The National Institute of Standards and Technology (NIST) has published a new draft on ransomware guidance for organizations. The document features advice on how to defend against the malware, what to do in the event of an attack, and how to recover from it.
The framework establishes The Ransomware Profile, a guide to help organizations profile the state of their own readiness. The Ransomware Profile maps security objectives from the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 [1] (also known as the Cybersecurity Framework) to security capabilities and measures that support preventing, responding to, and recovering from ransomware events.
The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization's level of readiness to mitigate ransomware threats and to react to the potential impact of events. The profile can also be used to identify opportunities for improving cybersecurity to help thwart ransomware.
The publication also details some basic preventative steps that an organization can take now to protect against the ransomware threat, including:
- Use antivirus software at all times. Set your software to automatically scan emails and flash drives.
- Keep computers fully patched. Run scheduled checks to keep everything up-to-date.
- Block access to ransomware sites. Use security products or services that block access to 96 known ransomware sites.
- Allow only authorized apps. Configure operating systems or use third-party software to allow only authorized applications on computers.
- Restrict personally owned devices on work networks.
- Use standard user accounts versus accounts with administrative privileges whenever possible.
- Avoid using personal apps—like email, chat, and social media—from work computers.
- Beware of unknown sources. Don’t open files or click on links from unknown sources unless you first run an antivirus scan or look at links carefully.
Steps that organizations can take now to help recover from a future ransomware event include:
- Make an incident recovery plan. Develop and implement an incident recovery plan with defined roles and strategies for decision making. This can be part of a continuity of operations plan.
- Backup and restore. Carefully plan, implement, and test a data backup and restoration strategy—and secure and isolate backups of important data.
- Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement.
NIST says the Ransomware Profile is intended for a general audience and is broadly applicable to organizations that:
- have already adopted the NIST Cybersecurity Framework to help identify, assess, and manage cybersecurity risks;
- are familiar with the Cybersecurity Framework and want to improve their risk postures;
- are unfamiliar with the Cybersecurity Framework but need to implement risk management frameworks to meet ransomware threats.
Chris Morales, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider, says, "It’s good NIST calls out ransomware, however, there isn’t anything particularly new here. It is primarily hygiene based on a prevention strategy, which unfortunately requires the proper staff to do or to even know NIST created these guidelines. This is especially true within mid-size and smaller organizations that attacks are now frequently targeting."
To access the full document, please visit https://csrc.nist.gov/CSRC/media/Publications/nistir/draft/documents/NIST.IR.8374-preliminary-draft.pdf