NIST Taking Public Comment on Ransomware Profile Until Oct. 8

The National Institute of Standards and Technology (NIST) is taking public comment on the new draft of its Ransomware Profile until Oct. 8. Managed security service providers may want to chime in.

The document contains the recommendations from the agency (which doesn’t have regulatory power) for helping organizations tackle ransomware.

Without a doubt, the issue is a pressing one. In the second quarter of 2021 alone, ransomware activity soared 55,240%. That’s not a typo. That’s the figure from MSSP Nuspire in its 2021 Q2 Quarterly Threat Landscape Report.

With that in mind, here are the “basic preventative steps” NIST details in its Ransomware Profile:

• Use antivirus software at all times. Set software to automatically scan emails and flash drives.
• Keep computers fully patched. Run scheduled checks to identify available patches, and install these as soon as feasible.
• Segment networks. Segment internal networks to prevent malware from proliferating among potential target systems.
• Continuously monitor directory services (and other primary user stores) for indicators of compromise or active attack.
• Block access to potentially malicious web resources. For example, use products or services that block access to server names, IP addresses, or ports and protocols known to be malicious or suspected to be indicators of malicious system activity.
• Allow only authorized apps. Configure operating systems and/or third-party software to run only authorized applications. Establish processes for reviewing, then adding or removing authorized applications on an allowlist.
• Use standard user accounts versus accounts with administrative privileges whenever possible.
• Restrict personally owned devices on work networks.
• Avoid using personal apps – email, chat, social media – on work computers.
• Educate employees about social engineering. Don’t open files or click on links from unknown sources unless without running an antivirus scan or inspecting links carefully.
• Assign and manage credential authorization for all enterprise assets and software; also, periodically verify that each account has the appropriate access only.

The Basics Are Always Important

These insights seem rudimentary, but as cyberattacks rise exponentially, the industry has discovered that even the simplest gaps have gone overlooked. That was understandable during the crush last year to shift to remote work because of the pandemic. However, the time has long since passed to review those deployments for holes. In essence, the fundamentals bear repeating and employees – yours and your clients’ – continue to need cybersecurity training.

NIST underscores those points in the draft Ransomware Profile. The agency lays out steps organizations should take now to recover from a ransomware incident later:

• Make a recovery plan. The effort should feature defined roles and strategies for decision making, and can serve as part of a continuity-of-operations plan, NIST said. Also, identify business-critical services to enable recovery prioritization, as well as business continuity plans for those critical services.
• Back up data, secure backups and test restoration. Plan, implement and test a data backup and restoration strategy. In addition, secure and isolate backups of important data. This advice is especially prescient after the infamous SolarWinds hack, in which targets did not isolate their backups. From there, it was all too easy for attackers to grab data.
• Keep your contacts. Maintain an up-to-date list of internal and external contacts, including law enforcement, for ransomware attacks, NIST said.

NIST modeled the Ransomware Profile on its Cybersecurity Framework Version 1.1. The new draft guidance is the second version, following one released this summer. The recommendations come not long after the Biden Administration issued its own measures aimed at fighting ransomware. Government agencies and contractors have suffered heavy attack over the past year from hackers, and they aren’t letting up. Just last week, the feds issued an advisory indicating that more than 400 U.S. and international organizations have come under digital fire from the Conti ransomware.