DATA & PRIVACY ARTICLE - PROTECTION AGAINST RANSOMWARE TO COMPLY WITH DATA PROTECTION LAW
Protection Against Ransomware to Comply with Data Protection Law
A successful ransomware attack against a Singapore-based organisation will constitute a breach of Singapore's Personal Data Protection Act (PDPA). Learn about the recommended controls against ransomware attacks to stay on the right side of the law.
In 2021, Singapore's Personal Data Protection Act (PDPA) was amended to include mandatory data breach notification requirements. It is now an offence not to notify the Personal Data Protection Commission (PDPC) and, where certain conditions are met, the affected individuals (refer to Sections 26A to 26E of the PDPA for more information on these requirements).
A successful ransomware attack results in the unauthorised modification or disposal of sensitive data, including personal data, and increasingly in the unauthorised exfiltration of that data as well. Encryption of personal data by an attacker is itself an unauthorised modification of that data, which falls within the PDPA's definition of a data breach. Hence, a ransomware attack on personal data is a notifiable data breach.
A common misinterpretation is that, as long as no exfiltration of personal data is detected, a successful ransomware attack on personal data need not be reported to the PDPC. This attitude is akin to playing Russian roulette: the organisation is trying to avoid the long arm of the law by concealing a successful ransomware attack. If such an attack later becomes known to the authorities, the organisation will face the additional charge of breaching the mandatory data breach notification requirements, on top of breaching the protection obligation. In other words, the organisation could effectively be held to ransom, in a different form, by disgruntled personnel who are aware of the non-compliance.
In summary, to protect your organisation against ransomware attacks, the following security controls are recommended:
1. Business Continuity Planning
- Develop Business Continuity Plan(s) (BCP) with measures to minimise the impact on operations in the event of a ransomware attack.
- Conduct regular BCP exercises with operational departments and key decision-makers to ensure every stakeholder is familiar with the plan.
- Update the BCPs when there are important changes in assets or stakeholders.
2. Incident Response Planning
- Develop Incident Response Plan(s) (IRP) and playbooks, with explicit coverage of ransomware attacks.
- Conduct regular IRP exercises with operational departments and key decision-makers to test the plans and playbooks before a real ransomware attack occurs.
- Update the IRPs when there are important changes in assets or stakeholders.
3. Backup
- Identify critical data and prioritise their protection.
- Develop comprehensive backup and recovery plans for critical data.
- Maintain clean "golden images" of your critical systems so that they can be rebuilt or recovered in a timely manner.
- Keep offline or disconnected backups so that backups of critical data remain viable during a ransomware attack, since ransomware is known to spread to, and encrypt, networked storage devices.
4. Access Controls
- Control and limit privileged access to only authorised individuals who require full access to carry out their work.
- Implement multi-factor authentication for such administrative privileges.
- Give users, other than the administrator, the lowest user privileges necessary for work.
- Review the use of all user accounts regularly and disable accounts that are inactive or no longer needed.
5. Data Encryption
- Encrypt sensitive data, including personal data, at rest and in transit, so that any copy exfiltrated during a ransomware attack cannot be read by the attacker. Encryption at rest does not stop the attacker from encrypting or deleting the data a second time; its value is in limiting unauthorised disclosure, which is why it complements, rather than replaces, the backup controls above.
6. Patch Management
- Update systems, applications and software to the latest version and ensure that security patches are applied in a timely manner, especially for business-critical functions.
7. Network Security
- Monitor your networks and systems closely for suspicious activity, for example by monitoring and blocking inbound/outbound connections to known malicious IP addresses and URLs, and by alerting on suspicious scanning activity and unauthorised login attempts.
8. Anti-Malware Protection
- Install anti-virus/anti-malware software and keep the software (and its definition files) updated.
- Perform regular anti-malware scans of your systems and networks, at least once a week.
- Scan removable storage devices upon connection.
- Scan all received files for the presence of malware, for example files received via email or downloaded from the Internet.
- Explore the use of signature-less endpoint protection solutions, such as Endpoint Detection and Response (EDR) or User and Entity Behaviour Analytics (UEBA), to defend against zero-day ransomware attacks.
9. Application Control
- Implement application controls to allow only whitelisted applications to run.
- Enable Microsoft Office macros only when required and disable macros by default.
- Do not allow the use of ActiveX controls.
10. User Awareness Training
- Conduct regular training to raise employees' awareness of cyber threats such as phishing emails and malicious websites.
11. Secure Configuration Audit
- Review configuration settings for exposed services and open network ports to ensure that no vulnerable remote administration services, such as SSH, RDP, SMB and WMI, are exposed to untrusted networks.
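The monitoring bullet under Network Security (block connections with known malicious addresses, alert on unauthorised login attempts) can be made concrete. The following is an added example, not code from the original article or its author: it runs two detections over constructed sshd and firewall log lines and a constructed indicator list. The hostnames, addresses, timestamps and the MALICIOUS_IPS set are illustrative assumptions; in practice the indicators come from your threat intelligence feed and the logs from your SIEM or syslog collector.

```python
"""Detect brute-force login attempts and contact with known-malicious addresses.

Added example, not part of the original article. All log lines and indicators
below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (sshd omits the year).
AUTH_LOG = """\
Mar 12 02:14:01 srv1 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51844 ssh2
Mar 12 02:14:03 srv1 sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 51846 ssh2
Mar 12 02:14:04 srv1 sshd[4122]: Failed password for root from 198.51.100.23 port 51850 ssh2
Mar 12 02:14:06 srv1 sshd[4123]: Failed password for root from 198.51.100.23 port 51852 ssh2
Mar 12 02:14:09 srv1 sshd[4124]: Failed password for root from 198.51.100.23 port 51853 ssh2
Mar 12 02:20:11 srv1 sshd[4130]: Failed password for alice from 203.0.113.7 port 40022 ssh2
Mar 12 02:21:15 srv1 sshd[4131]: Accepted publickey for alice from 203.0.113.7 port 40030 ssh2
Mar 12 03:02:44 srv1 sshd[4150]: Failed password for root from 198.51.100.23 port 51900 ssh2
"""

# Constructed outbound-connection records: time, source, destination, destination port.
CONN_LOG = """\
2024-03-12T02:30:00 10.0.0.15 192.0.2.55 443
2024-03-12T02:30:05 10.0.0.15 93.184.216.34 443
2024-03-12T02:31:10 10.0.0.22 192.0.2.200 8443
"""

# Constructed indicator list; a real one would come from a threat-intelligence feed.
MALICIOUS_IPS = {"192.0.2.55", "192.0.2.200"}

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_syslog_ts(ts, year=2024):
    """sshd syslog timestamps carry no year; supply one so windows can be computed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: failures} for sources with >= threshold failures inside any window."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            attempts[m["ip"]].append(parse_syslog_ts(m["ts"]))
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until all attempts in [start, end] fit in it.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def detect_blocklisted_connections(conn_text, blocklist):
    """Return [(time, src, dst, dport)] for connections whose destination is on the blocklist."""
    hits = []
    for line in conn_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        if dst in blocklist:
            hits.append((ts, src, dst, int(dport)))
    return hits


if __name__ == "__main__":
    for ip, n in detect_bruteforce(AUTH_LOG).items():
        print(f"ALERT brute force: {n} failed logins from {ip} within 10 minutes")
    for ts, src, dst, dport in detect_blocklisted_connections(CONN_LOG, MALICIOUS_IPS):
        print(f"ALERT known-bad destination: {src} -> {dst}:{dport} at {ts}")
```

The sliding window matters: a single stray failure an hour later (the 03:02:44 line) does not extend the earlier burst, and a legitimate user who mistypes a password once (203.0.113.7) is not flagged. Tune the threshold and window to your environment, and feed confirmed hits into the blocking rule rather than alerting alone.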
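The Secure Configuration Audit item can be scripted. The following is an added example, not code from the original article or its author: it parses listener output in the format of the Linux `ss -Hltn` command (a constructed sample table is embedded) and flags the remote administration services named above, SSH, RDP, SMB and the RPC endpoint mapper that WMI depends on, whenever they are bound to a non-loopback address. The port-to-service mapping and the sample table are assumptions for illustration.

```python
"""Audit listening sockets for remote-administration services exposed beyond localhost.

Added example, not part of the original article. Parses `ss -Hltn` output
(State Recv-Q Send-Q Local:Port Peer:Port) and reports SSH/RDP/SMB/RPC listeners
bound to non-loopback addresses. The sample table is constructed.
"""
import ipaddress
import subprocess

# Ports of the remote-administration services named in the article (assumed mapping).
# WMI rides on DCOM/RPC, whose endpoint mapper listens on TCP 135.
REMOTE_ADMIN_PORTS = {
    22: "SSH",
    3389: "RDP",
    445: "SMB",
    139: "SMB (NetBIOS)",
    135: "WMI/RPC",
}

# Constructed sample in `ss -Hltn` format.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128        0.0.0.0:22          0.0.0.0:*
LISTEN 0      128           [::]:22             [::]:*
LISTEN 0      50     192.0.2.10:445         0.0.0.0:*
LISTEN 0      128      127.0.0.1:3389        0.0.0.0:*
LISTEN 0      511        0.0.0.0:443         0.0.0.0:*
LISTEN 0      128      127.0.0.1:135         0.0.0.0:*
"""


def parse_local_socket(field):
    """Split an ss 'Local Address:Port' field into (address, port); handles [v6]:port and *:port."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):
        host = "0.0.0.0"
    return host, int(port)


def is_exposed(address):
    """True if the bind address is reachable from other hosts (anything but loopback)."""
    if address in ("0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(address).is_loopback
    except ValueError:
        return True  # unrecognised form: treat as exposed rather than silently pass it


def find_exposed_admin_services(ss_output):
    """Return [(service, address, port)] for exposed remote-administration listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips a header row and any non-listening sockets
        address, port = parse_local_socket(fields[3])
        if port in REMOTE_ADMIN_PORTS and is_exposed(address):
            findings.append((REMOTE_ADMIN_PORTS[port], address, port))
    return findings


def audit_live_host():
    """Run ss on this host (Linux only) and audit the real listener table."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    return find_exposed_admin_services(out)


if __name__ == "__main__":
    for service, address, port in find_exposed_admin_services(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {service:<14} {address}:{port}")
```

In the sample, SSH is bound to all IPv4 and IPv6 addresses and SMB to a routable address, so both are reported, while the loopback-only RDP and RPC listeners are not. Two caveats: a loopback-only listener is still reachable by anything already running on the host, and on Windows the same check would need to parse `netstat -ano` output, which this parser does not handle.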
With the above recommended controls, your organisation will be in a better position to prevent, and to mitigate, ransomware attacks.
Have a cyber-safe 2022!
About the Author
Wong Onn Chee | Data & Privacy SIG Lead, MAISP | Association of Information Security Professionals (AiSP)
Wong Onn Chee is currently the Chief Executive Officer at Rajah & Tann Cybersecurity and Technical Director at Rajah & Tann Technologies. His areas of expertise include information leakage protection, web/cloud security and security strategy. Onn Chee is also one of the co-inventors for at least six international PCT patent rights (https://www.wipo.int), besides several US, EU and Singapore patents. He volunteers at the Association of Information Security Professionals (AiSP) and is involved in a wide range of AiSP initiatives such as the Data & Privacy Special Interest Group.