Best Practices for Ransomware Defense

Ransomware can destroy business data, cost millions of dollars in lost revenue and damage your reputation and brand. An attack erodes trust, and some customers will leave.

Investing in security may seem expensive, but the true cost of a successful ransomware attack hugely outweighs this expense.

Security is a balancing act: nobody wants an environment so locked down that it becomes restrictive (users will simply work around it), and a system that is too open will be compromised in no time. Ransomware attack vectors usually follow the same conventions. The payload most often arrives by email or the web, when a user opens a malicious attachment or follows a link to a harmful download; the rest comes in through exposed remote-access services with weak credentials, or through unpatched, internet-facing software. Almost every incident therefore starts with a human mistake or a missing control, and both can be addressed. So what can be done?

Protect the Network Edge

All inbound traffic should be logged, and all email should be scanned for malware, phishing and spoofing before it reaches a mailbox. This is the job of an email security gateway (or the filtering built into your mail provider) rather than a general-purpose firewall. Configure it to block attachments that Windows will execute on a double-click (.js, .jse, .vbs, .wsf, .hta, .scr), legacy binary Office formats (.doc, .xls, .ppt) and any Office document with an embedded macro, and have it quarantine rather than silently drop, so that a false positive can be recovered.
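The attachment rules above, as an added example rather than code from the original article: a small policy check that blocks script attachments, legacy binary Office documents and any Office Open XML file carrying a VBA project, deciding on file content rather than the claimed extension so that a macro document renamed to .docx is still caught. The file names, byte strings and the minimal zip packages it builds are constructed for the example.

```python
"""Attachment policy check for inbound mail: an added example, not code from
the original article. It implements the blocking rules above: script files
that Windows executes on a double-click, legacy binary Office documents
(OLE2 containers, whose macros cannot be ruled out without full parsing) and
any Office Open XML document that carries a VBA project, even when it has
been renamed to an innocent .docx. All file names and bytes are constructed."""
import io
import zipfile

# Extensions that WScript/cmd/mshta run directly when a user double-clicks.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".ps1", ".cmd", ".bat", ".scr"}
# Pre-2007 Office formats (.doc/.xls/.ppt) are OLE2 compound files.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Office Open XML (.docx/.xlsx/.pptx and the macro-enabled *m variants) is a zip.
ZIP_MAGIC = b"PK\x03\x04"


def ooxml_has_macro(data: bytes) -> bool:
    """True if a zip-based Office document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'allow' or 'block: <reason>' for one attachment."""
    name = filename.lower()
    # Use the *last* extension so 'invoice.pdf.js' is still treated as a script.
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in SCRIPT_EXTENSIONS:
        return "block: executable script attachment"
    # Decide document formats on magic bytes, never on the claimed extension.
    if data.startswith(OLE2_MAGIC):
        return "block: legacy binary Office format (may carry macros)"
    if data.startswith(ZIP_MAGIC) and ooxml_has_macro(data):
        return "block: Office document contains VBA project"
    if ext in {".docm", ".xlsm", ".pptm"}:
        return "block: macro-enabled Office extension"
    return "allow"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal zip shaped like an OOXML package (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed attachments: the last .docx hides a macro behind an innocent name.
SAMPLES = {
    "invoice.pdf.js": b"var sh = new ActiveXObject('WScript.Shell');",
    "report.doc": OLE2_MAGIC + b"\x00" * 64,
    "quote.docx": make_ooxml(with_macro=False),
    "renamed.docx": make_ooxml(with_macro=True),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:15} -> {classify_attachment(fname, blob)}")
```

A production gateway would go further (nested archives, password-protected zips, OLE objects embedded inside OOXML), but the two principles shown here carry over: classify on content, and treat "macro present" as a block regardless of what the file is called.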

Consider additional browser security controls or policy rules (safe-browsing URL filtering, blocking newly registered domains) so that a click on a bogus hyperlink never reaches the malicious site. Inspect the links in inbound mail for mismatches between the displayed text and the real destination and for lookalike domains that host cloned sign-on pages, and check your own sign-on pages for unexpected injected scripts.
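The link inspection just described, as an added example that is not part of the original article: it extracts every hyperlink from an HTML message and flags the four tricks behind most bogus links (display text showing a different domain than the href, punycode hosts, a watched brand name buried in someone else's domain, and a registrable domain one or two characters away from a watched brand). The brand watch list, the domains and the sample email are all constructed for the example.

```python
"""Hyperlink check for an inbound HTML email: an added example, not code from
the original article. It pulls every link out of the message and flags the
tricks behind bogus hyperlinks: display text that shows one domain while the
href goes to another, punycode (IDN) hosts, a watched brand name buried in
someone else's domain, and registrable domains one or two characters away
from a watched brand. The brand watch list and the sample email are
constructed for the example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watch list; a real deployment loads the brands you care about.
WATCHED_DOMAINS = ("paypal.com", "microsoft.com", "atlantic.net")
# Display text that looks like a URL or bare domain, e.g. "www.paypal.com/x".
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host; adequate for .com/.net, not for co.uk-style TLDs."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as micros0ft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href: str, text: str) -> list:
    """Return the reasons a link is suspicious; an empty list means it looks clean."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return reasons
    reg = registrable_domain(host)
    # 1. Visible text is a URL whose domain differs from the real destination.
    if URL_LIKE.match(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != reg:
            reasons.append(f"text shows {shown} but href goes to {host}")
    # 2. Punycode label: an IDN homoglyph that renders like a trusted name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(f"punycode host {host}")
    # 3./4. Brand name under a foreign domain, or a near-miss of the brand itself.
    for brand in WATCHED_DOMAINS:
        if reg == brand:
            continue
        if brand.split(".")[0] in host:
            reasons.append(f"{brand} appears in host but registrable domain is {reg}")
        elif edit_distance(reg, brand) <= 2:
            reasons.append(f"{reg} is a typosquat of {brand}")
    return reasons


def scan_email(html: str) -> dict:
    """Map each href in the message to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}


# Constructed phishing sample: three bad links and one legitimate one.
SAMPLE_EMAIL = """
<p>Your account is on hold. Verify now:
<a href="http://paypal.com.secure-login.example/verify">https://www.paypal.com/account</a></p>
<p>Or sign in at <a href="https://xn--pypal-4ve.com/">PayPal</a>.</p>
<p>Reset here: <a href="https://micros0ft.com/reset">Reset password</a></p>
<p>Questions? <a href="https://www.atlantic.net/support">Contact support</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "clean")
```

The registrable-domain helper deliberately stays simple; a gateway that handles co.uk-style suffixes should use the public suffix list instead of "last two labels".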

Harden Systems and Perform Vulnerability Scanning

All servers and workstations must be patched with the latest operating system and application security updates. Keep abreast of vendor-reported vulnerabilities and of the exploits circulating for them. An attacker usually needs a working exploit for a known, unpatched vulnerability to compromise a server, so close that window by patching regularly and promptly.

Exploit kits look for vulnerabilities in all of the popular web browsers and in browser plugins (like Adobe Flash, which reached end of life at the end of 2020) that have a reputation for numerous security holes. Attackers rarely need zero-day exploits; they target common, already-published vulnerabilities, such as an out-of-date browser plugin or JavaScript library, to deliver a payload.

Vulnerability management tools can audit infrastructure, compare installed software versions against vulnerability databases and report the published Common Vulnerabilities and Exposures (CVEs) that apply to you. Use that output to build an action plan, fixing the highest-severity and internet-facing issues first. Most fixes come in the form of an update, so the plan is only as good as your patching cadence.

Protect Front-End Services

Any web service that exposes resources to the public internet is a target. Self-hosted content management systems (CMS) like WordPress and Joomla are big targets because of their popularity and their large ecosystems of third-party plugins and themes, which are patched far less reliably than the core product.

Limit the exposure of your cloud services to the internet; ransomware is frequently delivered by brute-forcing weak passwords on Remote Desktop Protocol (RDP) services left open to the world. Cloud computing has simplified how digital resources are consumed, but countless RDP, SSH and FTP endpoints are secured with a default password or a basic one that a brute-force dictionary attack cracks in seconds. Put remote access behind a VPN or bastion host, require multi-factor authentication, and lock out or rate-limit repeated failed logins.

One way to protect infrastructure is to partner with a security-focused managed service provider that will keep front-end services secured, the network layer hardened and the infrastructure patched against the latest vulnerabilities and threats. That does not remove your own responsibilities: you still own the accounts and access paths, so set a strict password policy, require multi-factor authentication for every remote-access and administrative login, and give each account only the privileges its job needs.

Monitoring and Alerting

Monitoring and alerting are two of the most effective tools against ransomware, and the key to both is logging. Log aggregation tools can sift terabytes of logs quickly, and a SIEM can correlate those huge datasets and raise alerts on unexpected behavior on the network: bursts of failed logins, a single account touching thousands of files in minutes, or an endpoint reaching out to a domain nobody has seen before.

A security team must respond to alerts promptly, and the business must make sure responders have the access they need to contain a genuine ransomware attack. In practice that means out-of-band access (a console or KVM) so engineers can isolate and investigate a compromised server even after it has been cut off from the network, and the authority to take it offline without waiting for approvals.
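An added example, not code from the original article, of the kind of alert logic a SIEM would run against the login logs this section and the earlier RDP/SSH password-guessing discussion describe: a burst of failed logins from one source inside a short window raises a medium alert, and a successful login from a source that was just failing repeatedly raises a high one, because that is what a brute-force attack finding a password looks like. The log lines are constructed in OpenSSH's syslog format, and the year is an assumption because syslog timestamps omit it.

```python
"""Brute-force and credential-compromise detection over SSH auth logs: an added
example, not code from the original article. Rule 1: many failed logins from
one source inside a short window. Rule 2: a successful login from a source
that was failing repeatedly moments before (the attacker found a password).
The log lines are constructed in OpenSSH's syslog format; the year is assumed
because syslog timestamps omit it."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
ASSUMED_YEAR = 2024  # syslog lines carry no year; assumption for the example


def parse(line: str):
    """Return (timestamp, result, user, ip) or None for lines we do not model."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return (severity, source_ip, message) alerts in the order they fire."""
    recent_failures = defaultdict(deque)  # ip -> failure timestamps in window
    already_flagged = set()
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, result, user, ip = event
        window = recent_failures[ip]
        # Drop failures older than the window before evaluating either rule.
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if result == "Failed":
            window.append(ts)
            if len(window) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("medium", ip,
                               f"{len(window)} failed logins within {window_seconds}s"))
        elif len(window) >= threshold:
            # Success right after a burst of failures: treat as compromise, not noise.
            alerts.append(("high", ip,
                           f"login as {user} succeeded after {len(window)} failures"))
    return alerts


# Constructed log: one password-spraying host that eventually gets in, one user
# who mistypes twice ten minutes apart, and one clean key-based login.
SAMPLE_LOG = """\
Jan 12 03:14:01 web1 sshd[2112]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 12 03:14:03 web1 sshd[2114]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Jan 12 03:14:06 web1 sshd[2116]: Failed password for root from 203.0.113.5 port 51030 ssh2
Jan 12 03:14:09 web1 sshd[2118]: Failed password for root from 203.0.113.5 port 51033 ssh2
Jan 12 03:14:12 web1 sshd[2120]: Failed password for deploy from 203.0.113.5 port 51040 ssh2
Jan 12 03:14:15 web1 sshd[2122]: Failed password for deploy from 203.0.113.5 port 51044 ssh2
Jan 12 03:14:20 web1 sshd[2124]: Accepted password for deploy from 203.0.113.5 port 51050 ssh2
Jan 12 03:20:00 web1 sshd[2201]: Failed password for alice from 198.51.100.7 port 60001 ssh2
Jan 12 03:30:00 web1 sshd[2230]: Failed password for alice from 198.51.100.7 port 60002 ssh2
Jan 12 03:30:05 web1 sshd[2231]: Accepted password for alice from 198.51.100.7 port 60003 ssh2
Jan 12 04:00:00 web1 sshd[2300]: Accepted publickey for bob from 192.0.2.9 port 40000 ssh2
"""

if __name__ == "__main__":
    for severity, ip, message in detect(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {ip}: {message}")
```

The same two rules apply unchanged to Windows RDP, where the failures are Security event ID 4625 and the success is event ID 4624 with logon type 10; only the parser changes. Note that alice's two typos ten minutes apart never reach the threshold, which is the point of the sliding window: the rule should fire on machine-speed guessing, not on people.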

Backups, DR, and High Availability

Failing to prepare is preparing to fail. Every business should have a robust and thoroughly tested backup strategy. Often, the quickest way to recover from a ransomware attack is to restore affected systems from backup, which is impossible if you have no backups. Keep at least one copy offline or on immutable storage that production credentials cannot reach, because modern ransomware looks for and encrypts or deletes any backups it can reach before it detonates. Test restores regularly; a backup you have never restored from is a hypothesis, not a plan.
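An added example, not code from the original article, of what a "tested backup" check looks like in practice: record a manifest of file hashes when the backup is taken, use it after an attack to scope exactly which files were encrypted, renamed or added, and use it again after the restore to prove the restored tree matches what was backed up. The directory tree, the simulated ransomware and the temporary paths are all constructed for the example.

```python
"""Backup manifest and restore verification: an added example, not code from
the original article. A manifest of SHA-256 hashes is written at backup time;
after a (simulated) ransomware incident it tells you which files were damaged,
and after a restore it proves the restored tree matches the backup. The file
tree and the attack below are constructed in a temporary directory."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a tree against a manifest; ok only when nothing differs."""
    current = build_manifest(root)
    missing = sorted(k for k in manifest if k not in current)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    extra = sorted(k for k in current if k not in manifest)
    return {"ok": not (missing or changed or extra),
            "missing": missing, "changed": changed, "extra": extra}


def demo() -> dict:
    """Backup -> simulated attack -> restore, returning both verification results."""
    work = Path(tempfile.mkdtemp())
    try:
        prod, backup = work / "prod", work / "backup"
        (prod / "invoices").mkdir(parents=True)
        (prod / "invoices" / "q1.csv").write_text("id,amount\n1,100\n")
        (prod / "readme.txt").write_text("hello\n")

        # 1. Take the backup and store the manifest *with* it. In a real
        #    deployment both live on offline or immutable storage that
        #    production credentials cannot modify.
        shutil.copytree(prod, backup)
        manifest = build_manifest(prod)
        (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # 2. Simulated ransomware: one file overwritten with ciphertext-like
        #    junk, one encrypted-and-renamed with a .locked extension.
        (prod / "readme.txt").write_bytes(os.urandom(32))
        (prod / "invoices" / "q1.csv").rename(prod / "invoices" / "q1.csv.locked")
        after_attack = verify_restore(prod, manifest)

        # 3. Restore into a clean tree from the backup and re-verify against
        #    the manifest read back from disk, exactly as a DR drill would.
        shutil.rmtree(prod)
        shutil.copytree(backup, prod)
        stored = json.loads((work / "manifest.json").read_text())
        after_restore = verify_restore(prod, stored)
        return {"after_attack": after_attack, "after_restore": after_restore}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "after attack" report is the one incident responders want first: it turns "something encrypted the file server" into a list of exactly which files need restoring, and it is only possible if the manifest was taken before the incident and kept somewhere the attacker could not rewrite it.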

Also consider disaster recovery options. This could be a complete disaster-recovery-as-a-service (DRaaS) solution where production workloads can be moved to a secondary location in a matter of minutes. Document an end-to-end disaster recovery plan for the event of a breach, and rehearse it, so that the first time the runbook is read is not during an incident.

Educate the Workforce

A significant challenge for any business is explaining to users why security matters and why robust controls are needed.

Finally, and arguably one of the most important protections against ransomware, is educating the workforce about cybersecurity. Every employee has the potential to expose your business to a cyberattack, whether unintentionally or not. Education is a continuous improvement initiative: refresh it regularly so that each employee completes security awareness training on topics such as how to spot a phishing email, a fake URL and a rogue website. Test employees' knowledge with simulated phishing and other social-engineering exercises to see how they perform. This is not a blame game but a real-world test of how employees handle specific situations, and the results show the business the true value of its cybersecurity investment.


Richard Bailey

Richard Bailey is the Lead IT Consultant at Atlantic.Net [1], a growing and profitable cloud hosting company that specializes in HIPAA compliance.
