Ransomware Holiday Hacks: Practical and Shareable Cybersecurity Tips

Ian Reay

November 18, 2021

The holiday season is here, and it creates a potential cybersecurity mess for IT professionals that rivals a room of unwrapped presents on Christmas morning. Information security and technology professionals already face growing hybrid work environments that mix home and organizational networks and personal and business devices. 

An attack can target your organization at any time of day, night, or year. However, during the holidays, employees and users are extensively shopping on websites that could be less than secure. They're purchasing new services and subscriptions (and creating new passwords for them all). At the same time, your IT and security teams will be operating at skeleton crew levels, leaving your networks more vulnerable to attack. Add in the heightened state of ransomware attacks heading into this year’s holidays, and that’s a recipe for trouble.

Now more than ever, organizations need secure authentication to stay competitive. Yet passwords remain the most prevalent verification method, even though poor hygiene and weak authentication leave them highly susceptible to social engineering and theft. To defend against the additional cybersecurity risk the holidays may bring, businesses must better arm employees in the battle against hackers.

Your organization can protect against ransomware, password vulnerabilities, and poor personal credential habits with actionable cybersecurity steps around password hygiene, authentication, and more, making the season merry, bright, and secure.

 

Implement Good Password Hygiene  

As employees download new services, sign up for new platforms, and shop during the holidays, they might inadvertently put your company at risk through everyday actions such as:

  • Using the same password at work for personal websites
  • Using deficient passwords they might not even realize are weak
  • Using previously compromised passwords or known password lists

You don’t want a security breach at an online retailer to be traced back to your employee through an email address that happens to use a manually synchronized (that is, reused) password.

You can take some simple and very approachable steps to ensure that employee work passwords are different from those used for personal shopping sites. These include:

  1. Require employees to change their passwords based on a policy and block them from re-using old passwords. Even if they use a password on a personal shopping website, it won’t be useful for long.
  2. Verify the passwords your employees choose with the Hitachi ID Bravura Pass integration with the Azure AD Password Protection Plugin or the Hitachi ID HaveIBeenPwned Plugin. These plugins ensure that the passwords are strong and do not appear on known lists of compromised passwords.

These two simple steps are essential safeguards your organization can implement to pick up the slack on good credential hygiene. Additionally, take the time to educate employees on what makes a good password and how to avoid compromised passwords, so they learn what secure online identities require and improve both their workplace and personal security.
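
The two checks from the steps above, password re-use and presence on a compromised-password list, can be sketched as follows. This is an added example, not code from the original post or from the Hitachi ID plugins; the function names and the constructed corpus are assumptions, and the breach lookup follows the Pwned Passwords range format, where only the first five characters of the SHA-1 hash leave your network.

```python
import hashlib
import hmac
import os

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password, fetch_range):
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 are sent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # padded responses carry decoys with count 0
    return 0

def history_entry(password, salt=None, rounds=100_000):
    """Keep old passwords only as salted PBKDF2 hashes, never in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

def reused(password, history):
    return any(hmac.compare_digest(history_entry(password, salt)[1], digest)
               for salt, digest in history)

def check_new_password(password, history, fetch_range):
    """Return the policy violations for a proposed password (empty = accept)."""
    problems = []
    if reused(password, history):
        problems.append("reused")
    if breach_count(password, fetch_range) > 0:
        problems.append("breached")
    return problems

# Constructed sample data standing in for the remote corpus so this runs offline.
# In production, fetch_range would GET https://api.pwnedpasswords.com/range/<prefix>.
CONSTRUCTED_CORPUS = {"Winter2021!": 1542, "password1": 9000}

def offline_range(prefix):
    hits = [f"{sha1_hex(p)[5:]}:{n}" for p, n in CONSTRUCTED_CORPUS.items()
            if sha1_hex(p).startswith(prefix)]
    return "\r\n".join(hits + ["0" * 35 + ":0"])  # plus one padding-style decoy

if __name__ == "__main__":
    history = [history_entry("Autumn2021!")]
    for pw in ("Autumn2021!", "Winter2021!", "x7#Lantern-Quartz-Mill"):
        print(pw, check_new_password(pw, history, offline_range))
```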

 

Adopt MFA

MFA doesn't have to be complicated. It can be as simple as a link or a PIN sent to your email or your phone. Yet the benefits are substantial, and your organization is more vulnerable without an MFA strategy. For example, an employee could get locked out of a personal account with a retailer and use their work password for the website. It's convenient. It's something they know. It’s human nature. Soon afterward, a ransomware engineer hacks the retail website, and without a second authentication factor or MFA, hackers now have access to your business's network and online services.

IT professionals design MFA to block these attacks dead in their tracks. The ransomware Grinch doesn’t have access to users’ email accounts or phones. Simply obtaining a known password won’t be enough. A hacker would need to intercept the additional authentication component or undertake far more invasive lateral movements through your online identities to leverage an exploit. 

Carefully consider your MFA implementation across your networks and online services. If MFA is missing from a vital resource, take action to:

  • Enable federated authentication using a password management platform like Hitachi ID Bravura Pass or an identity and access management (IAM) solution such as Hitachi ID Bravura Identity.
  • Adopt basic authenticator applications to protect the accounts in question if federation isn’t an option.

Take these essential steps to keep the Grinch’s hands off your network of presents.

 

Review Your Employee Standing Privileges

Strengthening identity-based security often involves ensuring that users' standing privileges fit their role in the organization. Make an informed assessment of the risks to your organization when an employee's identity is compromised, follow the principle of least privilege (PoLP), and, for highly sensitive privileges, grant access only for as long as it's needed: Just-in-Time (JIT) access.

The Hitachi ID Bravura Security Fabric can help you in this evaluation. Through Hitachi ID Bravura Identity, entitlement certification, and role-based access controls, you can right-size the standing privileges your employees have, ensuring the risks are tolerable and that your organization can take steps to recover its operations if an exploit should occur.

When some entitlements are simply too sensitive to allow people to hold all the time, consider a privileged access management solution such as Hitachi ID Bravura Privilege. You can use it to remove these sensitive standing privileges and simplify experiences by allowing people to request them when needed. Hitachi ID Bravura Privilege supports multiple strategies. A few common ones include:

  1. Personal admin accounts that protect these standing privileges behind randomized credentials never known to the administrator
  2. Shared credentials that can be requested when needed to perform administrative work
  3. Directory entitlements that IT and security can grant to directory accounts when needed and remove once maintenance work is done (JIT access privileges)

These simple strategies ensure that when your employees leave for the holidays, their accounts lack the “keys to the castle” level access that the ransomware Grinch craves. You can rest assured you've foiled his nefarious plans. 

 

Embrace that Zero Trust Is a Journey

Zero Trust is a security approach that addresses the new realities of hybrid networks and the holidays by trusting no one, whether internal or external to your organization.

Instead of approaching security as a closed, perimeter-based system, Zero Trust wraps security around every user, device, and connection for every single authentication, providing your organization with adaptive and continuous protection for users, data, and assets. The result? You can proactively manage threats. 

This post provides several fundamental and easily adaptable ways to improve your Zero Trust journey by taking actionable steps with quick ROI, such as:

  • Improve your employee credential hygiene.
  • Augment credentials with MFA to add additional hurdles for the Grinch to clear.
  • Minimize standing privileges so even a resourceful ransomware Grinch cannot lay hands on your network of presents.
  • Apply JIT for privileges that must never be compromised.

With these on your organization’s list, you can combat ransomware (and the hacker Grinch) this holiday season.

Register for our Zero Trust executive eRoundtable series, Zero Trust Maturity Matters, happening this November. These sessions are ideal for designing your organization's information security strategy and program across three levels of a Zero Trust paradigm.


Gain insight into vulnerabilities, cyber education, and Zero Trust with our one-minute white paper: Employees from Nearly 50% of Businesses Have Been Approached to Assist in Ransomware Attacks, Hitachi ID Survey Reveals.
