Several news outlets have recently reported that over the past month, the City of Atlanta has been struggling with a ransomware attack – specifically, an attack by SamSam ransomware, which encrypts data and holds the decryption keys for a cryptocurrency ransom. The City of Atlanta opted not to pay the roughly $50,000 ransom and instead is expected to spend more than $2.5 million on recovery advisory and incident response efforts. Even after this significant spend with third-party service providers to help restore the environment, the ransomware attack appears to still be unresolved.
West Monroe led the incident response and remediation efforts after a very similar cyberattack at a mortgage company prior to the 2017 holidays – an unsecured server that was exposed to the internet was compromised and used as an entry point for an attack; the attackers then gained credentials for a domain administrator account, which allowed them to destroy backups and encrypt user data environment-wide. In this case, the ransom was for 4 Bitcoins, or roughly $80,000 at the time.
As with the City of Atlanta attack, the cost of remediating the breach at the mortgage company was well in excess of the ransom. Even so, both organizations decided against paying the ransom because payment was no guarantee that the right decryption keys would be handed over. More importantly, payment wouldn’t ensure that additional weaknesses in the environment wouldn’t be exploited later, or prevent the organization from being seen as an “easy target” for future attacks.
While it’s impossible to completely protect an organization against all cybersecurity threats and attacks, there are steps that can be taken to reduce an organization’s risk. With both the City of Atlanta and WMP’s client, pre-emptively investing a portion of those remediation costs in security projects could have helped prevent the attack in the first place, or at least reduced the impact of the attack.
A crucial first step in developing a mature security strategy is understanding the threats that a specific organization faces. This helps organizations identify and prioritize security investments, and also stresses the need for a defense-in-depth security approach. Once the threats have been identified, it is important to mitigate those risks proactively, as being reactive is often more costly from both a financial and a reputational perspective. Implementing proactive security controls not only reduces the risk to an organization, it also allows organizations to budget for security investments in a prioritized manner instead of scrambling to obtain funding to recover from a breach.
There are a number of ways for an organization to improve its security posture and, more importantly, maintain a secure environment over time. For example, identifying a security and compliance “owner” and putting an overall security program steering committee in place enables a leadership role to drive strong governance, and allows IT and business stakeholders to have a voice in the process. Once the leader and steering committee are in place, identifying a framework such as the NIST Cybersecurity Framework against which to benchmark can provide an easy-to-understand view of potential weaknesses, and act as a method to focus efforts on both protection and incident recovery. Finally, security assessments should be performed on a routine cadence, and at least annually. Security threats change constantly; executing point-in-time projects to mitigate only the current risks is not enough in today’s evolving threat landscape.
Beyond security controls, there are tactical proactive projects that can be undertaken to reduce risk. In the scenario where West Monroe led remediation, segmenting server networks from workstation networks could have prevented the attackers from pivoting from the compromised web server and gaining access to workstations and the valuable user data they contained. Credential management protections, such as restricting local administrator privileges for end users, separating privileged and non-privileged credentials, and implementing tools to enforce credential rotation and auditing, can also reduce the potential for a compromised credential to damage the environment.
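The credential management checks described above (rotation, separation of privileged from non-privileged credentials, and restricting local administrator rights for end users) can be turned into a repeatable audit. The script below is an added example, not code from West Monroe or from either incident; it assumes a directory export shaped like the `Account` records shown, and the account data, hostnames and the 90-day rotation threshold are constructed for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: these directory groups are treated as holding domain-wide privilege.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
# Assumption: rotation policy for privileged credentials, in days.
MAX_PRIVILEGED_PASSWORD_AGE = 90


@dataclass(frozen=True)
class Account:
    """One row of a (hypothetical) directory export."""
    name: str
    groups: frozenset[str]
    password_last_set: date
    local_admin_on: frozenset[str]           # hosts where the account is in local Administrators
    interactive_logon_hosts: frozenset[str]  # hosts with recent console/RDP logons by this account


@dataclass(frozen=True)
class Finding:
    account: str
    rule: str
    detail: str


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def audit(accounts: list[Account], workstations: set[str], today: date) -> list[Finding]:
    """Apply the three checks: credential rotation, privilege separation, least privilege."""
    findings: list[Finding] = []
    for a in accounts:
        # Rotation: privileged passwords older than policy must be changed.
        age = (today - a.password_last_set).days
        if is_privileged(a) and age > MAX_PRIVILEGED_PASSWORD_AGE:
            findings.append(Finding(a.name, "stale-privileged-password",
                                    f"password age {age} days exceeds {MAX_PRIVILEGED_PASSWORD_AGE}"))
        # Separation: a privileged account logging on interactively to a workstation leaves
        # reusable credential material on a machine in the least-trusted tier.
        ws_logons = a.interactive_logon_hosts & workstations
        if is_privileged(a) and ws_logons:
            findings.append(Finding(a.name, "privileged-logon-on-workstation",
                                    f"interactive logon on {sorted(ws_logons)}"))
        # Least privilege: ordinary end users should not hold local administrator rights.
        if not is_privileged(a) and a.local_admin_on:
            findings.append(Finding(a.name, "end-user-local-admin",
                                    f"local Administrators member on {sorted(a.local_admin_on)}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick posture dashboard."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def sample_accounts(today: date) -> list[Account]:
    """Constructed export: four accounts, two of them with hygiene problems."""
    ago = lambda days: today - timedelta(days=days)
    return [
        Account("da-jsmith", frozenset({"Domain Admins"}), ago(200),
                frozenset(), frozenset({"WS-0142"})),
        Account("jsmith", frozenset({"Domain Users"}), ago(30),
                frozenset({"WS-0142"}), frozenset({"WS-0142"})),
        Account("svc-backup", frozenset({"Domain Admins"}), ago(10),
                frozenset({"SRV-BKP01"}), frozenset({"SRV-BKP01"})),
        Account("da-ops", frozenset({"Enterprise Admins"}), ago(30),
                frozenset(), frozenset({"SRV-DC01"})),
    ]


SAMPLE_WORKSTATIONS = {"WS-0142", "WS-0301"}  # constructed workstation inventory


def run_sample(today: date = date(2018, 4, 1)) -> list[Finding]:
    return audit(sample_accounts(today), SAMPLE_WORKSTATIONS, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.account:12} {f.rule:32} {f.detail}")
    print(summarize(run_sample()))
```

In a real deployment the `Account` rows would be populated from the directory (group membership and password-last-set timestamps) joined with local group membership and logon data collected from endpoints; the rules stay the same, and the per-rule counts from `summarize` give a metric that can be tracked across the routine assessments recommended above.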
Despite implementing security controls to protect your organization, the reality is that security incidents will still occur. Because of this, establishing a cybersecurity incident response plan is crucial. A formal plan can help you respond to incidents quickly and effectively, while minimizing the impact of the breach and the disruption to your organization. It’s important to test this plan on a regular basis to ensure that key stakeholders, both internal and external, are identified and aware of their roles and responsibilities, and that communication and escalation paths are defined and streamlined.
Does your organization have controls in place to help limit the likelihood and impact of a breach? Consider whether there are security risks that could be addressed now to minimize the impact of, or even prevent a potential future attack. West Monroe Partners assists firms across a variety of industries to assess, understand, and improve their security posture, and also provides ongoing advisory in the form of a virtual Chief Information Security Officer – contact us to see how we can help.