They've taken my storage hostage ... now what?
How one user device nearly brought down the business
Sysadmin blog There's an encrypting ransomware Trojan making the rounds called Cryptolocker.
I will save the details on my battle with this beastie for later*, but suffice it to say that if this encrypts your stuff you are done. There is no getting your data back unless you have backups or pay the ransom.
Let's set aside the ultra-well managed and defended enterprise network for a moment. Defending the castle when everyone does 9-to-5 inside said castle is easy.
Far flung empire
Making sure that something like CryptoLocker does not erase your entire business in one go is a lot harder if you need to defend the equivalent of several hundred loosely affiliated cottages spread across the planet.
I am a cautious fan of bringing your own device (BYOD) to work. My company runs on the concept, as do most of my clients.
In some cases this is true BYOD: a working environment delivered through software as a service or virtual display infrastructure, so the endpoint is irrelevant. In other cases it is "deploy desirable devices" or "you pick it, we support it”.
Regardless of the variations, moving away from the corporately mandated locked-down cheapo desktop should never be treated as a means to save money for the business. That is the path to the Dark Side.
BYOD carries with it the obligations to apply some engineering to your efforts. I see it in use because people are increasingly working from home after hours, telecommuting or just spending more time in the field with clients than at the office in meetings. This means that the endpoints in play don't use traditional network designs.
Instead of hunkering down behind a corporate firewall, each endpoint must be secured as though it were going to be hooked up to the internet directly, because eventually it will.
Instead of simply being able to browse the local network for a file share you have to consider remote access or synchronisation technologies: virtual private networks, TeamDrive, NetDrive and so forth.
Increasingly I see distributed companies that do not have a central corporate network at all. BYOD is not an extension of some well managed IT infrastructure, it is a term hung around a group of people working in dispersed locations who have to communicate, collaborate and share data in the same way as people in an office would.
Being a writer for The Register, which has writers spread around the world, is one example of such a working environment. Being a startup that doesn't have the money for an office just yet is another.
Where are you storing your central files? Are you relying on cloud storage such as Dropbox for Business? Are you hanging a Synology on a corporate DSL and praying for the best, or did you plunk a file server into a co-lo?
People are careless about where they store files
BYOD-like endpoint selection strategies may well suit your business, but you are going to have to spend good money on security, management and support if you don't want to end up getting Cryptolockered.
In any situation where you are not rigidly locking down the endpoint, people are careless about where they store files. They will not store them on your centralised storage unless forced.
Enter the Trojan
People will work local and move copies centrally only when a colleague needs something – even then, they will probably email it.
In the Cryptolocker instance, the person in question's job was to open Excel files emailed to him by customers, pull out the data and put it into another Excel file.
The inevitable happened: something arrived that looked legitimate enough on a day when the user was tired and distracted. He wasn't a local administrator but the Cryptolocker Trojan doesn't need administrative privileges to run. It encrypted the user's My Documents folder as well as every file he had mapped on the network drive.
The business owner was someone who could never be dissuaded from the view that "RAID isn't backup" and was unwilling to spring for anything sexier than Windows Backup to secure the endpoints.
The network backups consisted of scripts that execute against the network drives once a night and overwrite the previous night's backup. They are designed to deal with failure of the network-attached storage box, not to provide versioning for Oopsie Mcfumblefingers or virus emergencies like this.
The end result? The stuff in My Documents could be recovered from Windows Backup – the stuff on the network drives, not so much.
Hang the expense
This Trojan had somehow waltzed through Office 365's anti-virals to land in the user's email. It ran without administrative privilege, laughed at the system-local anti-malware software and did its thing.
These things happen. It isn't paranoia to plan for them – it is a business requirement. A different business organisation is not an excuse to underfund your IT.
However much the whitepapers say you need to spend triple your annual revenue in IT to make it go and lock things down so tightly nobody can actually work, that is not the case.
Something as simple as KinetcD can save you from some disasters. It will back up the folders you need to back up and shift them to the cloud – in this case, a Canadian cloud provider, for those not comfortable with the Americans right now.
Take your pick
You can manage endpoints just fine if you buy a decent endpoint security suite. Traditional AV vendors are nearly all getting in on the unified threat management game. There are hundreds of endpoint management and security options.
Don't buy a network-attached storage system (or other centralised storage) that doesn't come with some sort of versioning backup software. Most of these things can back up to a cloud provider; pay the tithe and turn the feature on.
This won't solve all ills but proper management software will minimise your chances of getting into trouble, while backup software will help ensure that when something does sneak through your defences you can nuke the infected machines and revert to backups.
You can't fix stupid, so please, do invest in preparing for the inevitability. Yes, it costs money to back things up and yes it costs money to properly manage your endpoints – but it doesn't cost nearly as much as it did even a few years ago, and the alternative is something like Cryptolocker wiping your whole business out with a double click. ®
*For the record, the files were ultimately recovered and the business saved. The dirty details will be all revealed in a future article. Stay tuned.
- Black Hat
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust