By: Brandon Polk, Director of Compliance Services
Contextual Security Solutions | February 6, 2017 @ 12:31
Everyone has heard of a computer virus, a type of malicious software (malware) that infects your computer and often produces some kind of harm or undesired result. Maybe the virus steals your passwords or files, maybe it corrupts your device, or maybe it just annoys you with popups and advertisements. Currently, one of the biggest virus/malware threats falls into a category all of its own: ransomware. Ransomware is a type of malware that secretly encrypts your device’s contents and then demands a ransom payment to decrypt and recover the content.
The FBI estimates that ransomware has become a billion-dollar ($1B) a year business for cybercriminals targeting legitimate businesses of all shapes and sizes. Security researchers have identified a 600% increase in ransomware variants, and recent surveys suggest more than 50% of small and midsized businesses (SMBs) have already been victims of these attacks. The research also identifies email as the most common attack vector, but the email is just one small element of an overall attack.
An email in and of itself is rarely malicious; it’s what happens after the email is received that determines whether a cybercriminal gets a payday. These emails rely on the recipient opening an attachment or clicking a link within the email. Furthermore, these criminals are typically hoping to take advantage of a known vulnerability or weakness in the device and/or the software running on that device.
Fortunately, a properly implemented PCI compliance program yields several layers of defense against these types of attacks. The first line of defense should be the email recipient. An effective security awareness training program enables people to identify and appropriately respond to emails and/or other events that may cause harm to an organization or its infrastructure. Training is also a PCI requirement.
Unfortunately, training isn’t enough. The popularity and success rate of these attacks is evidence that training often fails, which is why it’s also critical to adopt a defense-in-depth strategy for mitigating and handling these threats. Through compliance with other PCI requirements, your business will be better protected by implementing regular patch management processes to shore up system weaknesses, testing and monitoring processes to identify anomalies on critical systems, and incident response procedures to contain and eradicate a successful attack.
For additional information about the specific PCI requirements mentioned above, as well as links to industry resources such as research from Verizon Enterprise, the FBI, US-CERT, and the No More Ransom Project (which provides decryption tools and how-to guides for common ransomware variants), check out the “Defending Against Ransomware” resource guide from the PCI Security Standards Council here: PCI SSC Ransomware Resource Guide