1 March, 2023
Per the recently posted FedScoop article by John Hewitt Jones, titled U.S. Marshals Responding to Ransomware’ Major Incident’ on 22 February, “the U.S. Marshals (USMS) declared a major incident after briefing senior agency officials and is working to address any potential risk arising from the incident.” The article continues on Tuesday, 28 February; the USMS announced they are responding to a ransomware and data exfiltration event affecting a standalone IT system at the Department of Justice bureau. (https://fedscoop.com/us-marshals-service-responding-to-ransomware-major-incident/)
By now, we are familiar with ransomware and what it is, but if you are not, ransomware is malicious software designed to block access to a computer system until a sum of money is paid. Data exfiltration is the unauthorized transfer, copying, or retrieval of data from a computer or device, usually performed manually or by malware or other techniques.
The USMS breach occurred via a standalone system (a computer system that stands on its own with no connection to the internet. Any task or data associated with that computer stays inside the computer and is not accessible from anywhere else). This highlights standalone systems require the same scrutiny level as systems that connect to the internet or a cloud.
Many commercial and private businesses, local and state governments may not fully grasp the threats that facing systems (e.g., standalone, connected to the internet, or a cloud). These threats are real and need to be taken seriously. Below are three essential tips to mitigate the risk of compromise to your business, information, and systems:
- Configuration Management. Know what systems you have connected to your internet or accessing your information. Establish controls around your data to prevent and notify a security professional when an unauthorized MAC or IP address tries to access it. Your organization should establish and document a standard setup of tools and software for every information system on your network. This baseline should be change controlled, and any deviations from the baseline should be identified, documented, and approved before implementation.
- Auditing. You must audit your systems and cloud for anomalies at least weekly. When establishing an audit program, you must ensure that actions of individual systems users can be uniquely traced back to those users (MAC, IP address, login ID), identify auditable events, and establish an event logging process failure. You can review audit records, analyze them, and investigate anomalies.
- Access Control. Controlling who accesses your network and information is just as critical. Now that your organization knows what systems can be on your network (configuration management), you must ensure you control who accesses the data or network. It needs to be MANDATORY, MANDATORY, MANDATORY that everyone utilizes multifactor authentication (MFA). A username and password are not enough anymore. You’ll need additional factors to prove it is an authorized individual accessing your data or network.
Should your organization need support implementing your cybersecurity practices, contact us. Our team of professionals is prepared to support you.