As promised in last month’s column (“Cyberattack!,” August), I’m going to write a little more about the Akira ransomware attack on Amaturo Sonoma Media Group (ASMG), the parent company of Northbay biz. Specifically, I want to describe some specific steps ASMG has taken in the wake of this attack.
I asked Gregg Garcia, director of engineering at ASMG: “Without getting too specific, how have you hardened your environment since the hack?” He generously responded with the following list, which I have annotated for those who don’t speak the lingo of network security professionals:
- Deploy secure, air-gapped, offsite backups—As I mentioned in my last column, one of the reasons that the attack was so devastating was that the backups of ASMG servers were present on the network. So, when the attackers encrypted files, the files comprising the backups were encrypted as well. There are two parts to this: First, access to the backup files themselves should be restricted and protected by their own credentials, not the same ones used on the rest of the network. Second, an air-gapped backup means a backup which is physically separated from the rest of your systems. For example, a nightly backup to tape or disk which is then physically removed from the premises (also handy in case your building burns down).
- Add MDR (Managed Detection and Response) services—It’s hard to be an expert at everything, and trustworthy third parties can help your IT group (or provider) cover all the bases. ASMG chose SentinelOne (sentinelone.com) to ensure that their network is monitored for any suspicious activity. SentinelOne provides “endpoint security,” which is to say that software installed on each of your computers and servers (the “endpoints”) watches for unexpected activity, and the “managed” part means a team of analysts investigates and responds to what that software flags.
- Stay on top of the latest security patches and software updates—All software has bugs—there may be a few exceptions to this rule, but best to believe it. Some of those bugs allow access to unauthorized users with ill intent. And hackers follow announcements of bugs which get fixed so that they can target systems which are not up to date. This applies to your operating systems and applications (whether they are on your desktop/server or in the cloud). This can be a daunting task for a small business with limited IT resources. It’s a strong argument for enlisting a trusted third-party vendor to monitor for updates to your mission-critical software and make sure that those updates get applied.
- Network segmentation—Following the attack, ASMG further segmented its internal network, i.e., broke it into smaller groups of computers. Passing from one segment of the network to another requires authentication as a valid user (e.g., a secure password or other “secret”). This restricts an attacker’s ability to spread laterally through the organization. Again, these are questions you should be asking your IT group or provider: “What happens if someone gets into our ‘main’ network? Are our backups secure? Can they access our emails, financial data or other mission-critical files? How, exactly, are our computers segmented and protected from attack?”
- Passwords and multi-factor authentication—Sadly, the world still runs on passwords, as opposed to more secure, but less-user-friendly, alternatives. So, whatever passwords are used on your system should be *extremely* hard to guess. There are “password auditing applications” which can be used to test the strength of the passwords of accounts which are available on your network. Password managers can be used to suggest strong passwords.
Additionally, you can enable “multi-factor authentication.” One approach to this is sending a text message with a code to your phone, which must be provided in addition to your password. Another approach is use of an “authenticator app,” which provides a cryptographically secure code that is used in the same way.
- The cloud—ASMG lost nine years of email in the attack because it was kept on its local network. Moving your documents and email to a cloud provider such as Google Workspace or Microsoft 365 removes that particular worry at a reasonable cost.
- Reduce the “attack surface”—Every publicly accessible entry point to your network is a possible point of attack. Eliminate entry points which are unused.
- Education—Security starts at home. Your employees need to know how to recognize ways in which security can be compromised by seemingly simple actions: clicking on an unknown link or opening a document which they didn’t expect to receive. At a company I worked for, the IT department had an outside company conduct “phishing attacks” to see which employees might be fooled by hackers. Those people (and I was one of them) had to take some remedial training to improve their instincts about what a suspicious email might look like.
Does the above list sound daunting? It certainly can for a small business without a dedicated IT department. It’s one good reason to work with an IT provider that can help you achieve a meaningful level of security for your business. What would you do if tomorrow you came to work and all your computers were displaying a ransom message? If that scares you, it should. If it doesn’t scare you, you’re either well-prepared for a cyberattack, or whistling past the graveyard.