NIST has released a draft Cybersecurity Framework Profile for Ransomware Risk Management to help organizations prevent, respond and recover from ransomware attacks.
The Ransomware Profile is intended to be used by organizations that have adopted the NIST Cybersecurity Framework and want to improve their risk postures or any organization that has not yet adopted the Framework but wants to implement a risk management framework to meet ransomware threats. The Ransomware Profile can be used to identify and prioritize opportunities for improving their ransomware resistance.
The Ransomware Profile outlines basic measures that can be implemented to improve defenses against ransomware attacks. These include the use of antivirus software, ensuring scans are automatically conduced on emails and flash drives, keeping computers fully patched, blocking access to known ransomware sites, only permitting authorized apps to be used, restricting the use of personally owned devices, restricting the use of accounts with administrative privileges, avoiding the use of personal apps, and conducting security awareness training to warn employees about the risks of clicking links or opening files sent from unknown sources. These measures alone will help to significantly reduce ransomware risk.
Should a ransomware attack succeed, it is essential for organizations to be prepared as this will allow them to limit the damage caused and accelerate the recovery time. That requires an incident recovery plan, maintaining an up-to-date list of internal and external contacts for ransomware attacks, and ensuring a comprehensive backup and restoration strategy is implemented.
Ransomware Profile is divided into five categories:
Identify is concerned with developing a thorough understanding of cybersecurity risks to systems, people, assets, data, and capabilities, which is essential for effective use of the Framework.
Protect involves implementing safeguards to prevent critical services from being disrupted to allow a business to continue to function
Detect is concerned with implementing systems that can detect intrusions prior to the deployment of ransomware, including maintaining logs and conducting audits when anomalous activity is detected.
Respond is concerned with taking appropriate actions to contain a ransomware attack
Recover concerned with implementing appropriate activities to restore capabilities and services that have been impacted by a ransomware attacks and taking steps to minimize the probability of future successful ransomware attacks to restore confidence among stakeholders.
NIST is accepting comments on the draft Ransomware Profile until July 9, 2021. After the revised Ransomware Profile is released, there will be a further comment period before the final Ransomware Profile is published.