The recent reports of a Cerber zero-day ransomware attack that targets Office 365 may have your organization feeling a bit fearful about your cloud deployment -- or swearing off the idea of ever migrating to the cloud. After all, if you read the reports, you would think the number of Office 365 users affected by the attack, which is a variation of a Cerber attack reported in March, ranged into the millions.
That's the security vendor FUD cycle at work.
As Microsoft MVP and well-known journalist Tony Redmond put it, "a fair amount of hyperbole and erroneous detail" was presented in vendor reports on the attack. Yes, you should be concerned about this latest ransomware attack, which uses a malicious attachment to play a creepy message asking for $500 in bitcoins in ransom per system. But the scope and duration of the attack was misrepresented from what I discovered by looking into the matter.
An attack of this sort doesn't target Office 365 users alone, although it did initially get through their nets. A Microsoft spokesperson said, "Office 365 malware protection identified the attack and was updated to block it within hours of its origination on June 22. Our investigations have found that this attack is not specific to Office 365 and only a small percentage of Office 365 customers were targeted."
In other words, a variety of security companies seized the opportunity to increase FUD in hopes of selling their products -- which isn't the worst thing. In fact, as a reminder at least, FUD mongering can be helpful.
I'm partial toward "truth" rather than sensationalist headlines to push a product -- or better security practices. The reality is too many IT admins are not doing their best to protect their environments. I believe a layered approach is essential to blocking ransomware, malware, phishing, and so on, from affecting your environments. Just because a FUD-based article written by a vendor is the catalyst toward raising awareness doesn't mean it's a bad idea to be more vigilant.
The problem with "Peter and the wolf" reporting by security vendors is that admins may brush the claims aside once they learn the true details of the story, thereby dismissing the genuine threat that lies at its core. Ransomware is very real and can be very expensive if you don't do your best to protect your environment.
Protection against ransomware starts with making sure you're using the tools you already have to their fullest capabilities. For example, Microsoft offers solid advice on how to deal with ransomware, including regular backups, keeping antivirus tools up to date, and providing security awareness and education to your users. This is a great opportunity to ask yourself whether you're using your current tools in a way that best protects your organization. It's also a great time to assess whether you might want to consider adding layers from third-party solutions to ensure multiple nets are in place to catch a problem as fast as possible.
Face it: We all have a little bit of FUD around security, especially in the cloud. Some allow that FUD to paralyze them from moving to the cloud, but my advice would be to transform your fears, uncertainties, and doubts into a deeper drive to do your homework and see what you can do to mitigate the variety of risks your organization is up again. Some of the fear you may have is not even cloud-specific; it's email-specific or social-engineering-specific. You have to educate your users regardless of where your environment resides, on premises or in the cloud.
Using the built-in tools to the full, adding third-party solutions, and training your users are all keys to mitigating risk and FUD. There will always be risks and there will always be fear, uncertainty, and doubt. But it's your job as an IT admin to mitigate both to protect your environment properly.
Take this latest round of security vendor FUD to heart, and direct it instead toward assessing your current security practices.