勒索软件
5 steps to bootstrap your organization’s cyber defenses without security expertise
无需安全专业知识即可引导组织的网络防御的5个步骤
Tune out news reports that blame victims for improperly defending against ransomware. They are based on the fallacy that sound security is accessible.
调出新闻报道,谴责受害者对防御勒索软件的不当防御。 它们基于可访问声音安全性的谬论。
The cybersecurity community too often treats ransomware incidents through a flawed lens of idealism when blaming organizations for poor cyber defenses. For leaders in most organizations, cybersecurity is overwhelming because they simply lack the expertise, time, or resources to filter through the noise. My 20+ years of experience indicates that our perspective on the problem is critically limited because security professionals generally only work with well-resourced enterprises that can afford our services. Most organizations do not fit that profile, meaning that even the most basic technical expertise is largely out of reach.
当指责组织提供不良的网络防御能力时,网络安全社区经常通过有缺陷的理想主义视角来处理勒索软件事件。 对于大多数组织的领导者来说,网络安全是压倒性的,因为他们只是缺乏过滤噪声的专业知识,时间或资源。 我20多年的经验表明,我们对这个问题的看法受到严格限制,因为安全专业人员通常只与能够提供我们服务的资源丰富的企业合作。 大多数组织都不适合这种情况,这意味着即使是最基本的技术专业知识也基本无法达到。
Consider that, according to the JP Morgan Chase Institute, 88% of US businesses in 2013 had less than 20 employees, with nearly 60% of those recording annual revenues of less than $100K. Compare those statistics against reports about a 2019 Robert Half survey that found CIOs of mid-size businesses were seeking an ideal technical support employee to end-users ratio of 1:64. Furthermore, a December 2019 Salary.com report estimated that the average salary for a security administrator in the US is $71K.
请考虑一下,根据JP Morgan Chase Institute的数据 ,2013年美国88%的企业员工人数不到20人,其中近60%的企业年收入不到10万美元。 将这些统计数据与有关2019年Robert Half调查的报告进行比较,该报告发现中型企业的CIO正在寻求理想的技术支持员工与最终用户的比例为1:64。 此外,2019年12月Salary.com的一份报告估计,美国安全管理员的平均工资为7.1万美元。
In short, a vast majority of US businesses have less than one technical support employee with little-to-no security expertise.
简而言之,绝大多数美国企业的技术支持员工不到一名,几乎没有安全专门知识。
Rather than be overwhelmed by the cost and experience needed to follow most expert recommendations, take a do-it-yourself approach to improve your cyber defenses at a pace that your organization can support. In five steps, you can help your team build competency in the areas most important to your organization and more efficiently apply your limited resources against the areas where you most need help. Your risk level will still be high, but a little progress can go a long way to building resilience against ransomware attacks.
采取自己动手的方法来以组织可以支持的速度改善网络防御,而不是因遵循大多数专家建议所需的成本和经验而感到不知所措。 通过五个步骤,您可以帮助您的团队在对组织最重要的领域中建立能力,并更有效地将有限的资源用于您最需要帮助的领域。 您的风险级别仍然很高,但是在建立抵御勒索软件攻击的抵御能力方面,取得一点进展可能会大有帮助。
步骤1:与核心团队互动 (Step 1: Engage Your Core Team)
Most security professionals would rightly suggest conducting a comprehensive inventory of the organization’s systems and services as part of a routine Business Impact Analysis. I have found that conducting such an all-encompassing assessment action from the start is counter-productive in small organizations with limited security expertise because it tends to promote adversity and prohibits rapid improvement. Instead, I suggest that resource-constrained organizations be more agile and approach ransomware defense in a collaborative, incremental process that emphasizes rapidly achievable goals.
大多数安全专业人员会正确建议对组织的系统和服务进行全面的清点,作为常规业务影响分析的一部分。 我发现,从一开始就进行这种无所不包的评估行动在安全专业知识有限的小型组织中适得其反,因为这往往会促进逆境并阻碍快速改进。 相反,我建议资源受限的组织应更加敏捷,并在协作的,渐进的过程中采用勒索软件防御,强调快速实现的目标。
Drawn from a leading cybersecurity practice in large enterprises, the best way to begin enhancing your ransomware defenses is to conduct a simple discussion exercise to determine what services your organization most depends on and prioritizing early actions against those most critical needs.
从大型企业的领先网络安全实践中汲取经验,开始增强勒索软件防御的最佳方法是进行一次简单的讨论,以确定您的组织最依赖的服务,并针对这些最关键的需求确定优先措施。
To get started, the business or mission lead should identify the 3–5 people that are most critical to service continuity. Start by asking, “Who is the first person to call if the organization were suffering a cyber attack?” Regardless of role or position on the organization chart, there is usually a small number of staff members who everyone trusts to fix problems. They probably know the most about how the organization’s capabilities work and the dependencies for maintaining proper function, making them central to any defensive action. After that, schedule a few hours to meet.
首先,业务或任务负责人应确定对服务连续性最关键的3-5个人。 首先问: “如果组织遭受网络攻击 , 谁是第一个打电话给谁?” 不管组织结构图中的角色或职位如何,通常只有少数每个人都信任的员工可以解决问题。 他们可能最了解组织的功能是如何工作的以及维护适当功能的依赖性,从而使它们成为防御措施的核心。 之后,安排几个小时见面。
步骤2:优先处理关键服务 (Step 2: Prioritize Critical Services)
Prioritization is not easy, especially as the lead will have to negotiate with business and system owners who can all present reasons for their systems being the highest priority. Under ideal conditions, I would suggest hiring an expert cybersecurity facilitator to conduct the meeting, capture results, and report out. Doing so provides independent support for difficult decisions. But, when resources are tight, the lead can use this simple structure to guide the discussion:
确定优先级并非易事,特别是因为领导者必须与业务和系统所有者进行谈判,而业务所有者和系统所有者都可以提出将其系统置于最高优先级的理由。 在理想条件下,我建议您聘请专业的网络安全服务人员来主持会议,获取结果并进行报告。 这样做为困难的决策提供了独立的支持。 但是,当资源紧张时,领导者可以使用这种简单的结构来指导讨论:
- Agree on the top three criteria for service criticality (e.g. financial impact, necessary timeliness of service delivery, # of users). 同意服务重要性的前三个标准(例如,财务影响,服务交付的必要及时性,用户数量)。
- Have each team member identify what they believe are their most critical services. I find it helpful to start with an exercise where each member writes the service on a sticky note and puts it up on a wall. 让每个团队成员确定他们认为最关键的服务。 我发现从练习开始是有帮助的,在练习中,每个成员将服务写在便笺上并放在墙上。
- Prioritize services based on the agreed on criteria. To prevent verbal arguments right off the bat, I like to use a technique where each participant is given some number of “priority points” to distribute amongst the identified services (one point for each criterion). Either restrict them from assigning points to the services they self-identified, or give them an extra set of points to distribute outside of self-identified services. The participants then go to the sticky notes and distribute points across the identified services. After completing that exercise, the lead tallies the results and ranks the services by number of points. 根据商定的标准对服务进行优先级排序。 为了避免立即进行口头辩论,我喜欢使用一种技术,即为每个参与者分配一定数量的“优先点”,以在确定的服务之间分配(每个标准一个点)。 要么限制他们将点分配给他们自己识别的服务,要么给他们额外的点集以分发到他们自己识别的服务之外。 参与者然后转到便笺并在所标识的服务之间分配积分。 完成该练习后,销售线索会记录结果并按分数对服务进行排名。
- Determine who in the room has system responsibility for each critical service, starting with the top priority. If no one has direct responsibility, assign a representative to follow-up with the appropriate service owner. 从最高优先级开始,确定会议室中谁负责每项关键服务。 如果没有人直接负责,请指派一名代表跟进适当的服务负责人。
The lead should then capture the prioritization and system responsibility to establish an initial cyber defense improvement plan.
然后,主管应掌握优先级和系统责任,以建立初始的网络防御改进计划。
步骤3:文件系统详细资料 (Step 3: Document System Details)
It’s helpful to take a little bit of time to capture some key information about the technology systems and business processes that support the highest priority services. That way, the team doesn’t need to repeat the activity when accounting for inevitable change over time. It shouldn’t be onerous or time-consuming to capture important initial details, but I recommend establishing a simple standard format that will promote consistency and reduce potential future confusion. For ransomware defense, I suggest that the minimum information that system owners should capture includes:
花一点时间捕获有关支持最高优先级服务的技术系统和业务流程的一些关键信息将很有帮助。 这样,当考虑到一段时间内不可避免的变化时,团队就无需重复活动。 捕获重要的初始细节不应繁重或耗时,但我建议建立一种简单的标准格式,以促进一致性并减少将来可能出现的混乱。 对于勒索软件防御,我建议系统所有者应捕获的最少信息包括:
System Name: The commonly understood name for the system.
系统名称 : 系统的常用名称。
System Owner: Name of the person within the organization responsible for the system’s function. This may be different than the service owner determined in Step 2.
系统所有者 :组织内负责系统功能的人员名称。 这可能与步骤2中确定的服务所有者有所不同。
System Priority: A rating of how critical the system is for supported services. This can inherit the rating of the highest priority service associated with the system or a rating based on downtime tolerance for the system (minutes, hours, days).
系统优先级 :评估系统对于支持的服务的关键程度。 这可以继承与系统关联的最高优先级服务的等级,也可以继承基于系统的停机时间(分钟,小时,天)的等级。
Services Supported: A list of the services that rely on the system to function.
支持的服务:依赖系统运行的服务列表。
Data Storage Location: Identifies where the system data is stored.
数据存储位置 :标识系统数据的存储位置。
Data Storage Owner: Identifies who is responsible for ensuring that the system data is available for use by the system.
数据存储所有者 :标识谁负责确保系统数据可供系统使用。
Data Backup Location: Identifies where the system data is backed up to.
数据备份位置 :标识系统数据的备份位置 。
Data Backup Frequency: Describes how often the system data is backed up.
数据备份频率 :描述系统数据备份的频率 。
I have found a variety of templates available online that the team can use to capture the information. From the nice Business Impact Analysis Template for the National Institute of Standards and Technology (NIST) Special Publication 800–34 (SP 800–34), I suggest focusing on Section 3.1 — Determine Process and System Criticality and Section 3.2 — Identify Resource Requirements. Another good template was produced by the state of Oregon, with Section 2 — Key Business Processes and Section 5 — Business unit Inter-dependencies being my suggested starting points.
我发现在线上提供了各种模板,团队可以使用这些模板来捕获信息。 从美国国家标准技术研究院(NIST)特殊出版物800-34( SP 800-34 )的出色业务影响分析模板中,我建议重点关注第3.1节“确定流程和系统的关键性”和第3.2节“确定资源需求”。 俄勒冈州还制作了另一个好的模板 ,第2节“关键业务流程”和第5节“业务部门相互依存”是我建议的出发点。
步骤4:备份系统和数据 (Step 4: Backup Systems and Data)
I recently argued that effective ransomware defense for most organizations begins and ends with backups. Unfortunately, this step is where things get technical, the point where most non-technical folks begin to get overwhelmed. So, I encourage the leads to take a deep breath and remember that the initial objective is not perfection, but rather improvement. Even small incremental changes to system backup processes will pay dividends should an attack occur.
我最近争论说, 对大多数组织来说 , 有效的勒索软件防御始于备份 。 不幸的是,这一步使事情变得技术化,这是大多数非技术人员开始不知所措的地方。 因此,我鼓励潜在客户深呼吸,并记住最初的目标不是完美,而是改善。 如果发生攻击,即使对系统备份过程进行很小的增量更改也将带来好处。
There are two primary scenarios for backing up system data assets that support the high priority services:
备份支持高优先级服务的系统数据资产有两种主要方案:
System Data is Managed Within the Organization. When the system is managed from within the organization, it becomes easier to ensure that the system data is backed up regularly. Ideally, the system owner would backup the data frequently, but the first step is to figure out how to backup the system data. Most cybersecurity professionals would rightly recommend that an offline backup to an external hard drive is the best way to be sure that the organization can recover the system from a ransomware attack. For those organizations that may not have the resources readily available to procure the necessary hardware, I argue that a cloud-based backup represents a good start. In either case, the Global Cyber Alliance includes pointers for activating basic system backups.
系统数据在组织内部进行管理 。 当从组织内部管理系统时,确保定期备份系统数据变得更加容易。 理想情况下,系统所有者会经常备份数据,但是第一步是弄清楚如何备份系统数据。 大多数网络安全专家会正确地建议将脱机备份到外部硬盘驱动器是确保组织可以从勒索软件攻击中恢复系统的最佳方法。 对于那些可能没有足够的资源来购买必要的硬件的组织,我认为基于云的备份是一个好的开始。 无论哪种情况, 全球网络联盟都包含用于激活基本系统备份的指针。
System Data is Managed Outside of the Organization. When the system data is hosted in a cloud repository for an internally-managed web application or the system is managed by an external service provider, the organization will likely be more restricted by how it can back up the data. For cloud-hosted repositories, the data is probably much more difficult to lose in a ransomware attack and downloading it could be costly. My suggestion is to leave it be initially and focus on other systems that are more susceptible to ransomware damage. For a system managed by an external service provider, while backups should be the responsibility of the provider, the internal system owner should have a regular discussion with the provider about how the system data is backed up. The MassCyberCenter made available a nice questionnaire that can help start a constructive conversation with service providers (Disclaimer: The questionnaire was developed under a state municipal security initiative that I support). I have posted the questions at the end of this post.
系统数据在组织外部进行管理 。 当系统数据托管在内部管理的Web应用程序的云存储库中或系统由外部服务提供商管理时,组织将很可能受到备份数据的方式的限制。 对于云托管的存储库,在勒索软件攻击中丢失数据可能要困难得多,并且下载数据的成本可能很高。 我的建议是将其保留为一开始,而专注于其他更容易受到勒索软件破坏的系统。 对于由外部服务提供商管理的系统,虽然备份应由提供商负责,但内部系统所有者应与提供商定期讨论如何备份系统数据。 MassCyberCenter提供了一个不错的调查表 ,可以帮助与服务提供商展开建设性对话(免责声明:该调查表是在我支持的州市政安全计划下开发的)。 我已经在帖子末尾发布了问题。
步骤5:提升勒索软件防御基准 (Step 5: Elevate Your Ransomware Defense Baseline)
The lead should establish a shared repository for maintaining system documentation and prioritization so that the whole team can easily access and update the status of system backups. Then, the team should establish a regular check-in protocol to help maintain momentum and steadily improve your organization’s ransomware defenses, repeating these steps to work down the service priority list and confirm that all of the system data that is necessary to recover service integrity in the event of a ransomware attack is backed up. This cycle will also enable the group to more quickly identify when system data backup needs change.
主管应建立一个共享存储库,以维护系统文档和优先级,以便整个团队可以轻松访问和更新系统备份的状态。 然后,团队应建立常规的签入协议,以帮助保持势头并稳步改善组织的勒索软件防御,重复这些步骤来确定服务优先级列表,并确认恢复服务完整性所需的所有系统数据。备份勒索软件攻击的事件。 该周期还将使该小组能够更快地确定何时需要更改系统数据备份。
As the team gets more practiced, the lead can then use this cycle to enhance defenses in other areas, steadily building competency and confidence in the organization’s ability to respond to and recover from cyber attacks.
随着团队的实践能力的增强,领导者可以利用这一周期来增强其他领域的防御能力,从而逐渐增强对组织响应网络攻击和从网络攻击中恢复能力的能力和信心。
有关服务提供商备份的问题 (Questions About Backups for Service Providers)
Can you help us implement an effective backup strategy that meets the standards/requirements outlined below, including:
您能否帮助我们实施有效的备份策略,以满足以下概述的标准/要求:
- A clear definition of what is being backed up and where it is being stored 明确定义要备份的内容以及存储的位置
- Appropriate backup retention span and frequency 适当的备份保留期限和频率
- Annual testing of successful restore 年度测试成功还原
- Physical and virtual access to online backups are restricted to authorized personnel only 对在线备份的物理和虚拟访问仅限于授权人员
- Backups are air-gapped and ransomware resistant 备份无漏洞且可抵抗勒索软件
- Awareness of any Personally Identifiable Information (PII) 意识到任何个人身份信息(PII)
- Use of backup encryption where applicable 在适当情况下使用备份加密
- Backups include not only data but any relevant images, policies etc. 备份不仅包括数据,还包括任何相关的映像,策略等。
- Documentation of the backup and restore strategy 备份和还原策略的文档
Can you help us understand, document, and implement appropriate access/permissions to the data and systems of our organization?
您能否帮助我们理解,记录和实施对组织数据和系统的适当访问/权限?
- Have we minimized the number of employees who have administrative rights to machines? 我们是否已将拥有机器管理权限的员工人数减至最少?
- Do we limit access to files, folders and applications only to those for whom it is necessary for their job? 我们是否仅将文件,文件夹和应用程序的访问权限限制为需要工作的人员?
- Is there a protocol for removing outdated accounts, especially those with administrative privileges? 是否有用于删除过期帐户(尤其是具有管理特权的帐户)的协议?
- Have we changed default passwords, especially for accounts with administrative rights? 我们是否更改了默认密码,特别是对于具有管理权限的帐户?
- Do we have documentation of our access controls? 我们有访问控制的文档吗?
Looking for someone to help empower your team bootstrap cyber defense without judgement? Contact me on LinkedIn or Twitter.
是否正在寻找可以帮助您的团队增强网络防御能力而无需做出判断的人? 在 LinkedIn 或 Twitter上 与我联系 。
翻译自: https://medium.com/swlh/operationalize-your-team-for-continuous-ransomware-defense-98c270c85cd6
勒索软件
2762
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
