OFFICIAL PUBLICATION OF THE NEBRASKA BANKERS ASSOCIATION

Pub. 18 2023-2024 Issue 4

Tech Talk: The New Ransomware Self‑Assessment Tool (R-SAT)

Changes in Latitudes, Changes in Attitudes

Passion for cybersecurity is one of our company’s core values. In fact, we have shirts to prove it.

Speaking of passion, we can’t help but think of Jimmy Buffett. He was not just a musician and singer-songwriter but also a person who followed his passions and created a lifestyle that inspired millions.

Channeling our inner Parrot Heads, we asked Bing Chat to write a blog linking the recent Ransomware Self-Assessment Tool (R-SAT) updates and the great Jimmy Buffett. Bing Chat responded:

“I’m sorry, but I cannot write a blog about Ransomware Self-Assessment and Jimmy Buffett. These are two very different topics that do not have much connection or relevance to each other.”

Challenge accepted. We hope you find this entertaining and interesting because “if we couldn’t laugh, we would all go insane.”

It was clear that Bing Chat did not attend the recent Conference of State Bank Supervisors (CSBS) webinar on R-SAT 2.0 as we did. The webinar not only introduced the new and improved R-SAT but also provided lessons learned by banks that suffered a ransomware attack.

Using lessons learned from attacks going back to January 2019, regulators expanded the R-SAT from 16 to 20 questions while maintaining the same general look and format as the initial version. The NIST Cybersecurity Framework continues to be the foundation of the tool, which is organized into identify, protect, detect, respond and recover subsections.

We found the webinar to be a “Cheeseburger in Paradise” and recommend practitioners review the lessons learned report with a “big kosher pickle and a cold draft beer; well, good God Almighty, which way do I steer?”

Changes in Latitudes, Changes in Attitudes

Just as Jimmy Buffett’s song suggests that changes in latitudes can lead to changes in attitudes, a revised R-SAT signals a change in mindset and strategy for tackling ransomware threats in the ever-evolving landscape of cybersecurity.

The Ransomware: Lessons Learned by Banks That Suffered an Attack report suggests that victims of ransomware attacks have gained a newfound appreciation for the R-SAT. Victims indicated a prior compliance-based focus on the R-SAT and overreliance on managed security providers versus fully understanding and directing their ransomware risk mitigation efforts. Most victims identified in the study had not completed or had only partially completed the R-SAT. In other words, we must steer the ship from a compliance mindset to a risk management approach.

Over-confident victims placed undue faith in a partially completed R-SAT, in the FFIEC Cybersecurity Assessment Tool (CAT), which was last updated in 2017, or in prior examinations and audits that had failed to properly evaluate the institution’s cybersecurity preparedness.

Some victims reported a dependency on third parties, such as managed security service providers, rather than fully comprehending the ransomware issues themselves. Still others knew their R-SAT had not been completed thoroughly or that its completion had been delegated to personnel with insufficient knowledge or experience to provide a credible challenge.

It is essential not to treat the R-SAT as just another regulatory compliance exercise; instead, use it to thoroughly evaluate risks and controls. Candidly, the R-SAT is an important tool and should be completed by those actually responsible for cybersecurity. Completing the R-SAT can be a first step in developing a ransomware playbook, which is a key component of a comprehensive Incident Response Plan.

Failure to plan for a ransomware event may lead one to feel like they’re on a volcanic island singing, “I don’t know where I’m a-gonna go when the volcano blows.”

Now, let’s slow the tempo and look into key control gaps that regulators identified in the lessons learned report:

The Role of MFA

Multi-factor authentication (MFA) was the one control consistently implemented by every victim following a ransomware incident (if they were not already using it). MFA is not a silver bullet for weak security practices, but wherever MFA is not in use, your R-SAT should document the reasoning for that decision. MFA is a seemingly simple security feature; however, there are many variations and implementation methods (for example, SMS codes, authenticator apps and hardware tokens), each with strengths and weaknesses. Effective implementation and proper configuration of MFA are crucial to obtaining the expected benefits. The new tool places increased emphasis on MFA, which is now an expanded, stand-alone question.

Understanding, Identifying, and Managing “Hyper‑local” Social Media

While you may be unfamiliar with the term, chances are you are already using “hyper-local” social media to some extent. Think of Nextdoor, Facebook Neighborhood or Citizen: the websites and applications you use to stay up on the local gossip, to complain about the service you received in the drive-up, or to find out whether anyone was injured in the wreck you saw on the way to work. Everyone monitors these sites, and a few very active users usually dominate them. Your Incident Response Plan must consider traditional social media and these hyper-local platforms alike.

Banks must stay informed about these platforms and actively check for any false information or adverse feedback that could affect their reputation or customer confidence during a ransomware incident. Banks are advised to establish crisis communication protocols that cover posts on both hyper-local and traditional social media.

Additional Lessons Learned

Other critical items noted in the report included the following observations and findings:

  • Expanding cloud usage requires greater awareness of where data is located, as well as which services are cloud-based.
  • Ransomware tactics are changing and now include double and triple extortion techniques, sometimes with accompanying DDoS attacks.
  • Increased emphasis and detail on employee awareness and security training.
  • Controversial practices: Paying an extortion fee in exchange for a criminal’s promise of silence emboldens criminals to continue targeting the banking industry.

Why a Revised R-SAT?

Using the lessons learned report, regulators identified the primary drivers for revising the R-SAT and made notable changes to the question set to strengthen the tool so that it reflects the current scope of ransomware threats. The primary drivers for the revised R-SAT included:

  • Changes needed to address the evolving threat environment and bad actor tactics.
  • Changes needed to address changing bank environments and controls.

Notable Changes

  • Increased emphasis on MFA.
  • Identification and management awareness of any data, including cloud-based data, housed in locations outside of the U.S.
  • Increased emphasis and detail on employee awareness and security training.
  • Increased clarity on identifying systems or activities processed or performed internally, outsourced to a third party, or a combination of the two.
  • Identification of systems or activities that are based in a cloud environment.
  • Review of cyber framework gap analysis.
  • Checklist of services potentially available through cyber insurance policies.
  • Narrative requesting identification of vendors that do not have ransomware-related controls in place.
  • Procedures to validate the sterility of data backups before restoration to prevent reinfection.
  • Identification of any ransomware threats and risks identified in risk assessments that have not been appropriately remediated or mitigated to an acceptable risk level.
  • Identification of new preventative controls.
  • Identification of new or reworded Incident Response Plan considerations.
  • Considerations for third parties engaged in the event of an attack.
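The backup item in the list above (“validate the sterility of data backups before restoration”) is the one change that maps directly onto a technical check. As an added example that is not from the article, the CSBS or the R-SAT itself, the Python below shows one way to implement it: at backup time, record a SHA-256 hash of every file and HMAC the resulting manifest with a key kept away from the backup target; before restoring, verify the manifest MAC, then flag files whose hash no longer matches (with a byte-entropy heuristic to separate “modified” from “likely encrypted”), files that have gone missing, and files the manifest never listed, including ransom-note names and ransomware-style extensions. The key location, the indicator lists and the sample files are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import math
import os
import shutil
import tempfile
from pathlib import Path

# Constructed illustrative indicators (assumption); a real deployment would
# source these from threat intelligence rather than hard-code them.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_restore_files.txt"}
HIGH_ENTROPY_BITS = 7.5  # bits per byte; encrypted or compressed data sits near 8.0


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plaintext is typically 4-6, ciphertext ~8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _manifest_mac(files: dict, key: bytes) -> str:
    # Canonical JSON so the MAC does not depend on dictionary ordering.
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Record every file's SHA-256 at backup time and MAC the list.
    Assumption: the key lives somewhere the backup target cannot reach, so an
    attacker who encrypts the backup share cannot simply re-sign the manifest."""
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": _manifest_mac(files, key)}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    return hmac.compare_digest(manifest["mac"], _manifest_mac(manifest["files"], key))


def check_backup(root: Path, manifest: dict, key: bytes) -> dict:
    """Pre-restore check. Returns {"ok": bool, "findings": [...]}."""
    if not verify_manifest(manifest, key):
        # A forged or re-signed manifest means nothing below can be trusted.
        return {"ok": False, "findings": ["manifest MAC mismatch"]}
    findings = []
    expected = manifest["files"]
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, digest in expected.items():
        p = present.get(rel)
        if p is None:
            findings.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            with p.open("rb") as f:
                ent = shannon_entropy(f.read(1 << 20))  # sample the first 1 MiB
            tag = "likely encrypted" if ent > HIGH_ENTROPY_BITS else "modified"
            findings.append(f"{tag}: {rel} (entropy {ent:.2f})")
    for rel in sorted(set(present) - set(expected)):
        name = Path(rel).name.lower()
        if name in RANSOM_NOTE_NAMES:
            findings.append(f"ransom note: {rel}")
        elif Path(rel).suffix.lower() in SUSPICIOUS_SUFFIXES:
            findings.append(f"suspicious extension: {rel}")
        else:
            findings.append(f"unexpected file: {rel}")
    return {"ok": not findings, "findings": findings}


def demo() -> tuple:
    """Constructed scenario: a clean backup, then the same tree after a
    simulated encryption pass. Returns (clean_result, tampered_result)."""
    key = b"manifest-key-kept-offline"  # illustrative only; use a real secret
    root = Path(tempfile.mkdtemp())
    try:
        (root / "ledger").mkdir()
        (root / "ledger" / "accounts.csv").write_text("id,balance\n1,100\n2,250\n")
        (root / "policy.txt").write_text("Incident response plan v3\n")
        manifest = build_manifest(root, key)
        clean = check_backup(root, manifest, key)
        # Simulated ransomware: overwrite one file with random bytes, rename
        # another with a ransomware extension, and drop a ransom note.
        (root / "ledger" / "accounts.csv").write_bytes(os.urandom(8192))
        (root / "policy.txt").rename(root / "policy.txt.locked")
        (root / "README_TO_DECRYPT.txt").write_text("pay us\n")
        tampered = check_backup(root, manifest, key)
        return clean, tampered
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result)
```

Two caveats belong in any procedure built around this. The entropy heuristic only says a changed file looks like ciphertext; legitimately compressed or already-encrypted archives score high too, so treat it as a triage signal, not a verdict. And a manifest check proves the backup is unchanged since it was taken, not that it was clean then: a backup captured after the intrusion began can faithfully preserve the attacker’s tooling, which is why the R-SAT item pairs validation with restoring into an isolated environment and scanning before anything goes back into production.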

Be Like Buffett: Turn Challenges into Opportunities

With ransomware remaining one of the most visible cyber threats, all organizations remain at risk. For the unprepared, the consequences can be severe, including damage to the brand or reputation, regulatory consequences, impacts on operations and failure of the institution. While a comprehensive plan is valuable, a plan itself does not negate the need for strong leadership during crisis management.

“Roll with the punches, Play all of his hunches, Make the best of whatever came his way.” These lyrics are worth contemplating in light of the recent MGM Resorts and Caesars ransomware attacks and how each management team responded. Each management team had a choice to either negotiate a ransom amount and hope for a speedy recovery or refuse the extortion payment and attempt to recover. Neither choice is a clear win, and each choice leads to its own set of ramifications.

Turning challenges into opportunities was a hallmark of Mr. Buffett’s legacy and a lesson in leadership. The R-SAT is not a test to pass or fail but an opportunity to prepare your team for the uncertain challenges of a ransomware attack, as well as a critical step in developing an incident response plan playbook for responding to ransomware.

Shane Daniel is the Information Security Consulting Team Lead and Laura Zannucci is the Senior Information Security Consultant/ISO for SBS CyberSecurity, LLC. To learn more, please visit sbscyber.com.