HOW TO CREATE A MODERN SECURITY STRATEGY

Government and education leaders should focus on the three pillars of technology, people and policy to guard against sophisticated hackers.

CONTENTS

04 INTRODUCTION
06 A CLEAR AND PRESENT DANGER

NEW TOOLS TO FIGHT RANSOMWARE:

08 TECHNOLOGY
• Ensure endpoint protection
• Leverage next-generation firewalls
• Incorporate artificial intelligence and machine learning
• Keep up to date on software patching
• Manage inventory
• Leverage third-party threat intelligence services

12 PEOPLE
• Update end-user training
• Involve stakeholders in training design
• Address risky behavior
• Consider attack simulations
• Focus on behavior change, not punishment
• Help security and IT teams stay sharp
• Keep security front and center

16 POLICY
• Start with data governance
• Realize the importance of backup and recovery
• Rethink identity and access
• Validate your security plans
• Compare yourself to others
• Consider consolidation

18 SECURING THE FUTURE

INTRODUCTION

After sharp spikes in ransomware attacks in recent years, the total number of incidents is trending downward in 2018. But that’s not necessarily good news because these attacks also are becoming more targeted and potentially more dangerous.

Unit 42, the research arm of Palo Alto Networks, says it tracked 890,000 ransomware attacks across state and local government over the past two years. “But when we look just at the first six months of this year, we’re seeing a 20 percent decline compared to the same period in 2017,” says Josh Grunzweig, senior malware researcher with Unit 42.

A drop in the sheer number of attacks is encouraging for government leaders who have updated their security strategies to better protect networks and reduce the need for employees to make split-second decisions about whether a web link is risky. But more needs to be done.

The lure of profits is enticing international criminals to exploit new vulnerabilities, including those that surface as the Internet of Things (IoT) gains traction. Continued diligence is particularly important for state and local governments and education institutions, which are seeing more focused and sophisticated ransomware attacks this year.

For example, Unit 42 has been tracking a spike in SamSam, a ransomware family that’s been around for years but now has become a go-to for targeted public sector attacks. “Hackers are using it to first determine how many computers are on the targeted organization’s network, and once they’ve identified a large number of systems, they’ll deploy the ransomware to all of them,” Grunzweig says. “We’ve seen hackers make some significant updates to SamSam in this past year.”

One large U.S. city became a SamSam victim early in 2018. According to news reports, for nearly a week last March, city employees couldn’t use their work computers, forcing many to rely on pen and paper.1 Citizens and tourists also suffered. Residents couldn’t pay bills for municipal services online and the city’s airport halted Wi-Fi service for a time. The mayor called the exploit “an attack on our government, which means it’s an attack on all of us.”

How can public sector officials up their security game to counter targeted ransomware attacks? The answer is a comprehensive cybersecurity approach that incorporates integrated security platforms; a focus on people, including modern training techniques; and stronger policies and processes to prevent and contain ransom attacks. Where to start? This handbook presents a plan to understand today’s ransomware threats, along with best practices to prevent them.

“Ransomware isn’t a fad. Why? Because it works. When faced with the reality of losing our digital belongings, affordable paths out suddenly seem reasonable. Herein lies the problem. The bad guys have gotten better at automating the delivery of ransomware and are monetizing our fear of losing.”

Lucas Moody, Chief Information Security Officer, Palo Alto Networks

A CLEAR AND PRESENT DANGER

In the last year, hackers targeted multiple state and local governments, as well as higher education institutions, with sophisticated exploits. For example, cybercriminals used a variant of SamSam to take over IT systems at a state department of transportation, forcing 2,000 employees off the network while officials tried to isolate the attack.2 Particularly troubling was a follow-up attack on the department within two weeks that occurred before 80 percent of the systems infected in the first assault were restored.3 The department’s employees resorted to pen and paper to perform some of their duties during the downtime.

Three factors contribute to the prevalence of ransomware attacks against public institutions.

1. The public sector is an easier target: State and local government, along with higher education institutions, are attractive targets for cyber-thieves because IT resources are often underfunded compared to many commercial enterprises. Opportunistic hackers probe government and education networks hoping to uncover aging infrastructure or incomplete security measures. And when they find an opening, hackers have a variety of malware to stage an attack. Data thieves use asymmetric cryptography, which combines public and private keys, to encrypt valuable public sector information. To recover their data, victims must pay to receive the private key.

2. Crypto-currencies enable extortion: It’s not just the latest and greatest forms of malware that make ransomware so successful. Digital innovations also provide criminals with new tools to turn extortion into a moneymaker. Crypto-currencies like Bitcoin enable ransomware hacks because there isn’t a central authority to spot and prevent illegal activities.

3. People are a weak link: Because social engineering is so successful at gaining access into protected public sector systems, it remains a common tool among ransomware hackers. Infected attachments, malicious JavaScript and links to infected websites all lurk in targeted, carefully written emails that result from upfront research by thieves. Similarly, exploit kits, such as those associated with SamSam, troll networks for missing security patches and other gaps that enable a widespread ransomware infection.

Also on the list of public sector vulnerabilities are ubiquitous web-based file sharing applications that enable even security-conscious staff members to breach internal information-sharing policies without the IT department’s knowledge.

INSIDE THE CYBER ATTACK LIFE CYCLE

(Figure: the five stages of a ransomware attack.)

1. Planning the attack
2. Silently infecting the device
3. Executing malicious files
4. Establishing communications with the attacker
5. Receiving ransom and/or stealing, sabotaging, destroying data

NEW TOOLS TO FIGHT RANSOMWARE

As public sector security officials formulate a comprehensive cybersecurity strategy to fight ransomware efforts, they must focus on three core areas: technology, people and policy.

TECHNOLOGY

Battling today’s sophisticated threats requires an integrated platform approach to cybersecurity, rather than disconnected point solutions.

“Public sector organizations must take advantage of the multiple opportunities they have to prevent ransomware attacks,” says Scott Simkin, director of threat intelligence at Palo Alto Networks. “That can only be done with an end-to-end security platform.”

These platforms should include integrated modules for web security, next-generation firewalls and the latest endpoint security capabilities, which work together to prevent attacks. Unlike point solutions, security platforms enable data sharing and automation across multiple security components to quickly address new vulnerabilities. Leaders should use platforms to help them:

Ensure endpoint protection: Because endpoint protection is a key component within integrated security platforms, public sector IT staffs should make sure this technology includes the latest capabilities. Evaluate endpoint applications for how easily they exchange security data with other network defenses. Ideally, endpoint and other devices should work together to spot possible security threats, share insights and collectively take appropriate action according to the organization’s policies and directions from the security staff.

Leverage next-generation firewalls: Next-generation firewalls (NGFs) implemented within the overall security platform monitor network traffic to identify and block known and unknown threats, including zero-day malware. NGFs can quarantine suspicious software until further tests determine whether it’s a threat. Unlike traditional firewalls, NGFs assess data from any communications port and physical or virtual IT resource.

Eliminating the theft of passwords and other credentials is a primary goal when protecting the organization. When valid credentials fall into the hands of hackers, they can breach a network’s defenses and then move easily across internal resources. One differentiator among top-tier security vendors is the set of capabilities that mitigate credential theft, applying prevention at any point of the attack life cycle. These advanced products block end users from submitting credentials to websites that are suspicious or known to be used by cyber-thieves. The tools also enforce network authentication policies to keep hackers from using valid credentials to move throughout internal networks.

Incorporate artificial intelligence and machine learning: An effective security platform also will incorporate artificial intelligence (AI) and machine learning to identify network-traffic anomalies and signs of zero-day attacks. Besides detecting problems, AI and machine learning can automate appropriate responses, which is much faster than manual interventions.

Next-generation anti-virus programs now use machine learning to identify emerging threats. Unlike traditional anti-virus applications, the latest programs don’t try to spot the easily disguised digital fingerprints of known malware. Instead, security software that’s fueled by machine learning analyzes the behavior of enterprise applications and files to look for anomalies in how they’re interacting with the operating system.

“There’s less CPU overhead associated with these applications,” says George Finney, chief security officer at Southern Methodist University. “And they’re more accurate, with fewer false positives.”

Machine learning also can spare security staffs from manually monitoring dashboards and examining security logs in search of activity that indicates a breach. “Instead, software interrogates the data,” says Thomas Murphy, senior director and CISO at Northwestern University. “If a file looks like it is going to execute, and it is going to do something bad, software on a machine can stop that from happening. We’re moving in that direction to decrease our response time for stopping an attack. The less human intervention required, the less time it may take to actually shut down the attack.”

However, Palo Alto Networks’ Simkin notes that “AI and machine learning are only as good as their algorithms and source data. Organizations need algorithms that can effectively analyze massive quantities, and that data should be sourced from actual public sector and commercial organizations throughout the world. Even the best algorithms will be useless without those rich data sets from network, endpoint and cloud resources.”

Furthermore, security platforms should provide a common data model so AI and machine-learning technologies can analyze one large information resource rather than try to spot trends across multiple, fragmented data sets, he adds.

The best security platforms are designed to quickly integrate new security tools and innovations. Study a security vendor’s track record for how regularly it delivers updates and whether it provides open application programming interfaces (APIs) and software development kits that enable members of the broader security ecosystem to extend the platform.

Keep up to date on software patching: The effectiveness of cybersecurity platforms is augmented when CIOs and chief information security officers (CISOs) have reliable procedures for installing new and updated security software and technologies. One way to plug gaps is with automated patch management systems that relieve IT departments from manually installing updates, a task that can become overwhelming given the number of revisions vendors release. Commercial cloud services, including software-as-a-service (SaaS) applications, can reduce the patching burden on overstretched IT staffs as cloud vendors become responsible for the security software.

Some organizations take additional measures. Southern Methodist University (SMU) developed a vulnerability management program that uses digital scanners to examine devices connected to the network to determine if any are vulnerable because of outdated software or missing patches.

Along with automated patching, security officials are implementing more aggressive patching policies. In the past, organizations spent extra time testing security patches to ensure they were compatible with existing installations and wouldn’t cause system downtime. A growing number of officials now believe some of these delays may be unnecessary.

“We used to be a lot more concerned about availability issues,” Finney says. “But after we started pushing out patches more aggressively, we haven’t heard people complain about problems very often. There may be some one-off applications, where a researcher wrote his own code, and a patch caused a problem. But by and large, those are the exceptions.”

Other public sector officials are coming to similar conclusions. “Organizations have to measure the risk of malware versus the risk of disruption,” says David Jordan, CISO at the Department of Technology Services for the county of Arlington, Va. “The chance that we’ll see any disruption from most patches is low, while the risk of attacks is high. The big ransomware breaches of 2017 could have been avoided if available patches were in place.”

Manage inventory: CISOs gain another important level of situational awareness with inventory management tools, which create running inventories of all the equipment connected to the network.

“You may not initially see why it’s so important for cybersecurity to keep a current inventory, but there’s no way you can protect your assets if you don’t know what you have and where it’s located,” Finney says. SMU uses a commercial application that installs software agents on every digital device connected to the network.

“When WannaCry came out last year, the first thing we did was check whether any of our machines were vulnerable,” says Finney. “Thankfully, we have a tool that allows us to answer that question, so we can focus our efforts appropriately when there’s an outbreak, rather than doing a complete fire drill.”

Leverage third-party threat intelligence services: Finally, because security threats evolve so rapidly and in such high numbers, public sector officials should consider using third-party threat intelligence sources. These resources can tip off security staffs to emerging threats anywhere in the world. The services also can automatically update security frameworks based on trending information.

Some intelligence services are tailored specifically for the public sector. For example, Palo Alto Networks developed the Trusted Information Partner Sharing (TIPS) program, which gives subscribers from state and local government early warnings about emerging threats and advance insights about protection measures.

11 PEOPLE

Update end-user training: Along with the right technology, people remain a critical component in protecting sensitive data. Mistakes by end users, whether that’s opening an untrusted attachment or browsing an infected website, are common entries into internal networks. Thus, the cornerstone of any security program should be ongoing training of people at all levels of the organization to reinforce best practices. Lessons should also detail proper data management techniques. In addition, employees should be educated on the dangers of storing sensitive data on laptops rather than in a secure central location. This requires a combination of formal seminars and table-top exercises, as well as regular communications about the latest exploits.

“It’s important to recognize that whether the concern is ransomware or any other type of cyber threat, we all have to think about how our professional and digital lives intersect,” says Murphy. “If we can learn to live with good hygiene in our overall digital lives, it will translate into protecting our employers’ data. So, the answer to security is as much cultural as it is technical.”

However, this needs to be consistently reiterated, says Dan Lohrmann, chief security officer and chief strategist for Security Mentor, a training organization, and former chief security officer for the state of Michigan. “Training isn’t something that’s ‘one and done.’ Ransomware threats are moving targets, and people have to stay informed about what’s out there. It’s best to think of training as lifelong learning — something that’s now part of effective government in the 21st century.”

Involve stakeholders in training design: These discussions shouldn’t be one-way conversations. CIOs and CISOs should listen to end-user concerns about staying productive and doing their jobs. By understanding user concerns, such as the trade-off between following security policies and staying productive, security officials can design methodologies that address requirements unique to individual job titles. After all, even the best security plans will be ineffective if they’re not put into practice in daily operations.

Regular conversations with senior leaders also are vital, not only to reassure them that security measures are in place to address cybersecurity threats, but to help them understand why additional investments will be needed to stay ahead of hackers.

Address risky behavior: Security experts say it’s important to broaden training beyond the risks and defenses related to any one threat. People also need to understand what makes them vulnerable to these types of attacks.

“The more personal information people post to social media, the easier it is for an attacker to create an email that sounds legitimate and important for their jobs,” says Kristin Judge, CEO and president of the Cybercrime Support Network, a public-private partnership that coordinates federal, state and local resources to support cybercrime victims. “That’s why you should avoid oversharing online. Don’t make yourself an easy puzzle for a hacker to solve.”

Consider attack simulations: Simulated phishing campaigns also can hone security skills. Developed in-house or with the help of outside services, these campaigns involve sending authentic-looking emails to internal staff to test their ability to think before clicking on attachments or URLs. When SMU started doing this nearly five years ago, nearly 40 percent of end users clicked before verifying the legitimacy of the messages. Instead of a malware infection, they’d receive a message explaining what they’d done and why it was risky behavior. The effort quickly paid off. Click-through rates for the simulated attacks have dropped to about three percent.

“Considering the almost 95 percent increase in phishing attacks over that time, I can’t imagine the number of compromised accounts we’d have today without a simulated phishing program,” SMU’s Finney says. He adds that the tools used to achieve these benefits don’t have to be expensive. The university is now moving to an open source phishing simulation application that’s freely distributed.

“It’s not always easy to measure return on investment for security investments, but this is one case where the returns are clear,” he says.
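The click-through rate SMU tracks is the basic metric of a simulation program, but a per-campaign export also supports two things the handbook's advice depends on: the share of people who reported the message (the behavior you want to grow) and the users who click campaign after campaign (the ones who need coaching rather than another generic session). The following is an added example, not code from the handbook or from SMU's program; the event log is constructed, standing in for the export a simulation tool would produce, and the action names "delivered", "clicked" and "reported" are an assumed convention.

```python
"""Campaign metrics for a simulated-phishing program (added example).

EVENTS is a constructed stand-in for a simulation tool's export: every
targeted user gets a "delivered" row, followed by "clicked" and/or
"reported" rows if they did either.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

EVENTS: List[Tuple[str, str, str]] = [
    ("2014-Q1", "u01", "delivered"), ("2014-Q1", "u01", "clicked"),
    ("2014-Q1", "u02", "delivered"), ("2014-Q1", "u02", "clicked"),
    ("2014-Q1", "u03", "delivered"),
    ("2014-Q1", "u04", "delivered"), ("2014-Q1", "u04", "reported"),
    ("2014-Q1", "u05", "delivered"),
    ("2018-Q3", "u01", "delivered"), ("2018-Q3", "u01", "reported"),
    ("2018-Q3", "u02", "delivered"), ("2018-Q3", "u02", "clicked"),
    ("2018-Q3", "u03", "delivered"), ("2018-Q3", "u03", "reported"),
    ("2018-Q3", "u04", "delivered"), ("2018-Q3", "u04", "reported"),
    ("2018-Q3", "u05", "delivered"),
]


def campaign_rates(events) -> Dict[str, Dict[str, float]]:
    """Per campaign: how many were targeted, what fraction clicked, and what
    fraction reported the message. Users are counted once per campaign even
    if the tool logged several clicks."""
    delivered = defaultdict(set)
    clicked = defaultdict(set)
    reported = defaultdict(set)
    buckets = {"delivered": delivered, "clicked": clicked, "reported": reported}
    for campaign, user, action in events:
        buckets[action][campaign].add(user)   # KeyError flags an unknown action
    rates = {}
    for campaign, users in delivered.items():
        n = len(users)
        rates[campaign] = {
            "targeted": n,
            "click_rate": len(clicked[campaign]) / n,
            "report_rate": len(reported[campaign]) / n,
        }
    return rates


def repeat_clickers(events, min_campaigns: int = 2) -> List[str]:
    """Users who clicked in at least min_campaigns distinct campaigns: the
    group to offer targeted coaching, not punishment."""
    campaigns_by_user = defaultdict(set)
    for campaign, user, action in events:
        if action == "clicked":
            campaigns_by_user[user].add(campaign)
    return sorted(u for u, cs in campaigns_by_user.items() if len(cs) >= min_campaigns)


def click_rate_trend(events) -> float:
    """Change in click rate from the earliest to the latest campaign
    (negative means improvement)."""
    rates = campaign_rates(events)
    first, last = min(rates), max(rates)          # campaign labels sort by date
    return rates[last]["click_rate"] - rates[first]["click_rate"]


if __name__ == "__main__":
    for name, r in campaign_rates(EVENTS).items():
        print(f"{name}: targeted={r['targeted']} click={r['click_rate']:.0%} report={r['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("click-rate change:", f"{click_rate_trend(EVENTS):+.0%}")
```

Report rate is worth tracking alongside click rate: a campaign where clicks fall but nobody reports the message shows people ignoring it, not yet treating it as something to hand to the security team.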

Focus on behavior change, not punishment: Security officials caution the simulations shouldn’t feel like a game of ‘gotcha.’ People who let their guard down shouldn’t be punished by being forced to attend extra training. Instead, the goal should be to change behavior over time.

“Formal training provides people with necessary information, but that alone won’t change their behavior,” Finney says. “Simulated phishing helps people understand the consequences of their actions and internalize those lessons so the next time they’re curious about an attachment, they pause and think before they click.”

At Northwestern University, employees are encouraged to assume that every incoming email is infected. “Even though you think it’s from a cohort or a family member, first look at it as if it could be a hacker who is trying to phish you,” Murphy says. “Don’t open an attachment until you’ve taken steps to become comfortable that it actually isn’t a threat.”

Even a successful attack can be used by security teams to keep the organization more secure in the future. “After a breach is the best time to teach,” Judge says. “It’s a time to discuss the incident with employees and demonstrate ransomware isn’t just some abstract idea — it’s a real threat. This sets the stage for a new conversation about the latest best practices.”

Help security and IT teams stay sharp: Some organizations use specialized instruction like cyber-range training, which provides hands-on exercises designed for people to experience the impact of ransomware. Attendees should represent a cross-section of the technical staff, from people who manage endpoints and infrastructure to networking and security teams. The best cyber-range training is updated weekly to highlight the latest types of ransomware.

Keep security front and center: Government and higher education officials are adopting techniques to regularly reinforce what’s taught in training sessions. For instance, Arlington County dedicates space for cybersecurity on its internal website. When city employees go there to order supplies or view general news about their departments, they also get updates about new types of cyber threats.

“This section on the website not only keeps people informed, it supports what they learn in the regular security training they receive,” CISO Jordan says.

The county also added a menu button to staff computers that employees can click when they receive a suspicious email. The message is immediately removed from the person’s computer and sent to the security staff for evaluation. If it is infected, the security team locates anyone who may have become infected and takes appropriate remediation steps.

15 POLICY

Start with data governance: Data governance standards are the first step in formulating effective anti-ransomware policies. Governance enables agencies and institutions to specify who has access to individual applications and files, and to classify and rank the criticality of data. After all, if officials attempt to protect all data equally, organizations risk overspending to protect unessential information, which can quickly swamp security budgets.

Understanding the different types of data stored in an organization puts officials in a better position to ensure everything is secured appropriately. To help make those calls, security officers and IT managers should coordinate with a variety of stakeholders, including members of the risk and compliance staff and department heads.

Realize the importance of backup and recovery: Data prioritizations also will help the security staff develop successful backup and disaster recovery plans, two critical elements to protect information in the age of ransomware. When prevention fails, reliable and comprehensive data backup strategies offer an alternative to doling out Bitcoins to extortionists.

“As practitioners, and as possible victims, there are some things we need to nail to kill this primitive form of abuse once-and-for-all,” says Moody, CISO for Palo Alto Networks. “Back your data up. If you didn’t live in fear of losing your data because backups were an arm’s reach away, we would laugh at the proceeding request for funding, and simply restore.”

For data restoration to be successful, backups must be done frequently, since any data created between the last backup and the infection will likely be lost. Also, backup strategies don’t prevent thieves from publicly disseminating personal information or proprietary research, which is a reminder of why prevention should remain the primary goal.

Nevertheless, given the importance of backups as part of an overall strategy, IT and security managers should work with administrators and department heads to update recovery plans.

The most valuable information may need to be backed up regularly throughout the day to reduce losses. While the safest option, this is also the most expensive and may not be appropriate for less vital data that can safely be backed up nightly or perhaps weekly. But these decisions aren’t always clear cut. As the FBI points out, some advanced forms of ransomware can lock cloud-based backups performed by organizations seeking to continuously back up systems in real time. Its advice: “Ensure backups are not connected permanently to the computers and networks they are backing up.”
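Two of the points above are routinely skipped in practice: proving that a backup can actually be restored, and noticing when a backup that stayed reachable from the network has itself been overwritten. The script below is an added example, not code from the handbook or from any product it mentions. It writes a timestamped snapshot with a SHA-256 manifest, marks the snapshot files read-only (a stand-in for keeping the copy out of reach of the account that could later be running ransomware), runs a restore drill that re-hashes every restored file, and then shows the manifest catching a snapshot file that was overwritten in place. Everything runs against constructed files in a temporary directory.

```python
"""Backup snapshot with integrity manifest and restore drill (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, backup_root: Path) -> Path:
    """Copy every file under src into a new timestamped snapshot and record
    a SHA-256 for each one so a later restore can be verified."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    snapshot = backup_root / stamp
    snapshot.mkdir(parents=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        dest = snapshot / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_file(path)
    (snapshot / MANIFEST).write_text(json.dumps(manifest, indent=2))
    # Read-only snapshot: a stand-in for a copy that the backed-up machines
    # cannot write to (offline media or a separately credentialed store).
    for path in snapshot.rglob("*"):
        if path.is_file():
            path.chmod(0o444)
    return snapshot


def verify_snapshot(snapshot: Path) -> list:
    """Relative paths whose current hash no longer matches the manifest:
    missing, truncated, or encrypted in place."""
    manifest = json.loads((snapshot / MANIFEST).read_text())
    bad = []
    for rel, expected in manifest.items():
        path = snapshot / rel
        if not path.is_file() or sha256_file(path) != expected:
            bad.append(rel)
    return bad


def restore_drill(snapshot: Path, restore_dir: Path) -> bool:
    """Restore the snapshot into restore_dir and confirm every file came back
    with the hash recorded at backup time."""
    manifest = json.loads((snapshot / MANIFEST).read_text())
    for rel, expected in manifest.items():
        dest = restore_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot / rel, dest)
        if sha256_file(dest) != expected:
            return False
    return True


def demo() -> dict:
    """Constructed end-to-end run: back up, drill a restore, then overwrite
    one snapshot file the way malware with write access would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "shared_drive"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "budget.csv").write_text("dept,amount\nIT,120000\n")
        (src / "notes.txt").write_text("council minutes (constructed sample)\n")

        snap = make_backup(src, root / "backups")
        clean_before = verify_snapshot(snap)
        restore_ok = restore_drill(snap, root / "restore_test")

        victim = snap / "finance" / "budget.csv"
        victim.chmod(0o644)                      # simulate the copy being reachable
        victim.write_bytes(b"\x00encrypted-garbage")
        return {
            "files_backed_up": len(json.loads((snap / MANIFEST).read_text())),
            "clean_before": clean_before,
            "restore_ok": restore_ok,
            "tampered_after": verify_snapshot(snap),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest should itself live somewhere the backed-up systems cannot write; the drill is only meaningful when it is run on the restore target rather than on the machine that produced the snapshot.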

Rethink identity and access: Effective security policies must define how organizations will manage identities and access. Pay particular attention to privileged accounts, such as those that grant administrative rights to systems and data management, the FBI advises. For example, only people whose roles require it should have this special status, and policies should be in place to ensure these staff members use the power only when necessary. Similarly, the FBI recommends organizations take a granular approach when configuring access controls, giving employees access only to specific files they need and not giving them the ability to alter the files or directories.

Validate your security plans: Updating security policies to cope with malware is just the start. Agencies and institutions must regularly test and validate their response and recovery plans and revise them as needed to stay current with evolving threats. Because responses involve a cross-section of stakeholders, including many outside of IT, multiple departments should be represented when plans are updated.

“Organize regular reviews and table-top exercises so everyone can practice their assigned roles,” Lohrmann says. “Include case studies of actual, recent attacks so everyone can walk through response options and be ready if something similar happens in your organization.”

SMU’s Finney says realistic plans should answer basic but vital questions, such as who you report a security issue to, whether that’s a supervisor, the help desk or a different resource.

“I feel passionate that these plans shouldn’t be aspirational,” he says. “Some organizations write plans based on what they think they ought to be doing, which may not always reflect reality in their organizations. The result is that people don’t follow the plans and they just do what makes sense to them when a problem arises.”

Compare yourself to others: Security experts also advise organizations to benchmark their security strategies against peers. For example, compare the security budgets of similar public sector entities, how frequently they perform backups and what security training they offer. Any gaps revealed in the comparisons can be used to lobby senior executives and legislators for more resources.

Consider consolidation: Government and higher education leaders should consider the security benefits of centralizing their technology resources. IT departments in both sectors often are highly decentralized, with separate staffs and platforms serving individual departments. This makes it difficult to apply enterprise security policies across email platforms, network firewalls, office automation applications and other widely used systems. Decentralization of core infrastructure and systems can lead to security gaps that hackers use as entry points onto networks and eventually to access vital information anywhere in the organization.

Consolidating commonly used services within a central authority, while preserving departmental control over specialized resources, provides security advantages. For example, software patches can be uniformly updated and analytics can be applied across the organization for more detailed assessments of prevailing traffic patterns.
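The granular access controls the FBI recommends are easiest to justify when you can show what one compromised account could reach: ransomware encrypts exactly the files its user can write. The script below is an added example, not from the handbook or the FBI guidance it cites. It models a file share as a constructed list of paths and an ACL table of path-prefix grants, then computes the blast radius of a single user under a broad "everyone can write the whole share" policy and under a per-team policy. The group names, paths and user names are all constructed.

```python
"""Blast-radius review for file-share access policies (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Grant:
    principal: str   # user name or group name; "Everyone" matches every user
    prefix: str      # path prefix the grant covers
    write: bool      # True = modify/delete, False = read-only


# Constructed share contents.
FILES: List[str] = [
    "/shares/finance/budget.csv",
    "/shares/finance/payroll.xlsx",
    "/shares/hr/reviews.docx",
    "/shares/it/switch-configs.txt",
    "/shares/public/forms.pdf",
]

GROUPS: Dict[str, Set[str]] = {
    "finance": {"jdoe", "asmith"},
    "hr": {"mlee"},
    "it": {"admin1"},
}

# The common starting point: one share, everyone writes everywhere.
BROAD_POLICY = [Grant("Everyone", "/shares/", write=True)]

# Granular: each team writes only its own folder; public is read-only for all.
GRANULAR_POLICY = [
    Grant("finance", "/shares/finance/", write=True),
    Grant("hr", "/shares/hr/", write=True),
    Grant("it", "/shares/it/", write=True),
    Grant("Everyone", "/shares/public/", write=False),
]


def principals_of(user: str) -> Set[str]:
    """The user plus every group they belong to plus the catch-all principal."""
    return {user, "Everyone"} | {g for g, members in GROUPS.items() if user in members}


def writable_files(user: str, policy: List[Grant], files: List[str] = FILES) -> List[str]:
    """Files this user can modify, i.e. what ransomware running under the
    account could encrypt. A file is writable if any write grant for one of
    the user's principals covers its path."""
    mine = principals_of(user)
    return sorted(
        f for f in files
        if any(g.write and g.principal in mine and f.startswith(g.prefix) for g in policy)
    )


def blast_radius(policy: List[Grant], users: List[str]) -> Dict[str, int]:
    """How many files each account could take down with it."""
    return {u: len(writable_files(u, policy)) for u in users}


def overexposed(policy: List[Grant], users: List[str], max_share: float = 0.5) -> List[str]:
    """Accounts that can modify more than max_share of the share: the ones
    whose compromise would hurt most and whose grants deserve review first."""
    limit = max_share * len(FILES)
    return sorted(u for u in users if len(writable_files(u, policy)) > limit)


if __name__ == "__main__":
    staff = ["jdoe", "mlee", "admin1"]
    print("broad   :", blast_radius(BROAD_POLICY, staff), "overexposed:", overexposed(BROAD_POLICY, staff))
    print("granular:", blast_radius(GRANULAR_POLICY, staff), "overexposed:", overexposed(GRANULAR_POLICY, staff))
```

Run against a real export of share permissions, the same comparison gives the numbers needed to answer the checklist question about reviewing network drive permissions to limit what a single user can affect.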

SECURING THE FUTURE

Progressive governments and higher education institutions are modernizing their cybersecurity strategies with new technology, regular end-user training and solid incident response plans. These activities strengthen defenses against new and more sophisticated ransomware attacks. They also build a foundation for securing our digital futures.

“We need to get better at automating the prevention of ransomware before it becomes an issue,” says Moody. “A solid strategy of perimeter malware prevention, supported by consistent sandboxing and complemented by endpoint exploit prevention, would all but place ransomware in the category in which it belongs. Extinct.”

RESOURCES FOR RESISTING RANSOMWARE

CyberCrime Support Network (https://cybercrimesupport.org/)
This public-private partnership coordinates federal, state and local resources to support cybercrime victims.

Cyberplanner (https://www.fcc.gov/cyberplanner)
Developed by the U.S. Federal Communications Commission, this online resource helps organizations create customized cybersecurity plans.

Cyber Threat Alliance (https://www.cyberthreatalliance.org/)
A not-for-profit organization that shares the latest cyber-threat information among public- and private-sector organizations to help defend against emerging threats.

DMARC (https://dmarc.org/)
The Domain-based Message Authentication, Reporting & Conformance protocol authenticates email to protect against infections.

MS-ISAC (https://www.cisecurity.org/ms-isac/)
The multi-state information sharing and analytic center offers best practices, tools and threat updates for cyber-threat prevention, protection, response and recovery activities.

Ransomware: Unlocking the Lucrative Criminal Business Model (https://www.paloaltonetworks.com/solutions/initiatives/ransomware)
Palo Alto Networks’ Unit 42 report discusses the rise of the ransomware business model, how adversaries are refining and improving their tactics, and what you can do to better defend your organization against them.

Palo Alto Networks Cyber Range (https://www.paloaltonetworks.com/solutions/initiatives/cyberrange-overview)
Interactive cyber defense training for IT network, infrastructure, OT, DevOps and SecOps teams.

Palo Alto Networks Buying Guide for Next-Generation Firewalls (https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/test-your--overview)
A whitepaper that explains how to find a next-generation firewall solution that meets your needs.

Phishing Prevention Resources (https://www.paloaltonetworks.com/products/innovations/credential-theft-prevention)
Extensive resources from Palo Alto to prevent credential-based attacks.

No More Ransom! (https://www.nomoreransom.org/)
A group of law enforcement organizations and IT security companies that offers a repository of keys and applications that can decrypt data locked by different types of ransomware.

A CHECKLIST FOR LEADERS

ARE YOU PREPARED?

• Have you developed and executed an end-user awareness program?
• Have you reviewed and validated your server backup processes?
• Are your employees backing up all important files to a location that ransomware cannot reach, that is, one that is offline or not writable from user workstations and mapped drives?
• Have you tested the process of recovering files from a backup, and timed how long a full restore takes?
• Have you reviewed network drive permissions to minimize the impact a single user can have?
• Does your plan include documented steps to reduce your attack surface, block known threats, and identify and prevent unknown threats?
• Do you have a documented incident response plan for ransomware?
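The network drive permissions question above is easiest to answer with an audit rather than a policy review. The PowerShell below is an added example, not code from the brochure or from Palo Alto Networks. It runs on a Windows file server and lists every non-administrative SMB share where a broad principal (Everyone, Authenticated Users or BUILTIN\Users) holds write rights at the share level or on the share root and its top-level folders. Those are the locations a single infected workstation account can encrypt. The principal list is an assumption; add your own catch-all groups such as EXAMPLE\Domain Users.

```powershell
# Added example (not from the original brochure): audit SMB shares for broad
# write access. Assumes it runs locally on the file server with rights to read
# share and NTFS ACLs. $BroadPrincipals is a placeholder list to adjust.

$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

# NTFS rights that let a user overwrite or delete existing files.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BroadWriteAccess {
    # Returns one object per Allow ACE that grants a broad principal write rights on $Path.
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if (($BroadPrincipals -contains $who) -and (($ace.FileSystemRights -band $WriteRights) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Identity = $who; Rights = "NTFS: $($ace.FileSystemRights)" }
        }
    }
}

# Skip administrative shares (C$, ADMIN$, IPC$) and shares without a local path.
$shares = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' -and $_.Path }

$findings = foreach ($share in $shares) {
    # Share-level permissions: Change or Full for a broad principal is enough to encrypt files.
    foreach ($sa in Get-SmbShareAccess -Name $share.Name) {
        if ($sa.AccessControlType -eq 'Allow' -and
            ($BroadPrincipals -contains $sa.AccountName) -and
            ($sa.AccessRight -in @('Change', 'Full'))) {
            [pscustomobject]@{
                Path     = "\\$env:COMPUTERNAME\$($share.Name)"
                Identity = $sa.AccountName
                Rights   = "Share: $($sa.AccessRight)"
            }
        }
    }
    # NTFS permissions on the share root and each top-level folder.
    Get-BroadWriteAccess -Path $share.Path
    Get-ChildItem -Path $share.Path -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Get-BroadWriteAccess -Path $_.FullName }
}

if ($findings) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
} else {
    Write-Output 'No broad write access found on non-administrative shares.'
}
```

Every row in the output is a share or folder that any authenticated user, and therefore any ransomware running as one, can write to. Effective access is the intersection of the share and NTFS permissions, so a share-level Change grant only matters where NTFS also allows writing; the two result types are labeled so you can correlate them. ACEs that use generic access masks (shown by Get-Acl as large negative numbers) are not decoded here and should be reviewed by hand.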

CAN YOU PREVENT?

• Have you deployed network security devices, such as next-generation firewalls, that can identify executable files traversing the network and block or quarantine them?
• Have you alerted your staff to exercise extreme caution before opening a Windows executable file attached to an email message or linked from a web page?
• Do you have a system in place that identifies never-before-seen threats, for example sandbox analysis that detonates suspicious files in a virtual environment to observe malicious behavior?
• Do you have advanced endpoint protection that stops malicious files before they execute, and that detects and prevents known and unknown malware as well as known and unknown exploits, including zero-days?
• Have you protected your cloud environments from ransomware by locking down identity management, securing both the compute and storage layers, and protecting cloud services?
• Do you enforce multi-factor authentication throughout your network, including for remote access and administrative accounts?
• Have you disabled macros in Microsoft Office files through Active Directory Group Policy?
• Have you scrutinized your monthly patch management processes?

HOW DO YOU RESPOND?

If you have been hit by a ransomware attack:

• Work to identify the ransomware family so you can check whether a security vendor or the No More Ransom project offers a decryptor for it. Indicators such as the adversary's contact email address, the text and filename of the ransom note, the extension appended to encrypted files or the bitcoin wallet address are often enough. Alternatively, use automated malware analysis or threat intelligence systems to identify the family.

• Consider all options before paying; payment should be the absolute last resort, and it does not guarantee a working decryptor. Can you recreate the encrypted data? Do you have an older version of the files that can be updated with new information? Does the data exist anywhere else, such as on a system at another location that was not affected?
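The macro item under "Can you prevent?" above comes down to two Office policy registry values delivered through Group Policy: the VBA macro notification setting and the "Block macros from running in Office files from the Internet" setting. The PowerShell below is an added example, not code from the brochure or from Palo Alto Networks. It assumes the GroupPolicy module from RSAT on a domain-joined admin workstation, an Office 16.0 installation (Office 2016, 2019 or Microsoft 365), and placeholder names for the GPO and the target OU; it also includes a check function to run on an endpoint after the policy has applied.

```powershell
# Added example (not from the original brochure): build and link a GPO that
# disables VBA macros in Word, Excel and PowerPoint and blocks macros in files
# carrying the Mark of the Web. Requires the GroupPolicy module (RSAT) and
# rights to create and link GPOs. $GpoName and $TargetOU are placeholders.

Import-Module GroupPolicy

$GpoName       = 'Office Macro Hardening'              # placeholder
$TargetOU      = 'OU=Workstations,DC=example,DC=gov'   # placeholder
$OfficeVersion = '16.0'                                # Office 2016 / 2019 / Microsoft 365
$Apps          = 'Word', 'Excel', 'PowerPoint'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Disable Office VBA macros; block macros from the Internet'
}

foreach ($app in $Apps) {
    $key = "HKCU\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all without notification.
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'VBAWarnings' `
        -Type DWord -Value 4 | Out-Null
    # "Block macros from running in Office files from the Internet".
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'blockcontentexecutionfrominternet' `
        -Type DWord -Value 1 | Out-Null
}

# Link the GPO to the OU unless a link already exists.
$existingLink = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

function Test-MacroPolicy {
    # Run on an endpoint (as the logged-on user, after 'gpupdate /force') to
    # confirm the policy values landed. Compliant is $true only when both are set.
    param([string]$Version = '16.0')
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $v = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App           = $app
            VBAWarnings   = $v.VBAWarnings
            BlockInternet = $v.blockcontentexecutionfrominternet
            Compliant     = ($v.VBAWarnings -eq 4 -and $v.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Test-MacroPolicy | Format-Table -AutoSize
```

Value 4 disables macros outright; if a department depends on signed macros, use 3 (disable except digitally signed) for that OU and keep the Internet block at 1 in both cases, since files that arrive by email or download are where ransomware droppers live. Because the values sit under HKCU, the check must run in the user's context, not from an elevated prompt under a different account.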


Produced by: Government Technology is about solving problems in state and local government through the smart use of technology. Government Technology is a division of e.Republic, the nation’s only media and research company focused exclusively on state and local government and education.

www.govtech.com

Supported by: Palo Alto Networks is the next-generation security company, leading a new era in cybersecurity by safely enabling applications and preventing cyber breaches for government agencies and educational institutions worldwide. Built with an innovative approach and highly differentiated cyber-threat prevention capabilities, our game-changing security platform delivers security far superior to legacy or point products, safely enables everyday operations, and protects an organization’s most valuable assets.

Find out more at www.paloaltonetworks.com.

IMAGES PROVIDED BY: SHUTTERSTOCK.COM © 2018 e.Republic. All rights reserved.