By SecureWorld News Team
Thu | Dec 26, 2019 | 4:30 AM PST

When hackers attacked nearly two dozen government entities in Texas with ransomware in August 2019, it made worldwide headlines.

But what has come out since then is of value for cybersecurity leaders and teams.

5 lessons from Texas ransomware attack

The State of Texas Department of Information Resources (DIR) took the lead to implement a coordinated incident response to the ransomware outbreak.

And now it has published a list of its top five best practices for mitigating the ransomware risk within organizations.

"Regarding this particular incident, I recommend the following specific security practices," says Nancy Rainosek, Chief Information Security Officer of Texas.

"If your servers or computer systems are remotely administered by internal IT staff or by a managed service provider (MSP):

  • Only allow authentication to remote access software from inside the provider's network
  • Use two-factor authentication on remote administration tools and Virtual Private Network tunnels (VPNs) rather than remote desktop protocols (RDPs)
  • Block inbound network traffic from Tor Exit Nodes
  • Block outbound network traffic to Pastebin
  • Use Endpoint Detection and Response (EDR) to detect PowerShell (PS) running unusual processes."
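To make the checklist concrete, the following Python script is an added example (it is not part of the Texas DIR statement or of this article) that evaluates constructed sample telemetry against three of the practices above: remote-administration logins are only accepted from the provider's own network, inbound connections from Tor exit nodes and outbound connections to Pastebin are blocked, and PowerShell spawning a child process outside an expected set is flagged for review. The provider network range, the Tor exit-node addresses, the expected PowerShell children and all event records are constructed placeholders chosen for illustration; a real deployment would feed these functions from a Tor exit-list subscription, the MSP's actual address space and the EDR's process-creation events.

```python
"""Added example: checking constructed telemetry against the Texas DIR
ransomware checklist (not code from the DIR statement or this article)."""
import ipaddress

# Assumption: child processes PowerShell is expected to launch in this
# environment. Anything else is surfaced to an analyst.
EXPECTED_PS_CHILDREN = {"conhost.exe", "whoami.exe", "ipconfig.exe"}

# Constructed placeholders standing in for a Tor exit-node feed (RFC 5737 ranges).
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Outbound destinations the checklist says to block.
BLOCKED_OUTBOUND_DOMAINS = {"pastebin.com"}

# Constructed sample: Sysmon-style process-creation events.
PROCESS_EVENTS = [
    {"pid": 4120,
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\whoami.exe"},
    {"pid": 4133,
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\updater.exe"},
    {"pid": 4140,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def flag_powershell_children(events):
    """Return events in which powershell.exe or pwsh.exe started a process
    that is not in EXPECTED_PS_CHILDREN (the EDR practice on the list)."""
    findings = []
    for ev in events:
        parent = _basename(ev["parent"])
        image = _basename(ev["image"])
        if parent in ("powershell.exe", "pwsh.exe") and image not in EXPECTED_PS_CHILDREN:
            findings.append(ev)
    return findings


def classify_connection(conn):
    """Apply the two network rules: block inbound from Tor exit nodes and
    outbound to Pastebin. Returns 'block:<reason>' or 'allow'."""
    if conn["direction"] == "inbound" and conn["remote_ip"] in TOR_EXIT_NODES:
        return "block:tor-exit-node"
    if conn["direction"] == "outbound":
        host = conn.get("remote_host", "").lower()
        if any(host == d or host.endswith("." + d) for d in BLOCKED_OUTBOUND_DOMAINS):
            return "block:pastebin"
    return "allow"


def remote_admin_login_allowed(src_ip, provider_networks):
    """True only if the source of a remote-administration login falls inside
    one of the provider's own network ranges (CIDR strings)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net) for net in provider_networks)


if __name__ == "__main__":
    for ev in flag_powershell_children(PROCESS_EVENTS):
        print(f"review: pid {ev['pid']} PowerShell spawned {_basename(ev['image'])}")
    print(classify_connection({"direction": "inbound", "remote_ip": "198.51.100.7"}))
    print(classify_connection({"direction": "outbound", "remote_ip": "192.0.2.10",
                               "remote_host": "pastebin.com"}))
    # Constructed provider range: the MSP's management network.
    print(remote_admin_login_allowed("203.0.113.9", ["10.20.0.0/16"]))
```

The allowlist approach in `flag_powershell_children` deliberately errs toward false positives: the list of children PowerShell legitimately spawns is small and stable in most fleets, so tuning it is cheaper than enumerating every unwanted child. The Tor and Pastebin checks are exact-match rules; in production the exit-node set should be refreshed on a schedule because exit nodes change frequently.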

Incident response details in Texas ransomware attack

The DIR best practices list also pulled back the covers on some of the incident response details relating to the ransomware cyberattack. 

For one thing, Texas is ahead of a lot of organizations simply because the State CISO helped create an incident response plan: 

"... a response plan was in place and ready to be put into action immediately. Within hours of receiving notice of the event, state and federal teams were executing the plan and in the field at the most critically impacted sites to begin eradicating the malware and assessing impact to systems."

This success reminds us of what Texas-based cybersecurity attorney Shawn Tuma told us during an interview.

He tells SecureWorld that an incident response plan should never be created on the fly. It needs to be in place and ready to guide your organization during an attack or breach:

"Whenever you have a significant cyber incident, it's chaos. It's catastrophic, or feels that way at the moment. It's like being in a building that's on fire. You're not looking at the finer points, it's a matter of how do I get out and protect what's most valuable."

The Texas incident response plan clearly allowed responders to do what they needed to do.

[See Shawn Tuma live as he keynotes SecureWorld Dallas, October 9-10.]

And they worked quickly, according to the Texas DIR:

"By day four, response teams had visited all impacted sites and state response work had been completed at more than 25% of those sites. One week after the attack began, all sites were cleared for remediation and recovery."

For more, see the Texas DIR ransomware statement.

[Resource: SecureWorld Cybersecurity Conference Calendar]