Ransomware Attacks Government Entities
You’ve seen in the movies where the Special Forces are dropped off in enemy territory, then they split up to perform their assignments, then the main guy yells, “See you at the exfil!” In that context, it means the Special Forces team is pulled out of enemy territory when the helicopter comes back to pick them up. Well, apparently the computer geeks have borrowed yet another word from the English language for their own use: exfiltration.
What does Data Exfiltration mean?
Data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. It is a malicious activity performed through various techniques, typically by cybercriminals over the Internet or another network. Data exfiltration is also known as data extrusion, data exportation, or data theft.
I know you’ve heard of “ransomware” and may know someone whose organization has been hit, usually because an employee clicked a link in an email that ran a malicious script. Now the network is down and none of the data is accessible. The bad guy says, “Hey, you want your data back? Send me some ridiculous amount of bitcoin first.” There is no guarantee that you will recover your files even if you pay the ransom, and many ransomware operators now exfiltrate data before encrypting it, so that even a victim with good backups can be threatened with publication.
Ransomware typically enters a network through phishing emails or through a user unknowingly visiting an infected website, and then spreads from that first machine to the rest of the network. That is why segmentation of your network is important (at a minimum, keep public-facing systems separate from internal functions), but the best prevention is education of your users.
Ransomware has affected every aspect of society, from grandma to the government. The website statescoop.com has created a map of ransomware attacks of government entities. Just this year alone, almost every state was attacked, including “state and local governments, school districts, and higher education institutions.”
What can EFT do?
Enhanced File Transfer (EFT) is meant for file transfer and management of your data, not storage. You should be storing your data on redundant storage that is separate from the EFT server. EFT can save you work by making regular backups of important files and then moving those backups off-site for secure storage. (EFT Enterprise includes a built-in Backup event rule, but that only backs up EFT configuration, not your data.) If you’re an experienced and well-versed administrator, you’ve been backing up your data off-site, and doing it regularly. So while your organization may lose reputation and customers after an attack, your business can continue when you restore the data into a rebuilt, clean network.
EFT can help you take the following precautions against ransomware, which are recommended by the Cybersecurity and Infrastructure Security Agency (CISA):
- Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
  - Update and patch EFT and the server on which it is installed. EFT releases updated, patched versions whenever security vulnerabilities are identified in the operating systems or in libraries used by EFT, such as OpenSSL.
- Back up data regularly. Keep it on a separate device and store it offline.
  - You can configure EFT event rules to copy, move, or back up data on a schedule, and to send an email reminder to take it off-site or to copy it to cloud storage. Keep in mind that a backup that stays reachable over the network with the same credentials can be encrypted right along with the originals, so keep at least one copy offline or on immutable storage, and test a restore from it periodically.
- Restrict users’ permissions to install and run software applications, and apply the principle of least privilege to all systems and services. Restricting these privileges may prevent malware from running or limit its ability to spread through a network.
  - EFT can connect to user authentication sources such as Active Directory and LDAP so that you do not have to duplicate effort in restricting user permissions. EFT can also restrict permissions through groups, settings templates, separate sites, and folder permissions.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  - Though EFT is not an email server, its event rules can send files to an ICAP server for anti-virus and DLP scanning, and quarantine files that fail the scan.
- Configure firewalls to block access to known malicious IP addresses.
  - In addition to properly configuring your firewalls, you can configure EFT to block IP addresses, either manually or automatically after repeated invalid logins or during a DDoS attack.
- Review EFT reports and logs, and set up event rules to notify you about large file uploads or downloads, frequent invalid login attempts, and so on.
- Update user access regularly, especially when an employee leaves the organization or changes roles.
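The last two precautions, blocking addresses after repeated invalid logins and alerting on large transfers, are the kind of checks you can run over the server's own logs before (or in addition to) turning on the product's built-in rules. The script below is an added example written for this article, not code from Globalscape or part of EFT; it parses a constructed log sample in a simplified W3C extended format (the real EFT log has more fields, and the field order here is our assumption), flags any client IP with five or more failed logins inside a five-minute window as a candidate for the block list, and raises an alert for any single download over 500 MiB or any user whose downloads within an hour exceed 1 GiB. The thresholds are illustrative and should be tuned to your own traffic.

```python
"""Detection checks over file-transfer server logs.

Added example, not part of EFT. Two checks:
  1. brute force: N or more failed logins from one client IP within a
     sliding window -> candidate for the server's IP block list
  2. exfiltration / large transfer: one download over a byte threshold,
     or a user whose downloads within a window exceed a cumulative threshold
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption: simplified W3C extended format with the
# fields named on the #Fields line; FTP status 530 = login failed,
# 230 = logged in, 226 = transfer complete, RETR = download).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-bytes
2023-10-02 08:00:01 203.0.113.7 - USER admin 331 0
2023-10-02 08:00:01 203.0.113.7 - PASS - 530 0
2023-10-02 08:00:03 203.0.113.7 - PASS - 530 0
2023-10-02 08:00:05 203.0.113.7 - PASS - 530 0
2023-10-02 08:00:06 203.0.113.7 - PASS - 530 0
2023-10-02 08:00:08 203.0.113.7 - PASS - 530 0
2023-10-02 08:05:00 198.51.100.4 jdoe PASS - 230 0
2023-10-02 08:05:10 198.51.100.4 jdoe RETR /payroll/q3.xlsx 226 734003200
2023-10-02 08:06:00 198.51.100.4 jdoe RETR /payroll/q2.xlsx 226 690000000
2023-10-02 09:30:00 192.0.2.9 asmith PASS - 530 0
2023-10-02 09:31:00 192.0.2.9 asmith PASS - 230 0
2023-10-02 09:32:00 192.0.2.9 asmith RETR /reports/daily.csv 226 20480
"""


def parse_log(text):
    """Turn the log text into a list of dicts; skips comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 8:
            continue  # do not let one bad line abort the whole review
        date, time, ip, user, method, path, status, nbytes = parts
        entries.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ip": ip, "user": user, "method": method, "path": path,
            "status": int(status), "bytes": int(nbytes),
        })
    return entries


def failed_login_bursts(entries, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: timestamp of the hit that crossed the threshold} for IPs
    with >= threshold failed logins inside the sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for e in entries:             # log files are assumed to be in time order
        if e["method"] != "PASS" or e["status"] != 530:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and e["ip"] not in flagged:
            flagged[e["ip"]] = e["ts"]
    return flagged


def large_downloads(entries, single=500 * 2**20, cumulative=2**30,
                    window=timedelta(hours=1)):
    """Return a list of (kind, user, path, bytes) alerts: 'single' for one
    download >= `single` bytes, 'cumulative' (once per user) when downloads
    inside the window add up to >= `cumulative` bytes."""
    alerts = []
    per_user = defaultdict(deque)  # user -> (ts, bytes) of recent downloads
    already = set()
    for e in entries:
        if e["method"] != "RETR" or e["status"] != 226:
            continue
        if e["bytes"] >= single:
            alerts.append(("single", e["user"], e["path"], e["bytes"]))
        q = per_user[e["user"]]
        q.append((e["ts"], e["bytes"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        total = sum(b for _, b in q)
        if total >= cumulative and e["user"] not in already:
            already.add(e["user"])
            alerts.append(("cumulative", e["user"], None, total))
    return alerts


def block_list(entries):
    """IPs to feed to the server's or firewall's ban list, sorted."""
    return sorted(failed_login_bursts(entries))


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("block list:", block_list(log))
    for alert in large_downloads(log):
        print("alert:", alert)
```

On the sample above the script flags 203.0.113.7 (five failures in seven seconds) and raises three alerts for jdoe: two single downloads over 500 MiB and a cumulative total of about 1.3 GiB within the hour, while asmith's one failed login followed by a successful one and a 20 KB download is left alone. Feeding the flagged IPs to a firewall rule or the server's ban list, and routing the alerts to whoever is on call, is the automation the two precautions describe.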
EFT encrypts files in transit and can encrypt data at rest, and it integrates with third-party anti-virus, anti-malware, and DLP servers so you can scan for malware and for policy violations such as credit card numbers leaving your network. Because ransomware usually enters a network as a malicious file, EFT lets you configure your environment to scan files as they arrive, automatically quarantine those that fail, and keep an audit trail of how a file was introduced. EFT supports prevention, enables rapid incident response, and provides thorough audit logs to support digital forensics efforts.