The New York State Department of Financial Services recently announced new guidance addressing ransomware attacks, and highlighting cybersecurity measures to significantly reduce the risk of an attack. The guidance comes as ransomware rates have been increasing, and builds on the post SolarWinds guidance from NYDFS about supply chain management. It was released just prior to the most recent large attack, namely the July 2nd supply-chain ransomware attack centered on the U.S. information technology firm Kaseya.
The guidance was generated from reports to NYDFS of 74 ransomware attacks from NYDFS-regulated companies between January 2020 and May 2021 which it said followed a similar pattern: “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” NYDFS – in step with the FBI – recommends against paying ransoms because such payments (i) may violate the Treasury’s OFAC sanctions, (ii) do not guarantee that the company will regain access to all its data, or that the company’s data will not be leaked later anyway, and (iii) will likely not prevent subsequent attacks. Instead, in the guidance NYDFS urged all regulated entities to implement the following multi-layered approach to cybersecurity:
-
Train employees about email filtering and anti-phishing;
-
Implement a vulnerability and patch management program;
-
Use multi-factor authentication;
-
Disable RDP access from the internet wherever possible;
-
Use strong, unique passwords;
-
Employ privileged access management so that each user has the minimum level of access necessary to perform the job;
-
Monitor systems for intruders;
-
Segregate and test backups; and
-
Include a ransomware-specific incident response plan that is tested.
Putting it Into Practice: This guidance is a reminder that while supply-chain cybersecurity threats have been gaining headlines, cyberattacks can and do just still occur as a result of phishing attacks, human error, and failures in controls. Teaching employees about good cyber hygiene helps to mitigate the risk that employees will fall prey to sophisticated phishing or socially-engineered fake emails. Companies should couple their employee cybersecurity training with the implementation of a robust cybersecurity program that utilizes diversified security measures and tests controls to ensure system endpoints are protected from threats.