This July, IT World Canada reported that a Canadian firm was forced to pay $425,000 in bitcoin to recover from a ransomware attack that encrypted both its production and backup databases.
Ransomware is the most insidious new form of attack that organizations are facing. From a cost perspective it is also one of the easiest to understand. Why? Because the math is dead simple. Here are the traditional arguments that software vendors use to pitch the ROI of their solutions (security or otherwise, they all tend to sound similar):
- How many hours did you spend in recovery and post-mortem analysis?
- How many customers did you lose because you were under attack?
- What is the impact on your brand of a data breach?
All of these are calculable, but they are often amorphous calculations, and the analysis itself causes debate about how to calculate them rather than about what matters – mitigating risk.
How is this for an ROI calculation?
The cost is $425,000. There are probably a bunch of related costs, but the cost out of our pockets TODAY is $425,000. The net present value of today's out-of-pocket expense is $425,000. The opportunity cost of today's attack is $425,000. At today's exchange rates the cost is $425,000.
I think we all get the point.
How many Canadian firms can pay such a ransom and survive? How many that can't pay a ransom would recover from the loss of a critical system? Let's be real here: thieves holding a company for ransom have the objective of being paid, not of putting the company out of business. Thieves run ransomware like a business, so you can expect that they will ask for an amount that makes sense for the organization that is impacted. That is why one of the most publicized attacks in history, WannaCry, was (initially) only asking for US$300. So for every organization the price isn't necessarily in the six figures, but it can be crippling, and our under-the-radar Canadian organizations are as targeted as anyone else.
In this case it is reported that the breach occurred through well-targeted phishing attempts that tricked staff into launching malicious files. The double whammy is that the attack also took advantage of outdated servers. The lessons are hard to learn because they require the consistent application of common sense. It is true that the vast majority of people and organizations are good at common sense and good at consistency. But how often are we all good at both? It is also true that it only takes one (very small) mistake and the cost can be…well…$425,000.
The conclusion of the IT World Canada article is that “you can never control phishing because that is a human element”. Here we think the human element is no different from the IT elements. It requires a defence-in-depth strategy that combines layer upon layer of defensive perimeters to mitigate the risk that you “can't control”. This includes, at minimum:
- Perimeter Firewalls
- DNS Firewalls
- Antivirus software
- Content blocking/filtering
And we aren't even talking about the application layers here - just the human elements.
Fast response is critical
In a zero-day situation (the first time a new strain of malware is discovered) you need to get protected as quickly as possible, and this is where the layers of defence come into effect. Different vendors may update their definitions at different rates; moreover, your own policies may only be updated when someone gets to them. In this case the outdated server software was probably on the list to be fixed but just hadn't been done yet. Everything needs to happen as fast as is reasonable. This includes even human efforts, like email warnings to staff when you suspect you are being targeted or when a new global threat is emerging.
The role of a DNS firewall in blocking malware
In CIRA's case, our D-Zone DNS Firewall is updated with the latest threats in near real time, and because it is delivered as a cloud service the updates are automatically applied to all organizations. It helps control phishing because it can block links to known or suspected threats based on analysis of those links. Additionally, since some malware uses DNS for command and control, it can help by blocking the malware's communication with its controlling server.
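To make the two mechanisms in the paragraph above concrete, here is a small, added example (not CIRA's or D-Zone's code) of the policy logic a DNS firewall applies: each query name is matched against a threat list using RPZ-style suffix matching, blocked names are answered with a sinkhole address instead of the real one, and the blocked-query log is summarized per client so that a host repeatedly asking for a command-and-control name stands out. The blocklist entries, sinkhole address and query log are constructed for the demonstration.

```python
"""
Minimal DNS-firewall policy check, modelled on RPZ-style QNAME rules.
Added example, not CIRA's or D-Zone's code. The blocklist, the sinkhole
address and the query log below are all constructed for the demo.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed threat list: a name and all of its subdomains are treated as
# a threat of the given category. A real service fills this from threat
# feeds in near real time; the names here are documentation domains.
BLOCKLIST = {
    "malicious.example": "phishing",
    "c2.example": "command-and-control",
}

# Walled-garden address returned for blocked names (TEST-NET-1, RFC 5737).
SINKHOLE_IP = "192.0.2.1"


@dataclass
class Verdict:
    qname: str
    action: str                 # "PASS" or "BLOCK"
    category: Optional[str]     # threat category when blocked
    answer: Optional[str]       # address handed back to the client


def normalize(qname):
    """Lower-case the name and drop the trailing root dot."""
    return qname.rstrip(".").lower()


def match_policy(qname, blocklist=BLOCKLIST):
    """RPZ-style match: walk from the full name up to its parent domains
    on label boundaries, so 'login.malicious.example' matches the entry
    'malicious.example' but 'notmalicious.example' does not."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None, None


def resolve_with_policy(qname, real_answer, blocklist=BLOCKLIST):
    """Apply the policy to one query: blocked names get the sinkhole
    address, everything else gets the resolver's real answer."""
    entry, category = match_policy(qname, blocklist)
    if entry:
        return Verdict(normalize(qname), "BLOCK", category, SINKHOLE_IP)
    return Verdict(normalize(qname), "PASS", None, real_answer)


# Constructed query log as (client address, queried name).
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com."),
    ("10.0.0.5", "login.malicious.example."),
    ("10.0.0.7", "beacon.c2.example."),
    ("10.0.0.7", "beacon.c2.example."),
    ("10.0.0.7", "beacon.c2.example."),
    ("10.0.0.9", "mail.example.net."),
]


def blocked_by_client(queries, blocklist=BLOCKLIST):
    """Count blocked queries per client. Repeated hits on a C2 entry from
    one host is the beaconing pattern worth surfacing to the SOC."""
    counts = Counter()
    for client, qname in queries:
        entry, _ = match_policy(qname, blocklist)
        if entry:
            counts[client] += 1
    return counts


def clients_over_threshold(queries, threshold=3, blocklist=BLOCKLIST):
    """Clients whose blocked-query count reached the threshold."""
    counts = blocked_by_client(queries, blocklist)
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for client, qname in SAMPLE_QUERIES:
        v = resolve_with_policy(qname, "198.51.100.4")  # constructed real answer
        print(f"{client} {v.qname} -> {v.action} {v.category or ''} {v.answer}")
    print("clients beaconing to blocked names:", clients_over_threshold(SAMPLE_QUERIES))
```

The suffix walk is the important design choice: matching on label boundaries rather than on raw string suffixes means one entry for a bad parent domain covers every subdomain an attacker rotates under it, without accidentally catching unrelated names that merely end in the same characters. Answering with a sinkhole address rather than a refusal keeps the client's request from simply failing over to another resolver and gives the defender a place to observe which hosts tried to connect.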
So it is reasonable to say you can never 100% control phishing, but the reason we launched a Canadian DNS Firewall was to provide a critical layer of protection as a cloud service. By leveraging DNS infrastructure hosted close to your users, it has the added benefit of fast recursive resolution that doesn't degrade with complex policies or distance. So it is not only good for security, but good for efficiency.