BitSight research demonstrated some organizations are more than eight times as likely to become ransomware victims.
May 2021 is proving that the ransomware trend is running ahead nearly unabated. In the US, the Darkside APT group crippled the largest fuel supplier in the northeast, causing a system wide shutdown affecting nearly the entire US east coast’s fuel supply for several days. In Europe, a double whammy hit the Irish health system when the Health Service Executive, Ireland’s health care operator and its Department of Health suffered a ransomware attack forcing a shutdown within its IT infrastructure.
The collateral consequences of ransomware also include cost to insurance companies who underwrite cybersecurity policies. While they conduct diligence in the form of cyber risk assessment questionnaires and assessment of cybersecurity performance data—BitSight cyber insurance clients underwrite more than half of the global cyber premium—no security ratings provider has conducted a correlation to ransomware study with definitive results. Until now.
While no organization is immune from determined cyber criminals, there are best practices for minimizing the likelihood of being victimized. Chief among them is a relentless focus on core security hygiene - that common practice of ensuring cybersecurity controls, practice, and people are performing effectively every day. While best practices are widely acknowledged, it’s clear performance excellence is only being achieved by a few leaders.
BitSight’s research team analyzed hundreds of ransomware events since Nov 2018 to estimate the relative probability that an organization will experience a ransomware event. The analysis looked back over five six-month periods benchmarked against companies with high BitSight rating (750+) for security effectiveness.
Overall, the data shows that organizations with a rating lower than 600 are 6.4x, and organizations with a rating between 600-650 are 4.6x more likely to be a ransomware victim compared to the benchmark of organizations with a 750+ rating. BitSight continuously and non-intrusively assesses organizational cybersecurity performance by evaluating security performance observations across 23 different categories, including compromised and exposed systems, critical vulnerabilities, patching rates, software security, and other key issues. BitSight processes more than 250 billion security measurements on a daily basis to provide an objective security rating (using a 250-900 scale) based on its observations that is independently verified to be correlated with breach risk.
Risk Based on BitSight Rating
Digging deeper into what BitSight calls individual risk vectors, patching cadence (the elapsed time between software patches becoming available compared to when patches are implemented) is a strong security program performance indicator. The more time that passes between patch available and patch implemented indicates lower performance. Unsurprisingly, poor patching performance correlates to a nearly sevenfold increase in ransomware risk for companies with a C grade or lower. TLS/SSL certificate and configuration management offer comparably strong security program performance indicators. Companies with a C grade or lower in TLS/SSL Configurations are nearly four times more likely to be a ransomware victim and companies with a C grade or lower in TLS/SSL Certificates are roughly 3 times more at risk of a ransomware incident,
Risk Based on Patching Cadence Grade
In the above chart and the two that follow, letter grades provide a quick way to understand how a company is performing in each risk type, and also provides a meaningful way to compare risk type performance of one company to another.
Letter grades are directly correlated to how well a company is performing, relative to all companies in the BitSight inventory. Below is a table that outlines how each grade correlates to their performance, relative to their company size:
Risk Based on TLS/SSL Certificate Grade
Risk Based on TLS/SSL Configurations Grade
Ransomware attacks have been rising at an alarming rate — with victims ranging from one of the largest fuel suppliers in the United States to Ireland’s Department of Health. Download our ebook to learn more about:
Looking for a deeper understanding of the relationship between our security data and ransomware incidents, the BitSight data science team tested all the confirmed vulnerabilities used in the BitSight rating for correlation with ransomware incidents. Using a statistical analysis, they found five interesting cases where presence of a particular vulnerability indicated heightened risk of a ransomware incident.
|
Vulnerability |
Increased Risk of Ransomware |
|
CVE-2014-3566 |
1.5 |
|
CVE-2016-0800 |
1.3 |
|
CVE-2012-6708 |
1.3 |
|
CVE-2018-13379 |
1.8 |
|
PulseSecure Group |
2.6 |
CVE-2014-3566 is the POODLE vulnerability and CVE-2016-0800 is the Drown SSL vulnerability, these are both related to obsolete SSL protocols and by themselves pose no serious threat to companies. However, tens of thousands of companies have been running servers that allow these obsolete protocols. Similarly CVE-2012-6708 is an older jQuery vulnerability which is an unlikely attack vector and has been detected in nearly 20 thousand companies.
The vulnerability CVE-2018-13379 and a group of vulnerabilities associated with PulseSecure VPN devices are more interesting. CVE-2018-13379 is associated with Fortinet VPN devices and has a CVSS score of 9.8. For PulseSecure devices, there are seven vulnerabilities from 2019 which are often seen together; of these CVE-2019-11510 is the most significant having a CVSS score of 10.0 which is the highest possible value. Both of these vulnerabilities are very likely attack vectors and were specifically called out by US Government agencies: CVE-2018-13379 by DHS and CVE-2019-11510 by the NSA.
Overall the research demonstrates the correlation of BitSight’s overall rating and performance against three risk vector ratings that provide clear ransomware risk indicators. Furthermore, analysis of specific vulnerabilities complements observations made regarding patching cadence resulting in increased ransomware risk.
The BitSight rating and three specific risk vectors provide strong ransomware risk indicators. Overall, the rating and risk vectors offer a statistically valid reflection of overall security practices. In other words, organizations whose practice is to have long elapsed times between updates becoming available and patches implemented is very likely representative of practices in other security domains. Therefore, while rating and risk vectors offer specific evidence. The elevated ransomware risk will simply shrink by improving patching cadence. Risk reduction will come from an overall improvement in practices.
Regarding vulnerabilities, BitSight data concludes that there are two main possibilities for the correlation between the select vulnerabilities and the likelihood of suffering a ransomware event:
The research demonstrates how daily security program performance matters. As organizations deploy anywhere from 20 to 50 discrete security controls, leadership teams everywhere are asking the question, “Is my organization protected?” The answer is not about how much you spend, but rather how diligently controls are maintained. Cyber attacks rarely employ novel, never before seen techniques, like zero day attacks. It is far more common for attackers to acquire customizable tools available on the dark web to exploit a series of vulnerabilities and weak controls to wreak havoc.
Interested in how effective your security controls are against combating risk? Contact BitSight to get started managing your risk landscape or download our datasheet on how BitSight Security Ratings correlate to Ransomware.
Request your free custom report and see how you can start reducing your cyber risk exposure across your digital ecosystem: cloud assets across all geos & subsidiaries; discover shadow IT; security risk findings; and more!
