CISA Releases Ransomware Readiness Assessment for Businesses
By Collin Connors, ERMProtect IT Security Consultant
The Cybersecurity and Infrastructure Security Agency (CISA) recently released a Ransomware Readiness Assessment (RRA) to help businesses evaluate their IT Security environment. The controls tested in this assessment are based on industry best practices such as NIST SP800 and CIS controls. The self-assessment breaks preventing ransomware into ten functions:
- Robust Data Backup
- Web Browser Management and DNS Filtering
- Phishing Prevention and Awareness
- Network Perimeter Monitoring
- Asset Management
- Patch and Update Management
- User and Access Management
- Application Integrity and Allow list
- Incident Response
- Risk Management
The Stages of Readiness
Within each function, the RRA defines three stages of readiness: Basic, Intermediate, and Advanced. These stages are used as a guide to show organizations where they are deficient and prioritize steps to prevent ransomware. Organizations should first strive to meet all the basic requirements before moving on to intermediate and advanced needs. In total, there are 48 suggested controls for organizations to meet.
Secure & Test Backups
The first function organizations should try to meet is the Robust Data Backup function. If an organization is hit with ransomware, it must have backups of its data. With backups, an organization can restore its data and ignore the ransom. The RRA suggests, as a basic control, backing up data daily to an offsite location and keeping each backup for at least 30 days.
While backups are critical to responding to ransomware, the backups are no good if they are not tested regularly. The RRA suggests as a basic control testing the backups annually. To test a backup, organizations should attempt to restore the backup to a test server and ensure that all of the data is transferred correctly.
Secure Web Browser & DNS
The second function defined is Web Browser Management and DNS Filtering. This function focuses on preventing ransomware from getting into machines. One of the most critical steps to avoid ransomware is using automated tools to filter the DNS, the domain name server which converts human-readable domains into IP addresses used by servers. These tools analyze web traffic within your organization and block any connections with sites that are known to be malicious. On top of this, all users should configure their web browser (Chrome, Firefox, etc.) settings to ensure the maximum amount of security. It only takes one misconfigured device to let hackers install ransomware.
Stop Social Engineering
The next line of defense involves protecting users from social engineering – tactics that hackers use to trick people into clicking on malicious links or taking other actions that expose sensitive data. Even with the best technical measures in place, an uninformed user could fall victim to a phishing scam, compromising the whole network. As a basic control, all users should receive training in how to spot and avoid phishing and other types of social engineering attacks. Even with well-trained users, it is possible that someone accidentally falls for a phishing scam. To reduce this risk, the RRA suggests using automated tools to filter email content. This will prevent most phishing emails from even reaching a user’s inbox.
To ensure the security response team is ready, the RRA suggests, as a basic control, performing an annual tabletop phishing exercise. During this exercise, the Incident Response team can practice going through the incident response plan without the pressure of an actual attack.
Monitor the Network
The next function, Network Perimeter Monitoring, watches network traffic for malicious content so that the Incident Response team can quickly detect threats and respond appropriately. At a basic level, organizations should deploy tools to monitor their perimeter network traffic, so that a ransomware attack is detected in real-time, permitting a fast response. After meeting these basic requirements, organizations should look to also monitor their interior network traffic. Additionally, organizations should ensure that their networks are properly segmented to protect mission-critical assets. This involves keeping sensitive data separate from the main network that is used for business operations. Finally, as an advanced control, organizations should establish a baseline of network activity to identify anomalous activity.
Map and Manage Assets
While it is essential to put controls in place to protect IT infrastructure, these controls are only adequate if an organization is aware of all its assets, a function the RRA calls Asset Management. At the most basic level, organizations should maintain an inventory of all their software and hardware assets. As part of doing this inventory, organizations should remove unsupported hardware and software from their environment. These assets tend to be the most vulnerable and can allow hackers easy access to the network.
After meeting these basic requirements, organizations should continuously monitor for rouge hardware or hardware that is not listed in the inventory. This hardware could be a malicious device that allows hackers entry. As an advanced control, organizations should take immediate steps to remove any rouge hardware from their environment.
The second aspect of Asset Management is maintaining the configurations and settings of all software assets. At a basic level, organizations should ensure that all their configurations are well-documented and meet best practice security standards. After completing the basic security standards, organizations should maintain a copy of the current best practice configurations for all their hardware and software assets. As a final advanced control, organizations must ensure their configurations are created using security hardening guidelines.
Maintain & Update Patches
The next function, Patch and Update Management, helps organizations keep their systems up to date. An unpatched system creates an easy entry point for hackers and can quickly lead to ransomware. At a basic level, all organizations should ensure that any public-facing software has all critical patches applied within 15 days of the patch release. Likewise, all internal-facing software should have critical patches applied within 30 days of the patch release. After meeting these basic requirements, organizations should ensure that all firewalls are patched within 15 days of critical patches being released. Finally, organizations should patch all software and firewalls within three days of a critical patch being released to reach the advanced stage.
Control & Monitor Access
A key strategy in preventing ransomware is ensuring only authorized personnel has access to systems. For starters, there must be strong password requirements on all software. Next, organizations should enforce two-factor authentication on all privileged systems, meaning users need, for example, a password and security token to gain access. To move to the advanced stage, organizations should implement two-factor authentication not just on privileged systems but on all their software accounts.
While strong passwords can prevent unauthorized actors, it is also essential to manage user permissions so that legitimate users cannot access systems outside of the scope of their job responsibilities. Organizations should follow the “principle of least privilege” or giving users the minimum access required to do their jobs. After creating a policy to enforce the principle of least privilege, organizations should implement the policy using technology, for example, setting up restricted groups in an Active Directory environment. To ensure that this policy is met, organizations should monitor the audit logs of any privileged system.
Restrict Software Usage
The Application Integrity and Allow List function requires organizations to limit what software is allowed. To meet the basic stage, organizations should ensure that they enforce a blacklist of known harmful software. After creating the blacklist, organizations should enhance this control by allowing only the use of software that is approved by the organization.
Plan for the Worst
Even with all the previous controls in place, organizations could still be hacked. Therefore, the organization must develop an incident response plan in the event of a breach. This plan should include steps to escalate incidents to the appropriate stakeholders. Along with the incident response plan, organizations should have a disaster recovery plan to recover quickly when a disaster happens. To ensure that these plans are sufficient, organizations should perform annual tabletop exercises to test them. To move to the intermediate stage, organizations should perform the tabletop exercises at least twice a year. Likewise, organizations should test physical incident response at least once a year. To move to the intermediate stage, organizations should perform physical incident response tests at least twice a year.
Maintain Redundant Systems
If an incident were to happen, having redundant systems in place can help an organization quickly recover. As a basic control, organizations should have redundant systems for all their critical assets. To move to the advanced stage, organizations should have redundant systems and data for all their assets.
The final function is Risk Management. There will always be some amount of risk to any organization. Thus, it is vital to understand the specific risks posed to the organization by performing a business impact assessment. Next, organizations should define their risk criteria and tolerances. To move to the advanced stage, organizations should consider risk and exposure between interconnected systems. Lastly, organizations should regularly apply quantitative risk analysis to their remediation activities.
To completely understand your organization's Ransomware Readiness, you can take the Ransomware Readiness Assessment here. This self-assessment will allow users to examine their readiness in all of the functions listed above. After finishing the assessment, the tool will generate a report so that your organization can understand how prepared it is for a ransomware attack.
Get a curated briefing of the week's biggest cyber news every Friday.
Turn your employees into a human firewall with our innovative Security Awareness Training.
Our e-learning modules take the boring out of security training.