You could be forgiven for believing ransomware has already peaked. After all, few organisations in South Africa have experienced it on various levels since 2017’s WannaCry attack. Yet ransomware is hardly a spent force. If anything, it’s become normalised. Kaspersky detected 16,017 new ransomware modifications in Q2 2019, more than double the number it discovered in the same period last year.
Ransomware is now big business. With estimated annual revenues of $1 billion, it’s become a parasitic sub-economy whose continued rise seems inexorable. However, as ever, it’s not a price worth paying. The average attack costs businesses over $133,000 and does long-term damage to reputation and customer confidence. What’s more, paying the ransom is no guarantee you will get your data back – 20 per cent of paying victims never reclaim their stolen data.
Data is your strongest asset, but it can also be your biggest weakness. It helps you anticipate change and cater to your customers, but it is also becoming more complex, varied and difficult to protect. To stop it falling into the wrong hands, you must have a strong security configuration and backup strategy in place. Now more than ever, you also need to put it through its paces.
Prepare to fail
A strong ransomware defence strategy delivers protection at depth and at all levels. You should have a strategy to proactively search for and fix system vulnerabilities, and deploy solutions for network monitoring, threat intelligence and endpoint detection. By covering all bases, you give potential attackers nowhere to hide.
However, threat prevention by itself is no longer enough. You can have in place the most comprehensive prevention strategy possible, but failure is inevitable at some point in your system’s lifecycle. Indeed, more than 77 per cent of ransomware victims were running up-to-date endpoint protection when they were breached.
Ransomware is no longer a cottage industry of lone wolf operators and small groups. It’s the weapon of choice for state actors and well-resourced criminal outfits. Cybercriminals don’t have the distraction of needing to operate a business – they can focus solely on their goal of breaching your defences. What’s more, they constantly evolve their techniques and technologies, and can do it much faster than you can refresh your perimeter defences.
Without a detailed incident management and response plan, one bad day could turn into a long-running disaster for your organisation. You can’t defend yourself from every potential ransomware attack, so a comprehensive backup plan is crucial. This means creating and maintaining multiple copies of important data, both locally and in the cloud. You should be aware of how your backups are created, where they are stored in your organisation and, most importantly, how your backup strategy performs under pressure.
You don’t have a backup plan until you’ve tested it
Despite the heightening threat of ransomware attack, organisations often still neglect to put their backup strategies into practice. There’s a perception of ‘it could never happen to me’ among many data officers and managers, but ransomware attacks are worryingly common – across Europe, the Middle East and North America, more than a third of finance and insurance companies have been victims. A ransomware attack isn’t a question of if, but when.
Complacency only puts your data in danger. If failure is inevitable then you shouldn’t be caught unprepared. Backup plans are complex and multi-layered, spanning across multiple data and cloud environments. It’s hard to predict how your backup plan will interact with all these systems until you put it into action.
Stress testing your backup configuration reveals cracks and vulnerabilities you otherwise would never have discovered. Are your backups sufficiently isolated to prevent an infection from spreading? Do you have enough copies of valuable data, and are you retaining those copies long enough? Only regular fire drills and tests can answer these questions conclusively.
A stress test could be something as simple as staff checking to ensure a backup site will go live should the main application fail, or performing a single file recovery and checking the recovered copy matches the original. What’s important is that these tests are regular, repeatable and a crucial part of your backup strategy.
It’s important to stress that you can’t just focus on the resilience of your primary data. The secondary data you create through backups and copies also needs to be properly defended and tested under your policies. Review how your backups are saved and then put them through the same process as your primary data. What’s more, a number of backup solutions are building ransomware resiliency capabilities into how secondary data is stored and accessed – take advantage of these.
Stress testing isn’t a case of better safe than sorry, it has real benefits to an organisation. Rehearsing your backup strategy improves response times and shortens the delay between losing your data and getting it back. This is increasingly important in a connected world where losing access to data can swiftly derail business continuity.
When it comes to ransomware, prevention is no longer enough. You need to have a data backup plan, and that plan has to be measurable and repeatable to keep pace with today’s fast-moving attackers. You can’t say you’ve truly recovered from a ransomware attack if it has done damage to your business through downtime and data loss. A tried and tested approach will not only boost response and resilience, it will deliver confidence to customers and stakeholders.
SA’s Internet goes down again
South Africa is about to experience a small repeat of the lower speeds and loss of Internet connectivity suffered in January, thanks to a new undersea cable break, writes BRYAN TURNER
Internet service provider Afrihost has notified customers that there are major outages across all South African Internet Service Providers (ISPs), as a result of a break in the WACS undersea cable between Portugal and England.
The cause of the cable break is unclear. It marks the second major breakage event along the West African Internet sea cables this year, and comes at the worst possible time: as South Africans grow heavily dependent on their Internet connections during the COVID-19 lockdown.
As a result of the break, the use of international websites and services, which include VPNs (virtual private networks), may result in latency – decreased speeds and response times.
WACS runs from Yzerfontein in the Western Cape, up the West Coast of Africa, and terminates in the United Kingdom. It makes a stop in Portugal before it reaches the UK, and the breakage is reportedly somewhere between these two countries.
The cable is owned in portions by several companies, and the portion where the breakage has occurred belongs to Tata Communications.
The alternate routes are:
- SAT3, which runs from Melkbosstrand also in the Western Cape, up the West Coast and terminates in Portugal and Spain. This cable runs nearly parallel to WACS and has less Internet capacity than WACS.
- ACE (Africa Coast to Europe), which also runs up the West Coast.
- The SEACOM cable runs from South Africa, up the East Coast of Africa, terminating in both London and Dubai.
- The EASSy cable also runs from South Africa, up the East Coast, terminating in Sudan, from where it connects to other cables.
The routes most ISPs in South Africa use are WACS and SAT3, due to cost reasons.
The impact will not be as severe as in January, though. All international traffic is being redirected via alternative cable routes. This may be a viable method for connecting users to the Internet but might not be suitable for latency-sensitive applications like international video conferencing.
SA cellphones to be tracked to fight coronavirus
Several countries are tracking cellphones to understand who may have been exposed to coronavirus-infected people. South Africa is about to follow suit, writes BRYAN TURNER
From Israel to South Korea, governments and cell networks have been implementing measures to trace the cellphones of coronavirus-infected citizens, and who they’ve been around. The mechanisms countries have used have varied.
In Iran, citizens were encouraged to download an app that claimed to diagnose COVID-19 with a series of yes or no questions. The app also tracked real-time location with a very high level of accuracy, provided by the GPS sensor.
In Germany, all cellphones on Deutsche Telekom are being tracked through cell tower connections, providing a much coarser location, but a less invasive method of tracking. The data is being handled by the Robert Koch Institute, the German version of the US Centers for Disease Control and Prevention.
In Taiwan, those quarantined at home are tracked via an “electronic fence”, which determines if users leave their homes.
In South Africa, preparations have started to track cellphones based on cell tower connections. The choice of this method is understandable, as many South Africans may either feel an app is too intrusive to have installed, or may not have the data to install the app. This method also allows more cellphones, including basic feature phones, to be tracked.
This means that users can be tracked on a fairly anonymised basis, because these locations can be accurate to about 2 square kilometers. Clearly, this method of tracking is not meant to monitor individual movements, but rather gain a sense of who’s been around which general area.
This data could be used to find lockdown violators, if one considers that a phone connecting in Hillbrow for the first 11 days of lockdown, and then connecting in Morningside for the next 5, likely indicates a person has moved for an extended period of time.
Communications minister Stella Ndabeni-Abrahams said that South African network providers have agreed to provide government with location data to help fight COVID-19.
Details on how the data will be used, and what it will be used to determine, are still unclear.