The growing number of attacks could threaten your cloud deployments. An approach of 'find, respond, and recover' can better protect your systems.

Ransomware is making the news more and more, and I suspect this will continue to happen for the next few years at least. Attackers mostly exploit neglect and a lack of expertise, and it’s a sure bet that their sights will turn to the cloud in time.

One of the reasons we’re not seeing more attacks within public clouds is that they are well maintained and updated and have much better security than their on-premises counterparts. However, as most security experts will tell you, nothing is 100% secure, and cloud security still has some evolving to do before it’s close to optimized.

But we can’t wait for cloud security to become perfect. The quest today is to find the best practices to prevent ransomware and other attacks on cloud-based systems. It comes down to find, respond, and recover.

Find. Security monitoring is the best defense against ransomware. This includes detecting attack attempts as well as monitoring other ways ransomware can get into your cloud-based systems, such as phishing emails.

Finding should be proactive. Leverage your cloud provider’s native security systems not only to set up defenses, but also to actively monitor all systems by looking for things such as failed log-in attempts, CPU and I/O saturation, and even suspicious behavior by authorized users. Once a threat is detected, respond.

Respond. The response should be automated. If you’re sending texts or emails to security admins, it’s likely too late. Automated systems can lock out certain suspect IP addresses and automatically kill processes that are behaving suspiciously. Other actions could include forcing password changes on accounts, based on monitored activity, to prevent cloud account takeover, and even initiating backups in case the attack is successful, so that you are prepared to move quickly to recovery.
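The find-and-respond loop described above, sketched as an added example that is not part of the original article: it replays sign-in events, counts failed log-ins per source IP in a sliding window, and emits the automated actions the text names (IP lockout, forced password change). The log format, the threshold and window values, and the action names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in events: timestamp, source IP, account, result.
# Hypothetical format; a real provider's audit log must be mapped onto it.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 203.0.113.7 alice FAIL
2024-05-01T10:00:20 203.0.113.7 alice FAIL
2024-05-01T10:00:40 203.0.113.7 bob FAIL
2024-05-01T10:01:00 203.0.113.7 bob FAIL
2024-05-01T10:01:10 198.51.100.4 carol FAIL
2024-05-01T10:01:20 203.0.113.7 bob FAIL
2024-05-01T10:01:30 198.51.100.4 carol OK
2024-05-01T10:02:00 203.0.113.7 bob OK
2024-05-01T10:30:00 198.51.100.4 carol FAIL
"""

WINDOW = timedelta(minutes=5)  # assumed look-back window
THRESHOLD = 5                  # assumed failed sign-ins per IP inside WINDOW


def plan_responses(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return ordered (action, target) pairs for the automation to execute."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged, reset, actions = set(), set(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of stopping the monitor
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        _, ip, user, result = parts
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                actions.append(("block_ip", ip))
        elif result == "OK" and ip in flagged and user not in reset:
            # A sign-in succeeded from a flagged address: treat the
            # credential as exposed and force a password change.
            reset.add(user)
            actions.append(("force_password_reset", user))
    return actions
```

Calling plan_responses(SAMPLE_EVENTS) returns the action list in the order the events trigger it; a single mistyped password followed by a success, as in the carol lines, produces no action.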
There is a human element to responding, including activating a well-trained response team to follow a set of preplanned processes. This should include communicating with others interacting with the cloud-based systems, such as customers and suppliers, as to their risks and courses of action.

Recover. Ransomware is so dangerous because there is no way to recover to a former state; this is why victims pay ransoms. You need to have some way to recover to a former state, including all data and processes needed to support the business. Some businesses may be okay with losing an hour or so of data. Others need an active/active approach where there is no data loss and the end users may not even know that the switch to backed-up data occurred.

Again, automated backup and recovery systems, either native or third party, are the best way to go here. They need to be part of the automated response processes and kept in separate security domains so they are not compromised at the same time as the primary systems.

This is simpler to explain than to deploy. However, as more enterprises move to the cloud, the ransomware attacks will follow. Setting up security systems and processes slows down migration and is a huge cost and hassle, but using the public clouds means taking your security game to the next level. Nobody wants to be a victim.