What the Federal Government is Doing to Fight Ransomware in 2022

Posted on
ransomware
ransomware

Among the cybersecurity threats that are escalating in 2022, ransomware attacks remain one of the most damaging and impactful to federal agencies and contractors. According to Verizon’s yearly Data Breach Investigation Report (DBIR), this year has seen ransomware incidents increase by 13%, which is more growth than the past 5 years combined.

The cost of ransomware is high, with many cyber actors embracing a double extortion model which extracts twice the payment from their victims – but cost is far from the biggest concern for the U.S government. Foreign adversaries – including China, North Korea, and Russia – are increasingly using ransomware against organizations in the West: sometimes, they even work together.

Government Initiatives and New Security Burdens

With all that being said, ransomware is a risk that organizations in the public and private sectors should be worried about: not only is it capable of driving businesses into bankruptcy, but it also represents a national security threat that can cripple critical infrastructure and expose classified information to nation state actors.

Fortunately, 2022 has also brought multiple initiatives across agencies and branches of the U.S government which will help curb the incidence of ransomware and keep businesses safe for years to come. Some will also impose new security burdens which government contractors will have to apply if they want to stay compliant.

In this blog post, we will share five recent developments in legislation and policy while explaining their implications for ransomware and compliance.

1.  New Cyber Reporting Requirements

In the aftermath of a cyber incident or data breach, organizations have an ethical responsibility to inform their customers – sadly, that doesn’t always happen in a timely matter. But when a ransomware attack occurs against critical infrastructure, public safety is at stake, and rapid disclosure is all the more urgent.

In March, the ‘Cyber Incident Reporting for Critical Infrastructure Act of 20221 (CIRCIA) was passed into law – under CIRCIA, critical infrastructure companies will be required to report any substantial cybersecurity incidents within 72 hours, and any ransom payments within 24. While the precise scope of covered entities remains to be determined, it will likely include sectors like:

      • Critical Manufacturing
      • Financial Services
      • Energy
      • The Defense Industrial Base (DIB)

Ultimately, the new cyber reporting requirements will help law enforcement agencies to gather intelligence on attack patterns, track the activity of advanced persistent threat (APT) groups and respond to cyber emergencies in a timely way.

1 The official source for CIRCIA is the Consolidated Appropriations Act of 2022; for readers’ convenience, the PDF linked above contains only the portions of the Act which comprise CIRCIA.

2.  The Joint Ransomware Task Force

Within the text of CIRCIA, legislators proposed the formation of a ransomware task force, which was formally announced by Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly on the 20th of May.

The task force – which aims to combine cybersecurity initiatives across multiple U.S agencies – will be co-headed by the Federal Bureau of Investigation (FBI), allowing law enforcement to collaborate with CISA more effectively.

Today, government agencies suffer from entrenched barriers to information sharing that hinder cybersecurity efforts. Better collaboration will be a major boon, allowing agencies to share and react to intelligence more quickly while building attack profiles that will help businesses to defend themselves against advanced ransomware strains that evade popular detection methods.

3.  CMMC 2.0 and Updated CMMC Timeline

Following the release of Cybersecurity Maturity Model Certification (CMMC) 2.0, the Department of Defense (DoD) is now working with federal policymakers on an implementation timeline that could see CMMC enforced on DoD contracts by May of 2023.

CMMC 2.0 seeks to protect controlled unclassified information (CUI) by requiring federal contractors to undergo third-party assessment for cybersecurity compliance before they can be eligible for most Defense contracts. For less sensitive “Level 1” contracts, the DoD will accept self-assessment – for more sensitive “Level 3” contracts, organizations will need a more official government assessment.

By enforcing cybersecurity controls proportional to the sensitivity of each contract, CMMC 2.0 will not only encourage better security throughout the DIB – it will also ensure that the most sensitive CUI is only shared with contractors who are ready to defend it against a variety of threats, including ransomware.

4.  Zero-Trust Legislation and Implementation

In 2021, the ‘Executive Order on Improving the Nation’s Cybersecurity’ instructed federal agencies to adopt zero-trust security models to defend their IT infrastructure. Shortly afterwards, CISA and the Office of Management and Budget issued documents outlining a zero-trust maturity model (ZTMM) to help agencies comply with the executive order.

The road ahead is difficult, especially with many federal organizations still relying on outdated, legacy IT architecture. But zero-trust adoption is well underway, and – difficulties notwithstanding – 6 out of 10 federal IT officials believe their agencies will be able to meet the challenge. More than 75% say they already have some form of zero-trust security policy in place.

From the perspective of reducing ransomware attacks, this is good news: zero-trust architecture won’t render organizations invulnerable to cyberattacks, but it will bring about significant transformation by forcing organizations to continually validate user identities, monitor apps, and accelerate modernization.

Most importantly – with zero-trust in place – it won’t be enough for ransomware actors to “get past the door”: they will be faced with multiple barriers to lateral movement and penetration that will halt many in their tracks.

5.  Updates to NIST’s Cybersecurity Framework (CSF)

The National Institute for Standards and Technology (NIST) is updating its cybersecurity framework (CSF), a set of standards that have guided cybersecurity efforts in both the public and private sectors since it was first issued in 2014. In February of this year, NIST requested comments for an upcoming update to CSF, prompting an outpouring of responses from industry experts.

Recently, DoD sources have stated that they want better risk-management guidance in the next version of the CSF framework, to align it with another NIST special publication (SP), 800-30, ‘Guide for Conducting Risk Assessments’. Aligning the two NIST resources would help organizations who are currently following CSF to develop a better understanding of risk and risk factors that lead to data breaches, ransomware attacks, and more.

Whether NIST implements this advice or not, an update to CSF could not come at a better time – cyber tactics have developed rapidly since the last update was released in 2018, and organizations are in need of guidance. According to the agency, a majority of respondents to its request for comment stated they find CSF to be a “useful model for organizations seeking to identify, assess, address, and manage cybersecurity risk” – it can only remain useful as long as it remains up to date with leading risk sources.

Cyber Expertise to Help You Stay Compliant

Compliance with federal cybersecurity standards and laws are non-negotiable for any businesses in the federal space, and a very good idea for businesses outside it. But the cyber landscape changes, protecting revenue and customers demands a steadily rising cybersecurity baseline that can be hard to meet without guidance.

Securicon helps your business to comply with Federal and regulatory requirements through program and risk assessments. With a team comprised of veterans from the U.S security community – including DoD, DHS, and the U.S Cyber Commands – we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.

When it Comes to Picking Targets, Hackers Don’t Care About Size

Posted on
hackers, small business cybersecurity
hackers, small business cybersecurity

As a small business, it’s easy to think that malicious cyber actors only want to target the largest companies. After all, those are the ones who have the most data and sensitive assets. At the same time, those companies also have the highest security budget, making attacks against them time-consuming and resource-intensive. Meanwhile, attacks against small businesses are not only easier – they can be just as profitable.

In mid-May, Illinois’ Lincoln College announced that it was closing its doors because a ransomware attack from December 2021 exacerbated the financial issues arising from lowered enrollment caused by the pandemic. From a broader perspective, this story is increasingly common: according to a recent report, small businesses are 350% more likely to be targeted by cyber actors than large organizations. Furthermore, 61% of all small-to-medium-sized businesses (SMBs) experienced a cyberattack between 2020 and 2021, according to a Ponemon Institute report.

With the news cycle constantly reporting large cyberattacks against Fortune 500 organizations, SMBs can feel a false sense of security. The reality is that cyber actors are equal opportunists who will take advantage of any organization – no matter its size.

What do Cyber Actors Want?

Most cyber actors have predictable objectives that can fall into a few basic categories. Typically, they’re motivated either by money or politics. Depending on your business’s industry vertical, you present a valuable target under one or both of those categories.

Payout 

The quickest way to profit from a cyberattack is a ransomware payment. All businesses have money, and thanks to Ransomware-as-a-Service (RaaS), cyber actors don’t need to be sophisticated to deploy an attack. With ransomware frequency surging, everyone is threatened.

Personally Identifiable Information (PII)

Cyber actors target PII either as part of a double-extortion ransomware attack or to sell on the dark web. In a normal ransomware attack, they force victims to pay a ransom in order to decrypt their files; in a double extortion attack, they also pressure victims to pay an additional fee to avoid making stolen PII public. In either case, all small businesses store PII on their customers, employees, and clients which makes them an attack target.

Credentials and Access

Attackers will often target one organization in order to access another. Most businesses work with other businesses and vendors and may possess information, credentials, software, or networked connections that cyber actors can use to move between targets. This is the mechanism behind software supply chain attacks like the SolarWinds hack.

Intellectual Property (IP) and Trade Secrets

Competitors often target IP and trade secrets as a way to get ahead without doing the work themselves. Whether you’re a small business or not, if your IP gives you a competitive edge, foreign companies will know and cyber actors will target you to make a profit in their own country.

Classified Information

Disrupting critical infrastructure and gaining access to classified information is high on the priority list for nation-state actors engaging in espionage and terrorism. Small government contractors may have valuable contract information that falls under a controlled unclassified information (CUI) designation, while cleared organizations may have classified information.

An Easy Target

Many attackers prefer to target small businesses because they lack the resources that larger companies have. Research notes that 47% of businesses with 50 employees or less do not have a dedicated cybersecurity budget. Further, not every business has a dedicated cyber security staff due to the shortage, cost, and high turnover of cybersecurity talent.

Adding to these challenges, many SMBs also struggle with legacy technologies. Purchasing new hardware is expensive, and many companies lack the budget to pay for the newest, most up-to-date IT infrastructure. Further, the move to remote work coupled with the increased adoption of cloud technologies complicates things further. Remote employees who may lack the needed cybersecurity awareness are often vulnerable to phishing attacks.

If you’re looking at it from a cost-benefit analysis, cyber actors need to expend less effort to get as much, if not more, information and money from multiple small businesses than one large organization.

How to Harden Your Small Business

The good news is that even as a small business, there are many ways to insulate yourself against cyberattacks and find cybersecurity experts to help you guard your sensitive assets.

Cyber training

According to Deloitte, more than 90% of all cyberattacks begin with a phishing email. The first step to protecting yourself is providing your employees with cyber awareness training so that they can recognize phishing and social engineering attacks. This will go a long way to protect your organization.

Incident response/Disaster Continuity plan

Alexander Graham Bell once said, “before anything else, preparation is the key to success.” Knowing what you plan to do before an attack occurs will reduce the impact if you experience one. The best form of harm reduction is harm prevention, and that can be achieved through a proactive enterprise security strategy that includes a protocol for incident response.

Protection of Perimeter

Nearly every company has Internet of Things (IoT) networked devices, and many are vulnerable. From printers to sensors, these devices enable work but create new cybersecurity risks. To protect the perimeter, you should:

      • Adopt a zero-trust policy
      • Place air gaps between devices
      • Move away from open-source protocols
      • Continually update operating systems, software, and firmware

Choose a Cybersecurity Partner

You don’t have to do everything alone. Hiring in-house talent is cost-prohibitive, but with the right outsourced partner you can achieve your security goals and protect your business. Providers, like Securicon, who can provide risk management, and compliance solutions prepare your company for the worst while offering continuous support at a more affordable cost than in-house talent.

Conclusion

Small businesses have a lot of things to worry about, and few have the cyber expertise of a large enterprise. This means many are unable to create the robust security program that they need to survive the current risk landscape. But as cyber actors become more advanced, good cybersecurity can mean the difference between survival and bankruptcy. Fortunately, you don’t have to go it alone.

At Securicon, our seasoned cybersecurity experts work to find vulnerabilities in your IT infrastructure, providing solutions and long-term support. Contact us today for a rapid assessment and learn how we can help your business survive in the midst of an evolving threat landscape.