Ransomware - There's a Tool for That - WST

In a previous WST, you may have noticed a bulleted item for a Ransomware Self-Assessment Tool (R SAT). Or you may not have. Regardless, it's something you'll likely be hearing more about, so this week we're going to take a closer look at it.

There can be no denying that ransomware has had a significant and increasing impact on organizations of all sizes across multiple industries. With a reported average of 16 days of downtime and an average payment of $84,000 last year, ransomware was the second most common malware incident type and the third most common breach type according to the 2020 Verizon Data Breach Investigations Report. Financial institutions are among the most targeted for ransomware, but no industry is immune. In October of 2020, the R-SAT was designed by the Bankers Electronic Crimes Task Force, State Bank Regulators, and the U.S. Secret Service to give financial institutions another tool in their arsenal to identify gaps in their information security postures that could leave them susceptible to ransomware attacks.

Quick show of virtual hands - who has heard of the R-SAT? There are already calls from a couple of state banking regulators to have the worksheet filled out in January (AL, OH). Others are asking that it be completed and submitted for review in Q1 (AR). To see how your institution may be impacted, an Internet search for "Ransomware Self-Assessment Tool" and your state should lead you to relevant information unless your state hasn't made a statement yet.

So, what is this remarkable new tool that's going to save your institution from the scourge known as ransomware? First, let's do a quick sanity check. The R-SAT is NOT a magical inline filter that plugs in to your external firewall interface, immediately identifies all ransomware and unmercifully squashes it like the unholy vermin it is. Rather, it's a questionnaire designed to help you think about things you may not have thought of before about your network security posture. Sixteen questions are presented that cover areas like:

• What compliance framework(s) are you using, if any?
• What kind of controls and policies do you have in place?
• What types of data do you have (and where it is stored)?
• What assessments have you performed?

At this point you may ask, "How is that any different from any other audit or assessment I already do nineteen times a year?" Candidly, it's really not much different. However, have you ever taken an audit report and said, "Yeah, this shows me EVERYWHERE I'm vulnerable to ransomware!" Unlikely. And that is where the R-SAT differentiates itself. It helps you to take information you may already have and consider it in a different context. And, like any self-assessment, the R-SAT is only going to be useful if you're completely honest with your answers. This isn't an attempt at playing "Stump-the-Chump;" the answers you provide can help your Risk, Compliance, and Information Security teams (or team, if all areas are handled by one group or person) get a better understanding of the areas that may require some additional focus, which should aid your C-level execs and board members get an idea of how vulnerable (or not) your institution is.

At this point, if your interest is at all piqued, the best idea would be to download the R-SAT and start filling it out. You can find it at https://www.csbs.org/ransomware-self-assessment-tool. Happy hunting!

Authored by: Rich Whyrick, MCP, ITIL, Security+