Ransomware
Tasveer Gola

Author: Elise Cocks
IT Asset and License Management – Director; Freddie Mac

What is Ransomware?

The FBI describes Ransomware as a type of malicious software, or malware, that prevents users from accessing their computer files, systems, or networks and demands a ransom for their return. Ransomware attacks can cause costly disruptions to operations and the loss of critical information and data.

Common attack vectors include:

  • Email campaigns known as “phishing” where a malicious file or link embedded in an email deploys malware when clicked.
  • Remote Desktop Protocol (RDP) vulnerabilities: cyber criminals obtain user credentials to access company systems and deploy malware internally.
  • Software vulnerabilities: cyber criminals leverage weaknesses in common software to gain access to internal systems to deploy malware internally.


Ransomware has impacted many companies. Newsworthy headlines show that large companies, small companies, and government entities have all fallen prey. During 2021, Ransomware impacted Accenture, CompuCom, Kia Motors, the National Basketball Association (NBA), the University of Miami, and many local and national U.S.A. government agencies.

How can Ransomware affect your company?

If affected, your company is at risk of temporary or total data loss, leaving it unable to communicate internally, provide its services, or conduct business. Cyber criminals also threaten to release data to the public, which can cause reputational damage or loss of intellectual property.

What can be done to lower the risk of Ransomware?

To minimize the risk of Ransomware, teams across IT, Information Security, Data Governance and Enterprise Crisis Operations should join together to align on the following best practices:

  • Backup data, systems, and configurations
  • Enable multi-factor authentication to applications and systems
  • Keep applications and systems updated and patched
  • Maintain an up-to-date information security solution, including vulnerability detection and management, penetration testing, and staff training of information security best practices
  • Maintain an incident response and business continuity plan that’s actively exercised

How can IT Asset Management play a role in a Ransomware response?

Chances are, your company has an overarching incident response plan and business continuity plan in place. But how can ITAM contribute to responding to a Ransomware attack?

ITAM practitioners have data at their fingertips, so they can quickly support incident response efforts and identify the scope of a potential attack. ITAM teams are uniquely poised to ensure that end users can gain access to functioning endpoints in the event of a Ransomware attack that renders endpoints unusable. They can do this in a way that minimizes risk through proper asset tracking and maximizes cost efficiency by leveraging the right assets. ITAM also knows which users have which software or files installed and who has access to download licenses and software packages, and can coordinate blocking access to infected files.

A recommendation for how many computers to have on hand specifically for a Ransomware event is 10% of your end-user population. This gives you a head start to build computers for replacement and receive enough back from those you replaced.

Furthermore, if you’re managing your imaging and inventory with a third party, work out a plan that covers how much reserve stock you need, the SLAs to migrate an affected user base if the worst-case scenario is that all end users in your company need to be migrated, and how to manage shipping to remote vs onsite users.

Based on the number of impacted endpoints, the amount of stock you have on hand to replace them, and the rate at which you can replace those endpoints, make sure you have a formula for how quickly ITAM can contribute to the Ransomware response plan.
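
One way to express such a formula is a small day-by-day model, shown here as an added example that is not part of the original article. The deployment rate, reimage turnaround, and share of returned endpoints that can be reused are assumed inputs to replace with your own figures.

```python
from collections import deque

def days_to_restore(impacted, reserve_stock, deploy_per_day, reimage_days,
                    reusable_pct=100):
    """Days until every impacted user has a working endpoint.

    Returns None if stock runs out while users are still waiting.
    All parameters are assumptions of this example, not article figures.
    """
    stock, remaining, day, credit = reserve_stock, impacted, 0, 0
    pipeline = deque()  # (day the batch is back in stock, device count)
    while remaining > 0:
        day += 1
        # Returned endpoints that finished wipe/reimage rejoin the stock.
        while pipeline and pipeline[0][0] <= day:
            stock += pipeline.popleft()[1]
        issued = min(stock, deploy_per_day, remaining)
        if issued == 0 and not pipeline:
            return None  # nothing on the shelf and nothing coming back
        stock -= issued
        remaining -= issued
        # Each replacement frees an affected endpoint; only reusable_pct
        # percent of those are assumed fit to be wiped and redeployed.
        credit += issued * reusable_pct
        returned, credit = divmod(credit, 100)
        if returned:
            pipeline.append((day + reimage_days, returned))
    return day

def min_reserve_for_target(impacted, target_days, deploy_per_day,
                           reimage_days, reusable_pct=100):
    """Smallest reserve stock that restores everyone within target_days."""
    for reserve in range(impacted + 1):
        days = days_to_restore(impacted, reserve, deploy_per_day,
                               reimage_days, reusable_pct)
        if days is not None and days <= target_days:
            return reserve
    return None

if __name__ == "__main__":
    users = 1000                      # constructed sample population
    reserve = users * 10 // 100       # the 10% reserve recommended above
    for turnaround in (2, 5):
        print(turnaround, "day reimage:",
              days_to_restore(users, reserve, 50, turnaround), "days")
    print("reserve for 20-day target:",
          min_reserve_for_target(users, 20, 50, 5))
```

With these sample inputs, a two-day reimage turnaround leaves recovery limited by the deployment rate, while a five-day turnaround makes the reserve stock the bottleneck.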

What improvements can ITAM adopt to automate or otherwise speed up the process?

The less you depend on your physical onsite network, the less you depend on physically replacing endpoints. The ability to conduct a remote wipe and remote reimage could eliminate the need for physical replacements. This creates a self-service, in-place solution.

Other solutions that eliminate reliance on the corporate physical endpoint are Virtual Desktop Infrastructure or a Desktop as a Service solution, in which end users can securely access virtual desktops from any computer they have at home.

In conclusion

IT Asset Management should play an important role in any company’s incident response and Ransomware Response plan. In any case, a well-versed ITAM practitioner should look for ways to contribute to a response. You should also anticipate the scenarios in which Ransomware can present itself. Knowing your partner teams in software distribution, Information Security, end-user group policies, and the technology and security stack is helpful in efforts to predict likely attack vectors and find ways to respond to and protect against the threat.
