Backup, Separate, & Secure: White House Cyber Recommendations Reach the Private Sector
By: Brian Craig & George Leahy
On Wednesday, June 2, Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger released an open letter encouraging businesses within the private sector to adopt immediate protections against ransomware and other cybersecurity threats. The recommendations in the letter are helpful and highlight high-level lessons learned from the increasing frequency and severity of ransomware attacks. They also remind us of the need to continuously assess the risk of online threats and implement a comprehensive approach to cybersecurity to mitigate the risk, including the deployment of enhanced security controls to meet evolving malicious technology.
Neuberger’s letter follows a May 12 Executive Order, which directed government contractors to adopt heightened cybersecurity measures and greater collaboration with federal intelligence agencies in the coming months. The June 2 letter, titled “What We Urge You To Do To Protect Against The Threat of Ransomware,” urges private companies to adopt many of the same measures that will be applied to federal contractors by the President’s Executive Order. The suggested policies can be broken down into three general action plans: backup, separate, and secure.
The first of Neuberger’s suggestions calls for the five best practices from the President’s Executive Order – each of which has been found to be necessary and effective in detecting and defending against ransomware attacks:
- implement multi-factor authentication;
- implement heuristic-based endpoint detection and response tools;
- implement encryption to protect data that may be stolen;
- engage a skilled security team to patch rapidly and continuously update security controls; and
- share and incorporate threat information in establishing defenses.
The second set of suggestions calls for the consistent backup and encryption of any digital information maintained by the business. This backup data should include not only client files or other consumer information, but also system images and settings. Any operational data, organizational or otherwise, should have at least one additional encrypted copy. Businesses should routinely test these backups, ensuring they work in case file systems and data need to be restored after a ransomware attack. This backup data, and any digital company resources in general, should be maintained separately. Though network-based backup systems are convenient, particularly for larger enterprise systems, Neuberger notes that ransomware attacks commonly target and delete backups that are accessible from a main network, leaving businesses with no ability to restore compromised systems. Consequently, in addition to network-based backups, businesses should ensure current backup data is stored separately offline, maintaining the option of a system-wide restore in the case of a ransomware lockout. Consistent with this, the 3-2-1 backup rule should be considered. This rule provides that a business should have three copies of its data – its production data and two backup copies, on two different media, with one copy offsite for disaster recovery.
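The letter’s advice to routinely test backups only pays off if a restore can be checked against a known-good record of the data. The following script is an added example, not code from the letter or from the authors of this post: it hashes every file in a production tree into a manifest, stores that manifest apart from the copies it describes, and then verifies a restored copy against it. The directory names, the sample files, and the simulated damage to the network-reachable copy are all constructed for the demonstration; the point it makes beyond the text is that a restore test should report missing, altered, and unexpected files rather than simply confirm that a backup job ran.

```python
"""Backup restore verification: build a SHA-256 manifest of known-good data,
keep it separate from the copies, and check each restore against it."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write the manifest as JSON; it belongs with the offline copy, not on the main network."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest and report every discrepancy.

    missing  : files recorded in the manifest but absent from the restore
    modified : files present but whose content no longer hashes to the recorded digest
    extra    : files present in the restore that the manifest never recorded
    """
    report = {"missing": [], "modified": [], "extra": []}
    current = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    report["extra"] = [rel for rel in current if rel not in manifest]
    return report


def demo() -> tuple:
    """Run the check against a clean offline copy and a damaged online copy.

    Returns (clean_report, damaged_report). All data here is constructed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        production = base / "production"
        (production / "images").mkdir(parents=True)
        # Constructed sample data standing in for business records and a system image.
        (production / "records.csv").write_text("id,customer\n1,acme\n")
        (production / "images" / "fileserver.img").write_bytes(b"\x00" * 1024)

        # Record the known-good state and keep the manifest away from the data itself.
        manifest_path = base / "offline_manifest.json"
        save_manifest(build_manifest(production), manifest_path)
        manifest = load_manifest(manifest_path)

        # Offline copy taken while the data is known-good: should verify cleanly.
        offline = base / "offline_copy"
        shutil.copytree(production, offline)
        clean_report = verify_restore(offline, manifest)

        # Network-reachable copy, then simulated damage of the kind the letter
        # warns about: one file overwritten with garbage, one file deleted.
        online = base / "online_copy"
        shutil.copytree(production, online)
        (online / "records.csv").write_bytes(b"\xde\xad" * 8)
        (online / "images" / "fileserver.img").unlink()
        damaged_report = verify_restore(online, manifest)

    return clean_report, damaged_report


if __name__ == "__main__":
    clean, damaged = demo()
    print("offline copy:", clean)
    print("online copy: ", damaged)
```

In practice the manifest is produced at backup time and kept with the offsite or offline copy, so that a restore test after an incident compares against a record the attacker could not reach; an empty report is the evidence that the backup is actually usable.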
The June 2 letter also includes a lesson from recent events, like the March 2 alert pertaining to Microsoft Exchange vulnerabilities. The letter recommends that businesses promptly update and patch their operating systems, applications, firmware, and other related software. These system-wide patches and updates provide the most up-to-date security features and may close potential loopholes that attackers could use to enter a business’s systems.
The letter also emphasizes the importance of a basic information security principle: network segmentation. Networks used for business functions, for example, should be kept separate from those used for manufacturing and production. That way, a cyber attack on one network will not affect overall operations of the business, maintaining the status quo until the attack is resolved.
Finally, Neuberger’s general suggestions indicate an increased emphasis on security through localized security response teams and third-party vulnerability testing. In addition to local encryption and standard password protection, businesses are encouraged to create their own security teams and develop incident response plans.
In forming these plans, company teams should conduct a risk assessment to determine which systems are most likely to be attacked, which information is the most critical to normal business functions, and how to keep the business operational in the case of a ransomware attack. Lewis Brisbois’ Data Privacy & Cybersecurity Team is experienced in working with businesses to maximize data security and protect against cyberattacks, including the development of incident response plans and testing the plans through table top exercises.
For more information on this topic, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up.