Ransomware is becoming more costly, and the sophistication of attacks is only getting worse. Here are some helpful tips to not only prevent attacks, but to minimize the damage in case of a breach.
From my own perspective, leading attacks such as WannaCry and CryptoLocker have provided a wake-up call in the past year, showing an ability to bring down data systems on an international scale. Even major threats are dwarfed by the sheer number of lesser-known releases, which can now be purchased on the dark web and implemented at will with little or no technical expertise.
Fortunately, there are many simple practices to help you protect against ransomware, augmented by leading-edge technologies such as cloud-based, automated storage; backup/recovery tools; and advanced firmware protection measures such as Silicon Root of Trust (SRT). But before finding a solution, you must first understand the problem.
Outlining the ransomware threat
No one is immune from ransomware attacks. As enterprise infrastructure continues to permeate the cloud and push all the way to the IoT edge, critical data routinely flows beyond the traditional data center firewall into uncharted waters. And even if service providers build iron-clad security guarantees into their service-level agreements, the sheer number of hand-offs from one platform to another introduces gaps in the security framework that can be exploited by increasingly sophisticated, sometimes even state-sponsored, hacking organizations.
While much of today's malicious code is targeted at key victims, a significant portion operates randomly; load a particular web page or click on a link that appears to be genuine and you become infected.
While it may be tempting to simply knuckle under the pressure and pay the ransom, this by no means guarantees the return of your data. In fact, about 20 percent of businesses that give in to hackers' demands do not get their data back. And while it is difficult to be sure how effectively a given hacker organization tracks its success rate or shares that data online, common sense suggests that, if you routinely pay up, you will become victimized at a higher rate than those who stand firm.
The damage of a potential attack should also be considered, and can be weighed in many different ways. But in general it comes down to three key interrelated factors:
- The immediate financial cost of paying the ransom (which in some cases can amount to millions of dollars) or the subsequent cost of not paying
- IT disruption, which not only puts critical data, including customer records, at risk, but can impact everything from internal and external communications and supply chain processes to financial systems and key customer support capabilities
- A tarnishing of your corporate brand. A business can only succeed if it can maintain the trust of its customers, and nothing erodes that trust faster than the fear of being victimized simply by buying a product or using a website
Clearly, the time to take action against ransomware is now. But what, exactly, should you do to protect yourself?
Protecting data through avoidance
As mentioned above, the distributed nature of modern infrastructure makes it all but impossible to build a "Fortress Enterprise" within your corporate firewalls. In fact, this approach is already providing inadequate protection for data that is closely guarded within your local data centers. Breaches have become too sophisticated, and reliance on security strategies aimed simply at keeping the bad guys out merely exposes data to unencumbered malfeasance once the firewall has been breached.
Instead, the modern approach is to avoid contamination as much as possible by implementing a wide range of preemptive measures to identity and hopefully neutralize bad code.
We can accomplish this in many ways, starting with training our knowledge workers to spot and report the numerous phishing scams that are most commonly used to install ransomware on shared data infrastructure. These can range from fake emails and texts that contain links with malicious code to sudden pop-ups pretending to be routine updates to corporate software, or even actual updates that have been compromised without a vendor's knowledge.
At the same time, we should clearly explain to employees the proper procedures to follow in the event of an attack. Sometimes, rapid action at the outset can prevent malware from reaching shared resources. But when it can't, proper lines of communication are critical, which means we must establish them long before the ransomware attack has begun.
Other forms of avoidance we can implement include regular updates and patches to software, since many of these changes are aimed specifically at preventing constantly evolving security threats; and conducting regular threat analyses and penetration tests to identify weak spots in both data infrastructure and operations. Let me note that the purpose of these tests is not to "pass," which only engenders a false sense of security, but to identify failures so they can be corrected.
Mitigating the effects of an attack
By accepting the fact that no preventative security measure is foolproof, we can then embrace the next aspect of data protection: mitigation. As long as breaches are inevitable, we might as well make it as difficult as possible for hackers to derive any real benefit from their efforts.
There are many ways we can do this, of course, but the leading measure is to institute a reliable and robust means of data restoration. Perhaps the most trusted approach is the 3-2-1 method: storing three copies of all data on two different types of media, on at least one offsite facility. This makes it extremely difficult for the ransomware attack to cut you off from your data for a significant amount of time, while also ensuring that recovery objectives can be met quickly and without a significant amount of management overhead.
A key aspect of this solution is to transform backup into a dynamic, continuous, and largely automated operation rather than a burden carried out only once in a while. You should conduct data transfers to backup sites on a daily basis at minimum, and implement regular testing of both recovery systems and processes on a routine operational basis. At the same time, you should also establish a working backup and recovery hierarchy within your knowledge workforce, with responsibilities and clear lines of communication drawn up ahead of time. The last thing you need in the event of a major data compromise is for your team to start playing the blame game when you should be focused on getting data and systems back online as quickly as possible.
It should be noted, however, that simple snapshots and replication measures are not enough. While these tools are adequate for normal file loss or corruption, and even platform failure and power outage, a full ransomware attack can only be mitigated properly through full disk backup and tape/cloud archiving to secondary storage infrastructure. Most ransomware is sophisticated enough to take down primary storage where snapshot and replication solutions reside, but it would take an incredibly sophisticated attack to infiltrate multiple storage environments on a geographically distributed footprint.
Boosting server infrastructure security
Clearly, protecting against today's ransomware cannot be done effectively with piecemeal solutions. What you need is an integrated platform that meets many key requirements, including:
- The ability to prevent ransomware from penetrating systems in the first place
- The ability to meet stringent recovery point and recovery time objectives
- Simplified administration and management
- Optional cloud backup
- Integration with legacy security and data protection platforms
HPE's approach to fulfilling these mandates can be seen throughout our data protection portfolio, in solutions such as the HPE StoreOnce platform , HPE Recovery Manager Central (RMC), and HPE Cloud Bank Storage. The StoreOnce Catalyst data protection protocol acts as a shield against outside penetration, effectively isolating data from traditional lines of communication and command sets that are typically leveraged by attackers. Even in the event of a physical-layer assault, the StoreOnce Catalyst data store is hidden behind the very API that also simplifies and enhances the backup and duplication process. At the same time, StoreOnce Catalyst integrates with existing backup and recovery software, as well as native database protection tools.
Meanwhile, high-speed, flash-enabled applications benefit from the flash storage integrated backup capabilities of HPE RMC, which uses StoreOnce as its backup target for mission-critical data. The software uses multiple block-based streams for reliable backup only when data values have changed. This provides for rapid, continuous replication while at the same time enabling quick restoration to meet even the most aggressive recovery requirements. HPE RMC also integrates with the HPE 3PAR StorServe Storage Management Console (SSMC), to allow data protection policies to be established and maintained under a common interface.
Connecting all of this to HPE Cloud Bank Storage allows you to securely move data across public, private, and hybrid clouds for long-term retention and reliability. The platform delivers high scale at an extremely low cost, with upward of 100 PB of storage available for a fraction of a penny per month. HPE StoreOnce also delivers investment protection and helps eliminate lock-in with the choice of a physical or software-defined deployment, flexible as-a-service consumption, and broad and deep integration across a rich ecosystem of market-leading ISV partners.
Adding Silicon Root of Trust to your arsenal
One of your best allies in the war against ransomware is a new hardware-validated boot process from HPE called Silicon Root of Trust (SRT). With this approach, your IT systems can only be started using code from a secure source that cannot be updated or modified in any way. When that code is combined with a cryptographically secure signature, hackers have no easily accessible gaps to exploit, and the entire server state remains secure as the initial "root of trust" element proceeds to test all remaining elements in the chain.
HPE has implemented SRT under its Integrated Lights Out (iLO) firmware solution, which embeds an immutable fingerprint on the processor layer to ensure that all firmware code is valid and not compromised. During normal operations, it performs regular run-time checks to search for compromised code or malware, creating an immediate audit-log alert if any unauthorized changes are detected. From there, it is a simple matter to recover the last verified state of firmware securely and automatically, directly from non-volatile flash memory.
Staying vigilant with the help of a partner
It would be nice to think that, with today's defensive technology, ransomware fiends would just give up and find more productive uses for their talents—but that isn't likely to happen. From my experience, there is every reason to believe that malicious code will become more sophisticated and more destructive as time goes by, which is why we need to put your security posture on a path of continual improvement and refinement.
The best way to do this, of course, is to partner with a leader in the field, one who knows the nature of the threat and how it is likely to evolve going forward. In a data-dependent world such as ours, there is no substitute for continued vigilance.
As a first step, please download our latest white paper on how to implement cloud-based data protection.
Meet Infrastructure Insights blogger Simon Watkins, Worldwide Product Marketing Manager, HPE 
Infrastructure Insights
Hewlett Packard Enterprise
TechExperts
Our team of HPE and other technology experts shares insights about relevant topics related to artificial intelligence, data analytics, IoT, and telco.
