NIST Preliminary Draft: Cybersecurity Framework Profile for Ransomware Risk Management June 2021

Preliminary Draft NISTIR 8374
June 2021

Introduction

The Ransomware Profile defined in this report maps security objectives from the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 [1] (also known as the Cybersecurity Framework) to security capabilities and measures that support preventing, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization's level of readiness to mitigate ransomware threats and to react to the potential impact of events. The profile can also be used to identify opportunities for improving cybersecurity to help thwart ransomware.

1.1 The Ransomware Challenge

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. In some instances, attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware disrupts or halts an organization’s operations and poses a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and restore operations themselves. The methods used to gain access to an organization’s information and systems are common to cyberattacks more broadly, but they are aimed at forcing a ransom to be paid. Ransomware attacks target the organization’s data.

Fortunately, organizations can follow recommended steps to prepare for and reduce the potential for successful ransomware attacks. This includes identifying and protecting critical data, systems, and devices from ransomware, and preparing to respond to any ransomware attacks that succeed. There are many resources available to assist organizations in these efforts. They include information from the National Institute of Standards and Technology (NIST), the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS). 

The security capabilities and measures provided in this profile support a detailed approach to preventing and mitigating ransomware events. Even without undertaking all of these measures, there are some basic preventative steps that an organization can take now to protect against the ransomware threat. These include: 

  • Use antivirus software at all times. Set your software to automatically scan emails and flash drives. 
  • Keep computers fully patched. Run scheduled checks to keep everything up-to-date. 
  • Block access to ransomware sites. Use security products or services that block access to known ransomware sites. 
  • Allow only authorized apps. Configure operating systems or use third-party software to allow only authorized applications on computers. 
  • Restrict personally owned devices on work networks. 
  • Use standard user accounts versus accounts with administrative privileges whenever possible. 
  • Avoid using personal apps—like email, chat, and social media—from work computers. 
  • Beware of unknown sources. Don’t open files or click on links from unknown sources unless you first run an antivirus scan or look at links carefully.

Steps that organizations can take now to help recover from a future ransomware event include:

  • Make an incident recovery plan. Develop and implement an incident recovery plan with defined roles and strategies for decision making. This can be part of a continuity of operations plan. 
  • Backup and restore. Carefully plan, implement, and test a data backup and restoration strategy—and secure and isolate backups of important data. 
  • Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement. 
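The "Backup and restore" item above asks organizations to test their restoration strategy, not just run backups. The following Python script is an added example (not code from the NIST draft or from AHA) of what such a drill looks like in practice: it copies a constructed sample directory into a backup location, records a SHA-256 manifest beside the copy, restores from that copy, and then checks the restored tree against the manifest so that missing, altered, or unexpected files are reported rather than silently accepted. The function names (`backup_tree`, `restore_tree`, `verify_restore`, `run_drill`), the directory layout, and the sample files are the example's own assumptions; only the Python standard library is used.

```python
"""Backup-and-restore drill with integrity verification.

Added example, not part of NIST IR 8374 or the AHA page. The layout
(<backup_root>/data plus <backup_root>/manifest.json) and all function
names are assumptions made for this illustration.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_tree(source: Path, backup_root: Path) -> Path:
    """Copy `source` to <backup_root>/data and write a manifest of per-file
    SHA-256 hashes next to the copy. The manifest lets a later restore be
    checked without trusting the original, which may by then be encrypted."""
    dest = backup_root / "data"
    shutil.copytree(source, dest)
    manifest = {
        p.relative_to(dest).as_posix(): sha256_file(p)
        for p in sorted(dest.rglob("*")) if p.is_file()
    }
    (backup_root / "manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return backup_root


def restore_tree(backup_root: Path, target: Path) -> None:
    """Restore the backed-up data into `target` (must not exist yet)."""
    shutil.copytree(backup_root / "data", target)


def verify_restore(backup_root: Path, restored: Path) -> dict:
    """Compare every file under `restored` with the manifest and report
    files that are missing, corrupted (hash mismatch) or unexpected
    (present in the restore but absent from the manifest)."""
    manifest = json.loads((backup_root / "manifest.json").read_text())
    report = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    seen = set()
    for p in sorted(restored.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(restored).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif sha256_file(p) != manifest[rel]:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    report["passed"] = not (report["missing"] or report["corrupted"]
                            or report["unexpected"])
    return report


def run_drill(tamper: bool = False) -> dict:
    """Run the whole drill on constructed sample data in a temp directory.
    With tamper=True one restored file is overwritten, simulating a restore
    that quietly brought back damaged data; the report must then fail."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "finance").mkdir(parents=True)
        # Constructed sample files; any real data set would do.
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "readme.txt").write_text("constructed sample data\n")
        backup = backup_tree(source, tmp / "backup")
        restored = tmp / "restored"
        restore_tree(backup, restored)
        if tamper:
            (restored / "finance" / "ledger.csv").write_text("garbage\n")
        return verify_restore(backup, restored)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
    print(json.dumps(run_drill(tamper=True), indent=2))
```

In a real drill the `backup_root` would be the offline or otherwise isolated copy the list item calls for, and the restore target a clean machine; the separate temp directories here only stand in for that separation. The point of the manifest is that the drill checks what came back, not merely that the restore command exited successfully.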

1.2 Audience

The Ransomware Profile is intended for a general audience and is broadly applicable to organizations that:

  • have already adopted the NIST Cybersecurity Framework to help identify, assess, and manage cybersecurity risks; 
  • are familiar with the Cybersecurity Framework and want to improve their risk postures; or 
  • are unfamiliar with the Cybersecurity Framework but need to implement risk management frameworks to meet ransomware threats.


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272