© 2022 NPR Illinois
Stand with the Facts
Play Live Radio
Next Up:
0:00
0:00
Available On Air Stations
Community Voices

Cyber hygiene tips to prevent data ransoming from negotiator Kurtis Minder | Community Voices

Kurtis-Minder-headshot
GroupSense.io
Kurtis Minder

Originally aired March 3, 2022.

Chatham native Kurtis Minder started out in Springfield tech during the 90s. He is now one of the top ransomware negotiators in the world with and chief executive officer of GroupSense.

Kurtis will be in Springfield April 7, 2022 for an Innovate Springfield dialogue event.

Below are the cyber hygiene tips Kurtis mentions that can be taken to reduce the risk of being a victim of ransomware:

PATCH YOUR SYSTEM
Just do it.

PASSWORD POLICY
Maintain and publish a password policy for your organization. The policy should illustrate the importance of password security and credential use in the organization. One of the most common points of entry for an attacker is credential re-use or stuffing, often leveraging breach data or stolen credentials from a third-party. This happens when corporate staff use their corporate email for a third party non-business related (or business related) site and that site gets compromised. Matters are made worse when they use the same or similar passwords that they use for corporate access. Use a credential monitoring service (also referred to as Account Takeover Protection, ATO) to determine if/when your staff does this and are affected by one of these third-party breaches. Then reset their password internally and send them an official notification of policy violation.

USE A PASSWORD MANAGER
Use an enterprise-friendly password manager and require employees to use this as part of the security program. Most password manager programs offer a corporate license which allows you to provision and deprovision users centrally. They also allow you to manage policy around the frequency of password forced resets and password complexity.

ENABLE MULTI-FACTOR AUTHENTICATION EVERYWHERE POSSIBLE
Enable the 2FA or MFA capability on everything used in the business. This includes email, network access, remote access, and any web-based applications. You may or *should* choose to evaluate SaaS vendors based on their ability to offer this as protection. Favor solutions that offer MFA through a mobile application or hardware token over SMS only.

EMAIL, EMAIL POLICY, ANTI-PHISHING
Have a strong policy about using corporate email for personal use. Restrict access to personal mail on company assets. This reduces your phishing attack surface tremendously. There are numerous SaaS / Cloud based anti-phishing solutions that will protect your staff from clicking on bad things.

SECURE REMOTE ACCESS
If remote access is required, use a zero-trust access method or a VPN. Use two-factor authentication. Always. Avoid RDP or direct to machine access whenever possible.

BACKUPS
Keep at least one manual backup of your data offsite in a secure location. Many disaster recovery plans only account for a hot and warm backup. Also, it is best to use an auxiliary backup solution beyond what your cloud storage provider offers. There are many solutions that integrate seamlessly with Google, Azure, etc. Finally, CHECK to make sure the backup solution is functioning properly on a regular cadence.

Avoid full backups on the weekends. It’s a popular decision for organizations to conduct a full backup on the weekend because there are fewer users that could be disrupted. However, it’s also the choice time for threat actors to run their ransomware. For starters, they know there are fewer users on the network and their ransomware has a lower chance to be detected, which means a higher disruption chance for you and a higher success rate for the attackers. Secondly, the TAs know the ransomware might interfere with your full backups which creates more leverage for them during a negotiation.

INSURANCE
Consider a cyber insurance policy. There are smaller providers that can be affordable to small businesses.

ENCRYPT ALL DEVICES AND STORAGE
Utilize host-based encryption where possible to encrypt data at rest. This is available on most operating systems, natively.

THREAT INTELLIGENCE / DIGITAL RISK PROTECTION
The indicators of compromise (IOCs) related to malware strains associated with ransomware are quickly and easily available on the internet. A solution providing Digital Risk Protection will monitor open source repositories, code repositories, cloud storage buckets, paste sites, the dark web, and social media for:

  • Data Leaks
  • Intellectual Property Leaks
  • Stolen System Access
  • Fraudulent Domains (look-alikes)
  • Stolen or Leaked Credentials
  • Planned Attacks
  • Brand Fraud
  • Fraudulent Mobile Apps
  • And more...

SECURITY AWARENESS TRAINING
Education solves nearly everything. Your staff will always be the weakest point in your security program. In order to combat threats, the team needs to be made aware of them and taught how to identify and avoid pitfalls that bypass your security efforts.

REGARDING REMOTE EMPLOYEES AND CONTRACTORS
If you are issuing devices to remote staff, install anti-virus and EDR software on the device. Consider also Managed Detection and Response (MDR) services, which will help monitor and manage the threats to those devices. For contractors, consider using VPS services and require those services to be used when interacting with corporate files, assets, code, etc. This mitigates the concern that they might steal those digital assets, or have an otherwise company issued machine stolen with the assets on it.

LOGS
Log everything and store centrally offsite. There are myriad services that will provide cloud log repositories. This becomes necessary when an incident occurs and you need to figure who took what, where, and when.

TESTING
Have some objective external tests done to your software and your systems at least bi-annually. You should have a human do these tests, though occasional automated vulnerability testing is also helpful.

PLANS AND SUCH
Develop and practice an incident response plan. The plan should contain at a minimum:

  • Contact information for IR firm
  • A list of roles and responsibilities during the incident
  • A business impact assessment and plan to restore / continue operations
  • A list of the tools and methods available for analysis and recovery
  • Internal, external, and affected party (clients for example) communication plan

Consider also retaining the IR firm in advance, as well as external counsel with breach experience, and PR.
EMPLOYEE RESOURCE ACCESS / DE-PROVISIONING
A quick note on onboarding and offboarding. Well, specifically offboarding. Do that. Have a process for removing employees from corporate systems, notifying remaining staff and relative customers, and partners.

IF YOU ARE AFFECTED BY RANSOMWARE OR EXTORTION

  • Do not visit the threat actor victim site.
  • Do not attempt to negotiate with the threat actor.
  • Do not shut down or reboot systems.
  • Do contact legal counsel with breach experience.
  • Do contact an experienced negotiator.
  • Do contact an incident response firm.

Tips courtesy of Kurtis Minder, GroupSense.

Related Stories