A ransomware attack has cost Redcar and Cleveland council an estimated £10M to resolve, and an article today debates how much of that the government should have provided to help them.

As a software professional, I find these stories infuriating: a large, exposed, public body like a council, which is probably paying at least £200K per year in salaries for its IT staff, is still not protecting adequately against such a common attack vector and, more importantly, still has no disaster recovery plan for it.

In one sense, I don't think the government should give them any money because it is their own fault. However, of course, we are talking about elected people who are incompetent enough to allow this all to happen on their watch, but it is the public's money that is being wasted. There are no real sanctions in this country for people who fail basic competency in Information Security; at worst they will lose their job, but the local taxpayers are still on the hook for the lost money.

Ransomware is a surprisingly common and effective attack. An attacker gets some malware to run inside a network; if they succeed, the malware encrypts whatever it can reach and shows the victim a message demanding an amount of money (usually reasonable but not insignificant: the attacker wants a good payback, but if they charge too much they are more likely to not get paid). If the attacker is paid, they will probably hand over the means to decrypt the files (it would be bad for business if people didn't believe they would get their data back), but of course there is then a danger of a further attack, since you would not know for sure whether the attacker had a) completely left your system and b) given you any help to patch your systems to avoid further problems.

As I said before, these are very well known attack vectors, and organisations should be learning from existing attacks: the attack is the same every time and should be dealt with in the same way.

Firstly, there are two main ways to prevent the attack or at least reduce its impact. The first, and hardest, is attempting to prevent malware from entering the system at all. In most cases this is almost impossible, since everyone uses email and virus scanners don't always pick up new malware, but an up-to-date scanner, user education, locking out USB ports so people cannot introduce malware from personal USB keys, and a very strict policy towards people who attempt to circumvent these controls will stop most of it. Someone who deliberately bypasses those controls should be treated the same way you would treat someone who messed around with the systems on a plane or with banking software.

You can never have 100% assurance that this will work, so the second way is to limit how far the malware can spread once it is in: this is about network and file permissions and about data segregation. If you have, for example, an application that processes council tax payments, it should absolutely not be reachable from the entire council network but should be isolated by something as simple as separate subnets with filtering between them, so that one system cannot directly address another. Of course, this is sometimes tricky because some people need access to multiple systems, but that is why the CISO is paid a lot of money. You also need to consider the ability to hop from one person's machine to another across the whole network via, for example, a council-wide shared network folder that everyone can write to; again, something that is probably not needed in most cases.

The second crucial issue is having a policy so that people recognise when ransomware is happening, together with a kill switch that can be operated to cut off systems before they are affected. It will involve a combination of powering down network switches and, where that is not possible, pulling the network cable or even the power cord out of crucial servers. Where you have the choice, cut the network rather than the power: a machine that is switched off loses whatever was in memory, which is exactly what a forensic investigation (and, for some ransomware families, recovery of the encryption key) will want. If you do not have any means to do this, it is more than likely that one of your staff will sit there looking at a malware screen, go for a coffee and then try to call the IT department, by which time it is too late. You can get special software that monitors for this (looking for large numbers of files being rewritten with unreadable contents, or decoy files being touched), and an up-to-date virus scanner can sometimes spot ransomware too.
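To make "software that monitors for this" concrete, here is an added example (written for this page, not code from the original post nor from any council's or vendor's tooling) of the two signals such a tripwire watches for on a file share: a burst of files rewritten with ciphertext-like contents, measured by Shannon entropy, and a decoy "canary" file that no legitimate process should ever modify or delete. The directory layout, file names, thresholds and the simulated attack (random bytes standing in for the real encrypted output) are all constructed for the demonstration.

```python
"""Ransomware tripwire for a shared folder (added example, not production code).

Signals that an attack produces and normal office work does not:
  1. many files rewritten with ciphertext-like content (entropy near the
     8 bits/byte of random data);
  2. a decoy 'canary' file being modified or deleted.
Either is enough to fire the kill switch described in the text.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Assumed decoy name: something that looks like real data and sorts early,
# since ransomware tends to walk directories in listing order.
CANARY_NAME = "_accounts_2019_master.xlsx"

# Constructed 'normal' document content; plain text sits around 4-5 bits/byte.
SAMPLE_TEXT = (
    "Council tax statement for the financial year. Amount due: 1,234.56 GBP. "
    "Payments received by direct debit on the 1st of each month.\n" * 40
).encode()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Baseline of the share: relative path -> (sha256 hex, entropy)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            state[os.path.relpath(path, root)] = (hashlib.sha256(data).hexdigest(),
                                                  shannon_entropy(data))
    return state


def assess(baseline: dict, current: dict,
           entropy_threshold: float = 7.2, mass_change_ratio: float = 0.25) -> dict:
    """Compare a fresh snapshot against the baseline and decide whether to fire."""
    changed = [p for p in current if p in baseline and current[p][0] != baseline[p][0]]
    new = [p for p in current if p not in baseline]          # e.g. 'report.docx.locked'
    missing = [p for p in baseline if p not in current]
    # Compressed formats (zip, jpeg) also score high, which is why the decision
    # uses a ratio over the whole share rather than any single file.
    encrypted_looking = [p for p in changed + new if current[p][1] >= entropy_threshold]
    canary_hit = any(os.path.basename(p) == CANARY_NAME for p in changed + missing)
    ratio = len(encrypted_looking) / max(len(baseline), 1)

    reasons = []
    if canary_hit:
        reasons.append("canary file modified or deleted")
    if ratio >= mass_change_ratio:
        reasons.append(f"{len(encrypted_looking)} of {len(baseline)} files now look "
                       f"encrypted (>= {entropy_threshold} bits/byte)")
    return {"changed": len(changed), "new": len(new), "missing": len(missing),
            "encrypted_looking": len(encrypted_looking), "reasons": reasons,
            "kill_switch": bool(reasons)}


def build_share(root: str, n_files: int = 12) -> None:
    """Populate a constructed share with plain-text 'statements' plus the canary."""
    for i in range(n_files):
        with open(os.path.join(root, f"statement_{i:02}.txt"), "wb") as fh:
            fh.write(SAMPLE_TEXT)
    with open(os.path.join(root, CANARY_NAME), "wb") as fh:
        fh.write(SAMPLE_TEXT)


def demo() -> tuple:
    """Run a benign-edit scenario and a simulated attack; return both verdicts."""
    with tempfile.TemporaryDirectory() as root:
        build_share(root)
        baseline = snapshot(root)
        # Benign: a clerk corrects two statements. Low entropy, canary untouched.
        for i in (0, 1):
            with open(os.path.join(root, f"statement_{i:02}.txt"), "ab") as fh:
                fh.write(b"\nCorrection: direct debit date moved to the 15th.\n")
        benign = assess(baseline, snapshot(root))
        # Simulated ransomware: the other statements are replaced by '.locked'
        # files of random bytes (stand-in for ciphertext) and the canary deleted.
        for i in range(2, 12):
            src = os.path.join(root, f"statement_{i:02}.txt")
            with open(src + ".locked", "wb") as fh:
                fh.write(os.urandom(len(SAMPLE_TEXT)))
            os.remove(src)
        os.remove(os.path.join(root, CANARY_NAME))
        attack = assess(baseline, snapshot(root))
    return benign, attack


if __name__ == "__main__":
    for label, verdict in zip(("benign edits", "simulated attack"), demo()):
        print(f"{label}: kill_switch={verdict['kill_switch']} {verdict['reasons']}")
```

In a real deployment the snapshot would be taken on a schedule (or driven by file-system change notifications) and a positive verdict would trigger the switch port shutdown or share disconnection the kill-switch procedure calls for, not just a log line; the thresholds here are illustrative and would need tuning against what a normal working day on the share actually looks like.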

Thirdly, you absolutely must have a disaster recovery policy and process. The policy dictates how much money and time you will invest in setting it up: for example, how often you will take backups; how they are secured so that the backups are not encrypted along with the rest of the system (it has happened!), which in practice means at least one copy that is offline or otherwise not writable from the production network and not reachable with the everyday administrator credentials; and how often you test that a restore actually works. The process is literally a document that the IT team follow if you suffer from ransomware, e.g. take down the network; have a network of people go round and tell staff what is happening; have a process for checking PCs before they are rebooted and reconnected; work out how the ransomware arrived; get backups restored; communicate with your customers. All very basic Information Security material.

There is always an irony when an organisation won't spend, say, £100K setting all this up and ends up paying £10M in recovery costs.

Please people, start taking this seriously!