The U.S. Government's Recommended Measures for Businesses and Organizations Against the Ransomware Threat

The U.S. government recently published a letter to American businesses. It describes the serious damage ransomware is doing around the world and gives businesses and organizations five recommended measures to help them counter the threat.


The letter avoids dense jargon in favour of plain recommendations, so that anyone who reads it can understand what the government is advising.


We say the internet has no borders, and the same is true of ransomware: being in Taiwan does not mean you will not be attacked. After reading it, 捕夢網 translated this letter from the U.S. government to businesses and organizations into Chinese, keeping it concise, and marked up the recommendations in the text for easier reading.


=====The letter follows=====


English original

SUBJECT: What We Urge You To Do To Protect Against The Threat of Ransomware


The number and size of ransomware incidents have increased significantly, and strengthening our nation’s resilience from cyberattacks – both private and public sector – is a top priority of the President’s.


Under President Biden’s leadership, the Federal Government is stepping up to do its part, working with like-minded partners around the world to disrupt and deter ransomware actors. These efforts include disrupting ransomware networks, working with international partners to hold countries that harbor ransomware actors accountable, developing cohesive and consistent policies towards ransom payments and enabling rapid tracing and interdiction of virtual currency proceeds.


The private sector also has a critical responsibility to protect against these threats. All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location. But there are immediate steps you can take to protect yourself, as well as your customers and the broader economy. Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.


The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.


To understand your risk, business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations.


Below you will find the U.S. Government’s recommended best practices – we’ve selected a small number of highly impactful steps to help you focus and make rapid progress on driving down risk.


What We Urge You To Do Now


Implement the five best practices from the President’s Executive Order:


President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multifactor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack.

  • Back up your data, system images, and configurations, regularly test them, and keep the backups offline:

    Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

  • Update and patch systems promptly:

    This includes maintaining the security of operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

  • Test your incident response plan:

    There’s nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

  • Check Your Security Team’s Work:

    Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

  • Segment your networks:

    There’s been a recent shift in ransomware attacks –from stealing data to disrupting operations. It’s critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised.
    Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.
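The first bullet above says to test backups regularly and keep them offline, but the letter does not say what a test looks like. The following is an added example, not part of the memo or of any U.S. government tooling: a small restore drill in Python that records a SHA-256 manifest when the backup is taken, restores the archive into a scratch directory, and fails the drill when any file is missing, altered or the archive cannot be read at all. The directory names, file contents and the simulated tampering and "encryption" of the archive are constructed here for the demonstration. It also illustrates the point of the "offline" requirement: the trusted manifest has to live with the offline copy, because an attacker who can rewrite a reachable archive can rewrite a manifest stored beside it.

```python
# Added example, not part of the memo: a minimal backup restore drill.
# It records a SHA-256 manifest when the backup is taken, restores the archive
# into a scratch directory, and compares every restored file against the
# manifest. The sample files, paths and "ransomware" steps below are
# constructed for the demonstration.
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src plus a sidecar manifest; return the manifest.
    The trusted copy of the manifest belongs with the offline backup: an
    attacker who can rewrite the archive can rewrite a co-located manifest too."""
    manifest = make_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        for rel in manifest:
            tar.add(str(src / rel), arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(
        json.dumps(manifest, indent=2))
    return manifest


def _safe_members(tar: tarfile.TarFile):
    """Yield only regular files/dirs whose path cannot escape the target dir."""
    for m in tar.getmembers():
        name = os.path.normpath(m.name)
        if os.path.isabs(name) or name == ".." or name.startswith(".." + os.sep):
            continue
        if m.isfile() or m.isdir():
            yield m


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore archive into a scratch dir and diff it against the manifest."""
    result = {"ok": False, "missing": [], "modified": [], "extra": [], "error": None}
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                # Use the hardened extraction filter where this Python has it.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(str(dest), members=list(_safe_members(tar)), **kwargs)
        except Exception as exc:  # any failure to restore is a failed drill
            result["error"] = f"restore failed: {exc}"
            return result
        restored = make_manifest(dest)
        result["missing"] = sorted(set(manifest) - set(restored))
        result["extra"] = sorted(set(restored) - set(manifest))
        result["modified"] = sorted(p for p in manifest
                                    if p in restored and restored[p] != manifest[p])
        result["ok"] = not (result["missing"] or result["extra"] or result["modified"])
    return result


def run_demo() -> dict:
    """Constructed scenario: a clean drill passes; a backup whose contents were
    silently altered fails the manifest check; an archive that ransomware could
    reach and overwrote (the backup-was-on-the-network case) cannot be restored."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "erp"                      # hypothetical application data
        (src / "config").mkdir(parents=True)
        (src / "ledger.db").write_bytes(os.urandom(4096))
        (src / "config" / "app.ini").write_text("[db]\nhost=erp-db01\n")
        archive = root / "erp-backup.tar.gz"
        manifest = create_backup(src, archive)          # trusted manifest
        clean = restore_drill(archive, manifest)

        (src / "ledger.db").write_bytes(os.urandom(4096))  # altered before re-backup
        create_backup(src, archive)                       # new archive, old manifest
        tampered = restore_drill(archive, manifest)

        archive.write_bytes(os.urandom(archive.stat().st_size))  # "encrypted" archive
        encrypted = restore_drill(archive, manifest)
    return {"clean": clean, "tampered": tampered, "encrypted": encrypted}


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:9s} {'OK' if r['ok'] else 'FAIL'}  {r['error'] or r}")
```

Run as a script it prints one line per scenario; in a real drill, `run_demo` is replaced by restoring a production backup onto an isolated host and handing `restore_drill` the manifest kept with the offline copy. The drill deliberately counts an unreadable archive as a failure rather than an exception, since "the backup exists but cannot be restored" is exactly the outcome the letter warns about.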

Ransomware attacks have disrupted organizations around the world, from hospitals across Ireland, Germany and France, to pipelines in the United States and banks in the U.K. The threats are serious and they are increasing. We urge you to take these critical steps to protect your organizations and the American public. The U.S. Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility. The federal government stands ready to help you implement these best practices.

Additional Resources

FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks
RANSOMWARE GUIDANCE AND RESOURCES