News

Real-World Ransomware Defense Best Practices: Remember 'Bullies Target the Weakest First'

In the high country of northwest Montana where I live, people tell an old joke about two campers in a tent threatened by a bear, with one hastily putting on his running shoes. The other guy asks him why he's doing that, as no one can outrun a bear. "I don't have to outrun the bear," the first camper retorts, "I just have to outrun you."

Turns out, the same thing holds true for ransomware defense. You don't need to have the strongest security posture out there, you just need to not have the weakest.

John O'Neill Sr., chief technologist at AWS Solutions, explained that reasoning in a recent online summit hosted by Virtualization & Cloud Review. "I want everybody to think about the bad guy like a playground bully," he said. "Bullies target the weakest first. Cyber attacks target the weakest first. So you don't necessarily have to be the strongest kid on the playground. You just can't be the weakest."

O'Neill Sr. was presenting with partner Dave Kawula, managing principal consultant at TriCon Elite Consulting, in a three-session, half-day online summit titled "Best Practices for Ransomware Defense and Recovery," now available for on-demand viewing.

O'Neill Sr. continued his train of thought about bullies targeting the weakest. "So everything you do to increase your cyber posture is making you more defensible and less of an easy target. And I use that analogy because it's a bit brutal, and cyber defense and cyber security are brutal these days.

"And I use that analogy because it's a bit brutal, and cyber defense and cyber security are brutal these days."

"But you know, another way to think about it is, that bad guys are also lazy to some degree. And what I mean by that is, they like to target the low-hanging fruit, the easy play. So, as you mentioned earlier today, Dave, your job is to make yourself not low hanging, not the easy target."

Best Practice No. 6
[Click on image for larger view.] Best Practice No. 6

The expert consultants were discussing the need to be high-hanging fruit in the context of corporate cybersecurity training, one of their 12 best practices. They emphasized that training should not be just for IT folks, but should also be offered in easy-to-consume ways for other staff and leadership because as threats evolve, so must organizations trying to protect themselves.

"Every member of IT is a part of the security team," O'Neill Sr. said in the training discussion. "So they should certainly be taking the time to invest in some operational training on how to use the security systems, how to isolate machines when they come in, because maybe the normal person that deals with that isn't around. And it still needs dealt with. And it's still time sensitive. So other members of the team need to be trained. And if you are the person tasked with your cybersecurity -- Dave, you and I have talked about this so much -- we feel that it's very beneficial and worth the effort and the investment in yourself and to your organization to go earn some of these certifications, right. Microsoft has a great new certification out with their operational analysts role and that sort of thing. And so I just can't emphasize that enough."

Kenneth from the audience: "What is your recommendation on providing live security training to a company? How long should that training be and how often should it happen?""

Staff training was also the subject of a question put to the presenters by Kenneth among the online audience of hundreds of IT pros. Kenneth asked: "What is your recommendation on providing live security training to a company? How long should that training be and how often should it happen?"

"The great news, Kenneth, is that you may already have a ton of training resources that are well developed and targeted to the end user, as well as to the IT group, and are relatively easy to deploy, they're kept up to date," O'Neill Sr. replied. "And those are built in. For instance, if you're using platforms such as the Microsoft Defender 365 platform, if you go in there, there are all sorts of training resources that you can provide your users, and there are even routines you can run that periodically do a phishing simulation. So it'll send an email out to your users, a phishing email, and whoever clicks it is automatically directed to take two- or three-minute training. You get logs of them doing that training. And you can keep track of things that way. And you should be doing those periodically.

"The other thing that I've seen a lot in addition to using actual cybersecurity learning platforms: use free resources. Amazon has some great cybersecurity training that they've developed for Cybersecurity Awareness Month. October is Cybersecurity Awareness Month, so how's that for aligning this webinar with current events? Well, so that training, we've been sending it out to users and inviting them to do it. Well, one of our problems is we can't really track who took it and who didn't take it and that sort of thing. Well, our strategy is, when you send out the email, it says, 'Hey, there's this great training, it only takes 5-10 minutes, you know, do this. If you send the IT team back an email and say that you've conducted or attended this training, answered a couple questions for us, we will enter you in a drawing to win a $50 Amazon gift card,' or something like that. Incentivize them to attend the training and to let you know they've attended it. So you can keep track of things that way.

"There's just so many ways that you can make training something that fits in with your team's schedules, or your customer schedules, your user schedules, and something that you can keep track of to see who's doing it.

John O'Neill Sr., chief technologist, AWS Solutions

"There's just so many ways that you can make training something that fits in with your team's schedules, or your customer schedules, your user schedules, and something that you can keep track of to see who's doing it. How often are they doing it? What are the results of it? You know, make it fun, send out a weekly quiz, your cybersecurity quiz, and people respond, and then you put them in a pool to win a free lunch or pizza party or whatever you want, you know, make it fun. And I found people will do it."

Kawula shared his thoughts on training and dealing with that staffer.

"Yeah, no, absolutely, John. And one of the things to add to that is, okay, virtual show of hands: How many of you have issues with the same user over and over and over again, no matter how much training they happen to go through? Don't worry, I can see your virtual hands going up out there, because we all have those users that we have to deal with. And I find that it's just a matter of further educating and being patient. And when you have those users, one of the things that I find is very helpful, John, is relate something non-work-related to them, say, 'Listen, I'm here to help you. Not just from the corporation's perspective, but I also want to make sure that you're protected on a personal perspective.

"I don't think you'd really like it if a bad guy got in and got all your personal banking funds so that you couldn't pay your mortgage. So we're trying to help you with this, not just for the company, we're trying to help you with this at a personal level as well."

Dave Kawula, managing principal consultant, TriCon Elite Consulting

"I don't think you'd really like it if a bad guy got in and got all your personal banking funds so that you couldn't pay your mortgage. So we're trying to help you with this, not just for the company, we're trying to help you with this at a personal level as well.' And that seems to really resonate with some of those users."

As mentioned, the presentation now can be viewed for free on demand to get Dave and John's advice about their other ransomware defense and recovery best practices in addition to "Continual Training and Operationalization." That list of best practices -- too long to digest here -- fully fleshes out topics like:

  • Activate Your Defenses
  • Configure Your Defenses
  • Partner with Your Vendors
  • Assume Breach
  • Do Whatever It Takes to Protect the Network
  • Threat Hunting
  • Recovery Involves Cyber Insurance
  • Recover On-Prem or Recover in the Cloud
  • Line Up your Recovery Team Well in Advance
  • Legal Requirements to Provide Notification to the Government
  • We Are at Cyber WAR

Of course, there are advantages to attending such summits live, including the ability to ask questions of expert presenters, as Kenneth and others did in last week's presentation. Attendees are also automatically entered into a drawing for a chance to win a cool prize. With those factors in mind, here are some summits coming up in the next month or so.

About the Author

David Ramel is an editor and writer for Converge360.

Featured