With the steady stream of recent ransomware headlines from Colonial Pipeline to the Irish Health Service, it is clear that attempts to stem the wave of successful attacks are not working. The worry of waking up to a ransom message is what keeps many IT security managers and their bosses awake at night. For cybercriminals, ransomware is a low-risk, high reward activity, with a virtually unlimited supply of potential victims.
To make matters worse, the arrival of Ransomware-as-a-Service (RaaS) only serves to increases the scale and volume of attacks. RaaS greatly lowers the bar of criminal actors who can launch a ransomware attack, since the RaaS seller has already done the hard work of technically creating and designing the ransomware.
The traditional approach to preventing ransomware – or any cyber attack – is to try to stop the malicious threat actors getting in, using multiple layers of defence. But history tells us that it’s impossible to stop every determined and skilled hacker, particularly when humans are involved. Most ransomware starts with a phish, and you can do all the cyber training for staff that’s available, but there is still always the possibility, no, the probability that some employee, one day, will click on a malicious link to launch an attack.
So, it’s time to think differently and play the cybercriminals at their own game. We must rethink the traditional ‘castle and moat’ methods of protection and adopt a data-centric approach, where security is built into data itself. If all data is encrypted before a ransomware attack takes place, it is useless to the cybercriminal. They can’t decrypt the data and they can’t demand a ransom for data that is already encrypted.
But this strategy only works if all data is encrypted – not only are rest but also in transit and in use, on site, on a remote device or in the cloud.
Full disk encryption will protect data when it is at rest on a powered-off hard disk or USB stick, which is great if you lose your laptop but is of absolutely no use in protecting data against unauthorised access or theft from a running system.
Then there’s the data security silo, where sensitive information stored in specific locations is all encrypted. The problem here is that staff need to run reports, analyse data, make presentations, work on proposals, all extracting data from applications and data silos. And though the situation may gradually change, currently, most organisations deploy endpoints with local storage, where extracted, sensitive data is often saved. What is needed is universal file-level encryption where security and authentication is built right into each file for all data, all of the time.
A universal approach
Difficult? Scary? Hard to manage? Traditionally, encryption has been considered complex and costly to deploy, and detrimental to performance and productivity. That’s why another accepted norm when it comes to encryption is to simply encrypt only the ‘most important’ or ‘sensitive’ data.
But deciding what is important and sensitive and discovering where it is stored is no easy task. In a 2020 Ponemon report, 67% of respondents say discovering where sensitive data resides in the organisation is the number one challenge in planning and executing a data encryption strategy. And while data classification technology is often used to identify ‘important’ or ‘sensitive’ data, the report found that 31% cited classifying which data to encrypt as difficult.
Using data classification to drive security and encryption policy is highly problematic. If the classification is automated, then a proportion of data will be misclassified. But enabling user choice in setting classification leads to employees making decisions based upon what makes their life easier rather than on appropriate security measures. And any rules-based classification requires constant monitoring and maintenance as the business and the world around us evolve.
It is easy to argue that all data is sensitive. Cybercriminals increasingly patch together seemingly random pieces of data to create sophisticated phishing attacks or to construct digital profiles to use for identity theft. The common approach of high security only for the most important data is flawed simply because people are involved. If there were no disadvantages to implementing the highest levels of security for all data, why wouldn’t you do this?
Data encryption has been with us for decades, and modern encryption technology is available, delivering strong and persistent encryption which can be implemented without impacting users, applications, or business processes. It’s tried and trusted technology and should be used to protect all data – not just that which is classified as the most important. This way, classification can be used for what it’s good at, leaving data encryption to ensure that stolen information remains protected and useless to the thief.
By actively choosing to encrypt all data – whether it is stored, in transit, or in use – we are finally designing security into the only thing which has value – the data itself. In effect it’s reverse ransomware – criminals no longer have the ability to threaten an organisation by shutting down systems or publishing data, so the ransom leverage is null and void.
Contributed by Nigel Thorpe, technical director at SecureAge Technologies