Undertaking a Ransomware Assessment: Evaluating DevOps Workflow and Security Practices

My plan to tackle this assessment as someone with no prior GRC (Governance, risk management, and compliance) related experience.


4 min read

As part of my role in the new company, I have been assigned a project to conduct a ransomware assessment. This task involves understanding our current DevOps practices and security measures, identifying potential vulnerabilities, and recommending improvements to reduce the risk of cyberattacks.

Using the concepts from the Ransomware Control Matrix (RCX) matrix, I was able to create ten main categories and three to seven sub-categories to begin my evaluation. The following are a few of the most important topics:

Backup and Recovery Processes: A robust backup and recovery strategy is our first line of defense against data loss from ransomware attacks. By regularly backing up data and ensuring that we can recover it quickly and accurately, we can minimize the impact of an attack. I'm evaluating the frequency of our backups, the security (CIA - Confidentiality, Integrity and Availability) of our backup storage, and the effectiveness of our recovery procedures.

Incident Response Plan: A well-crafted incident response plan can significantly reduce the time it takes to respond to and recover from a ransomware attack. I'm reviewing our current plan to ensure it's up-to-date and comprehensive. This includes making sure we have clear procedures in place for identifying, containing, eradicating, and recovering from an attack, as well as for communicating with stakeholders.

Data Loss Prevention: To prevent unauthorized access or disclosure of sensitive information, I'm assessing our current data loss prevention measures. This includes evaluating our data classification, data handling procedures, and the tools we use to monitor and prevent data breaches.

Access Controls: One of the most effective ways to prevent ransomware is to restrict who has access to our systems and data. I'm looking at how we manage user accounts, how we handle privileged access, and how we enforce password policies.

Logging and Monitoring: Effective logging and monitoring can help us detect a ransomware attack in its early stages. I'm checking our current logging policies and practices, and assessing our ability to monitor system activity and detect suspicious behavior.

Business Continuity Planning (BCP): A ransomware attack can disrupt our business operations, so it's crucial to have a solid BCP in place. I'm reviewing our BCP to ensure it includes a plan for continuing critical operations during and after a ransomware attack.

Third-Party Vendor Assessment: Third-party vendors can be a weak link in our security, so it's important to evaluate their security practices. I'm looking at how we assess the security of our vendors and how we manage vendor access to our systems and data.

Vulnerability and Patch Management: Keeping our systems patched and up-to-date is one of the simplest ways to prevent ransomware attacks. I'm assessing our current patch management procedures and our ability to detect and remediate vulnerabilities.

Using the RIIOT method as explained by Douglas J. Landoll in his amazing book, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, I'm gathering data and documenting the evidence to perform the final evaluation. The RIIOT method:

  1. Review Documents

  2. Interview Key Personnel

  3. Inspect Controls

  4. Observe Behavior

  5. Test Controls

Finally, in conducting this ransomware assessment, I'm utilizing a five-level maturity model as a comprehensive framework to evaluate our current cybersecurity measures within the DevOps workflow. This is based on Verve's blog post here: https://verveindustrial.com/resources/whitepaper/5-steps-to-greater-security-maturity-with-nist-csf/
Each level of this model signifies a different degree of sophistication and effectiveness of our processes, and correspondingly, a distinct risk profile.

At Level 1, where formal processes or controls are absent, our organization would be highly vulnerable to ransomware attacks. As I assess each category of our security infrastructure, a Level 1 evaluation would necessitate urgent attention and improvement.

Progressing to Level 2, processes may exist but they are typically reactive and ad-hoc, indicating a still heightened risk profile. If any of our practices fall into this category, it would signal a need for more structured and planned security measures.

By Level 3, our cybersecurity measures would demonstrate standardization and consistency, suggesting a more controlled risk environment. Through the assessment, any areas scoring at this level would show that while we have solid practices in place, there's room for further improvement and refinement.

A Level 4 rating would indicate well-managed, predictable processes that are often driven by metrics, signifying a lower risk profile. As I work through the assessment, finding practices at this level would reflect a mature and reliable defense against ransomware threats.

Finally, achieving Level 5 would mean our processes are not only mature but also continuously monitored and optimized. This would suggest a very low-risk profile and a proactive, rather than reactive, stance against ransomware threats.

Incorporating this maturity model into my assessment allows me to evaluate and score each category of our security practices, providing a clear picture of where we stand and where we need to focus our efforts to enhance our resilience against ransomware.

I'm looking forward to wrapping up this assessment in a couple of weeks. Then, we will dive into the feedback and use it to map out our next steps, focusing on areas where we need to develop processes or build tools to enable automation.