Ransomware: 3 Habits for Improving Municipal Ransomware Defense

Security experts should dispel common myths and develop these new habits for making cyber defenses more accessible.

Heading into town hall this morning, a civic leader from one of the approximately 19K incorporated US municipalities likely heard about another ransomware attack taking down a counterpart’s municipal services. The report probably recalled a large city like New Orleans, Baltimore, or Atlanta, where ransomware recently disrupted public services for far too many days and incurred recovery costs estimated in the millions, if not billions, of taxpayer dollars. As the news story continues with a cybersecurity expert discussing abstract concepts like “cyber hygiene” or “basic security controls,” the official silently laments the fact that those cities have exceptional technology budgets that total hundreds of thousands of dollars.

Based on my observations in the northeast US combined with national municipality size data, that town official is more likely to represent one of the approximately 90% of small municipalities that have no more than two IT staff. Worse yet, the town may fall into the bottom third of municipalities that lack a single dedicated IT professional, instead distributing IT functions as secondary responsibilities to other civil servants.

Normal business posture would be to have one dedicated security professional for every nine or so IT staff. So, only officials in the largest US cities can follow standard advice to “hire an expert.” Instead, most civic leaders must wonder if they can do anything with the available resources to keep from being in the next ransomware news report.

About one third of the over 19K US municipalities may have no dedicated IT staff. Photo by Michael Figueroa

Municipalities can improve cyber defenses despite very limited budgets. To do so, cybersecurity experts need to correct bad habits that contribute to overwhelming non-security professionals and perpetuating organizational weaknesses.

Those bad habits center on our tendency to evangelize absolute security control approaches that dismiss context and discount the underlying complexity of the problem space. We continue to fail not just municipal leaders, but also school superintendents, police and fire chiefs, non-profit directors, small business owners, and other similar small and civic organizations, when we push a narrative that belittles the cyber defense challenges that they face. Rather than blaming those who lack access to security expertise for their failure to budget for or implement what the community considers to be basic defenses, we need to learn how to help municipalities bootstrap cybersecurity based on what they have readily available.

While teamed with municipal and state security leaders over several months as a volunteer advisor to a statewide municipal security effort, my colleagues often challenged what I consider to be standard recommendations. To reframe my perspective of the obstacles town officials face defending against ransomware attacks, I developed three new habits for aligning my experience to the extraordinary constraints that most municipalities face.

Habit #1: Keep Recommendations Simple

Ransomware defense and response are complex exercises. The cybersecurity community often distills its recommendations into a set of vague control actions (backup, patch, and train) that even sophisticated organizations routinely fail to do well due to factors outside of their direct control. To best help resource-constrained organizations, we need to focus our efforts on areas where officials can most rapidly improve cyber defenses. That starts with simplifying our recommendations to what town officials can directly influence.

Those of us who have managed enterprise security programs know that effective system patching and security awareness training rely on too many uncontrollable variables to be more than secondary defenses. Patching depends on vendors repairing software and customers applying the fixes before hackers exploit vulnerabilities. Even when patches are available, applying them depends on personnel-heavy inventory and monitoring within a dynamic asset control environment. As for training, my discussions with security executives indicate that even the best trained organizations can maybe thwart 95% of phishing attacks, the most common vector for ransomware attacks. Most organizations should instead expect at least 1 in 3 users to be susceptible.

Rather, effective ransomware defense for most organizations begins and ends with backups. As a security control, backups are about the only recommendation that organizations can fully implement on their own. Also, it is the only one of the top recommendations that both helps the organization protect against ransomware attacks and respond to them.

Helping under-resourced organizations like municipalities simplify their decision-making empowers them with confidence that they can make progress despite their constraints. Though their efforts may be imperfect initially, that confidence will breed the long-term knowledge and control needed to maintain effective defenses in a rapidly-changing landscape.

Habit #2: Make Resources Accessible

Our bad habit of measuring progress in big bang accomplishments, or worse through the null proof of not failing, betrays a systemic inability to provide guidance that can actually help municipalities defend against and recover from ransomware disasters. Imagine how overwhelming it must be for well-intentioned civic leaders to know that they need help but lack the basis to understand what help they need. Criticizing town officials for inadequate budget or attention to security is condescending because those arguments dismiss how challenging it can be for them to sift through the breadth and volume of the available information to plan for the most appropriate course of action.

Working from the perspective that ransomware defense is as easy as sound bites imply, I challenged myself to find authoritative, comprehensive, unbiased resources that could help town officials accelerate their efforts. It proved to be a frustrating exercise to identify helpful resources to aid in backup and recovery planning. Government guidance, both at the state and federal levels, tends to be vague and idealistically comprehensive, lacking the detail that town officials need to get started. Expert guidance, even when not overtly sales-driven, tends to be too detailed and endpoint-oriented, lacking the structured decision-making workflow that town officials need to prioritize their efforts.

Technically, an organization can use built-in tools on just about any computer to back up data to a cloud service or connected external hard drive. Practically, business and mission owners have limited knowledge about and often insufficient access to the resources that they need to back up critical services. Even when officials have access, indiscriminate backups are cost-prohibitive for most municipalities and less likely to be verifiably correct.

To make cyber defenses more accessible, we need to do a better job at guiding town officials through the baby steps to help them build confidence in their capacity to improve their security postures. That more empathetic approach promotes the formation of new supportive habits of critically evaluating available resources against their dependencies to aid strategic decision making.

Here in Massachusetts, our early efforts curating resources to help municipalities prepare for ransomware attacks culminated in a Municipal Cybersecurity Toolkit hosted by the MassCyberCenter at the Massachusetts Technology Collaborative. For more technical resources that municipal IT folks can leverage right away, check out the great work from the non-profit Global Cyber Alliance, and specifically, its Cybersecurity Toolkit for Elections. While focused on election infrastructure, I think the toolkit provides a great pathway for helping guide municipalities to resources they can quickly leverage to improve their cyber defenses.

Habit #3: Encourage Improvement through Repetition

As a youth soccer coach, my players have taught me two key characteristics that breed long-term confidence and success in any activity. First, that motivation to engage comes from recognizing accomplishment. We naturally steer towards the activities that bring us contentment and away from those that confound us. Second, players improve most when given enough opportunity to practice that they develop the “muscle memory” for responding to complex conditions predictably and to execute useful skills more intuitively. Players may not succeed in every practice, but they get better with each repetition.

The first two habits support that first characteristic, encouraging town officials to take ownership over what they can individually accomplish based on what they have the power to influence. Cybersecurity can be overwhelming to those who don’t understand it. Pounding harder on town officials only strengthens the barriers that they need to overcome to begin making improvements. This third habit focuses on the second characteristic, leveraging our expertise to help put the official in a position to realize incremental improvement.

When conducted in game-like environments, practice reinforces actions that promote positive outcomes. The same is true for effective cyber defense, shown by the thriving market for tabletop exercise facilitation and cyber range wargaming. While even experienced cybersecurity executives reported gaining value from exercises that I have facilitated, I found that non-security professionals also gain incredible insight from well-designed cyber defense exercises. They may not come out with the technical experience to run everything themselves, but the practice enhances communications pathways to respond faster, aids security control prioritization to strengthen controls where they’re most needed, and identifies where new business processes are needed to improve decision-making.

Establishing a backup strategy to improve ransomware defense provides a good opportunity for municipalities to begin building their cybersecurity muscle memory. Whereas most security professionals would rightly suggest starting with a comprehensive inventory of the town’s systems and services as part of a standard Business Impact Analysis, I would have the town official start with a simpler exercise that gets a quick win and can be easily repeated.

For example, I suggest starting with a collaborative, incremental process to determine what resources the municipality most depends on to function and prioritizing early actions against backing up those most critical services. The town official should identify the 3–5 people that are most critical to function continuity. Regardless of role or position on the organization chart, there is usually a small number of staff members who everyone trusts to fix problems. They probably know the most about how the organization functions and the dependencies for delivering critical services, making them central to any defensive action. From there, set aside a few hours with the group to whiteboard those functions and dependencies to determine where backups make the most sense and prioritize actions based on available time and resources. The objective should be to establish an action plan against the highest areas of concern.

Under ideal conditions, I would suggest hiring an expert cybersecurity facilitator to conduct the session, capture results, and report out. But, when resources are too tight to hire support, we should be able to provide some minimum resources that will help kick-start the process and build internal competency without specialized expertise. I found one simple template from the state of Oregon that I think municipalities can leverage to capture results from the session themselves to help determine initial backup needs. Then, by encouraging the town official to establish a regular meeting with that core group to repeat the exercise, we help the municipality build the “muscle memory” it needs to more effectively defend against ransomware attacks through practice.

Translated from: https://medium.com/swlh/3-habits-for-improving-municipal-ransomware-defense-c4bd027cad7c