Ransomware is on the rise across all sectors, including financial services, and in late June the New York State Department of Financial Services (NYSDFS) provided some statistics that are disturbing.
“From January 2020 through May 2021, DFS-regulated companies have reported 74 ransomware attacks. These attacks ranged in impact, from crippling days-long shutdowns to minor disruption from temporary loss of a few computers,” according to the NYSDFS. “Seventeen companies paid a ransom. The Department has also received a growing number of third-party cybersecurity events – where ransomware attacks against a critical vendor disrupt the operations of a regulated company.”
NYSDFS officials gathered data about the ransomware incidents, particularly about “whether a ransom was paid, and the incident’s impact on sensitive data and company operations. These ransomware incidents all followed a similar pattern.”
For instance, hackers broke into “the victim’s network using one of three techniques: 1) phishing, 2) exploiting unpatched vulnerabilities, or 3) exploiting poorly secured Remote Desktop Protocols (RDPs),” according to the NYSDFS.
“After gaining access to the network, hackers escalate privileges by obtaining access to administrator (or privileged user and privileged service) accounts,” according to the NYSDFS. “Hackers typically escalate privileges by stealing encrypted (‘hashed’) passwords and then employing password cracking tools on their own computers to decipher stolen passwords. Hackers then use privileged access to deploy ransomware, circumvent security controls, and target backups.”
To provide some measure protection against the hackers, NYSDFS official suggest the following:
- Email Filtering and Anti-Phishing Training: “Employee awareness of their network security obligations and anti-phishing training, in particular, are critical. Required cybersecurity awareness training … should include recurrent phishing training, including how to spot, avoid, and report phishing attempts. Companies should also conduct periodic phishing exercises and test whether employees will click on attachments and embedded links in fake emails, and remedial training for employees as necessary. Emails should be filtered to block spam and malicious attachments/links from reaching users.”
- Vulnerability/Patch Management: “Companies should have a documented program to identify, assess, track, and remediate vulnerabilities on all enterprise assets within their infrastructure. The program should include periodic penetration testing. Timely remediation of vulnerabilities is essential and requires strong governance, including assignment and tracking of responsibilities. Vulnerability management should include requirements for timely application of security patches and updates. Wherever possible, regulated companies should enable automatic updates.”
- Multi-Factor Authentication (MFA): “MFA protects user accounts and can prevent hackers from obtaining access to the network and from escalating privileges once in the network. MFA for remote access to the network and all externally exposed enterprise and third-party applications is required … All logins to privileged accounts, whether remote or internal, should require MFA, as this is a highly effective way of blocking privilege escalation via password cracking.”
- Disable RDP Access: “Regulated entities should disable RDP access from the Internet wherever possible. … If, after assessing the risk, RDP access is deemed necessary, then access should be restricted to only approved (whitelisted) originating sources and require MFA as well as strong passwords.”
- Password Management: “Regulated companies should ensure that strong, unique passwords are used. … Privileged user accounts should require passwords of at least 16 characters and ban commonly used passwords. Larger organizations with dozens or hundreds of privileged user and service accounts should strongly consider a password vaulting PAM (privileged access management) solution which requires employees to request and check out passwords. Password caching should be turned off wherever possible.”
- Privileged Access Management: “Regulated companies should implement the principle of least privileged access — each user or service account should be given the minimum level of access necessary to perform the job. … Privileged accounts should be carefully protected. As noted above, privileged accounts should universally require MFA and strong passwords. Companies should also maintain and periodically audit an inventory of all privileged accounts. Privileged accounts should be used only for tasks requiring elevated privileges, and administrators should have a second non-privileged account for all other tasks such as logging into their workstation, email, drafting documents, etc. Privileged service accounts are a frequent source of compromise and should not be overlooked. Service accounts should have the same or more restrictive access controls as equivalent user accounts.”
- Monitoring and Response: “Regulated companies must have a way to monitor their systems for intruders and respond to alerts of suspicious activity. … Regulated companies should implement an Endpoint Detection and Response (EDR) solution, which monitors for anomalous activity. Advanced EDR can quarantine infected systems, potentially stopping ransomware from executing before it can encrypt the endpoint. EDR can also facilitate incident response. Companies with larger and more complex networks should also have lateral movement detection and a Security Information and Event Management (SIEM) solution that centralizes logging and security event alerting.”
In addition, firms should have tested and segregated backups.
Segregated backups “allow recovery in the event of a ransomware attack. … To prevent hackers from deleting or encrypting backups, at least one set of backups should be segregated from the network and offline. It is important to periodically test backups by actually restoring critical systems from backups — this is the only way to be sure the backups will actually work when needed,” according to the NYSDFS.
Firms also need “an incident response plan that explicitly addresses ransomware attacks,” according to the NYSDFS. “The plan should be tested, and the testing should include senior leadership — decision makers such as the CEO should not be testing the incident response plan for the first time during a ransomware incident.”
By the way, NYSDFS officials say that they expect “regulated companies to implement these controls whenever possible.”
More details can be found here: https://on.ny.gov/3saGDqS