complex technical topics for an executive or board-level audience.
If you've already taken the first step of having "the talk" with leadership and want to identify the potentially exploitable gaps in your security program or architecture, we can help with our penetration testing, configuration review, and red teaming services.
Even further down the road and feeling confident in your security capabilities? Now might be the ideal time to test and measure the effectiveness of your deployed controls, situational awareness, and response capabilities with Lares' purple teaming services or facilitated tabletop exercises.
Regardless of where your organization is in its security program and maturity journey, Lares is here to help you succeed. Please do not hesitate to reach out to us via phone or email. We'd love to talk to you!
Andrew Hay is the COO at Lares and is a veteran cybersecurity executive, strategist, industry analyst, data scientist, threat and vulnerability researcher, and international public speaker with close to 25 years of cybersecurity experience across multiple domains. He prides himself on his ability to execute the security strategy of the company with which he works without neglecting business objectives and the needs of its customers. Andrew is the author of multiple books on advanced security topics and is frequently approached to provide expert commentary on industry developments. He has been featured in publications such as Forbes, Bloomberg, Wired, USA Today, and CSO Magazine.