I was a witness when malware started spreading in a retail company not long ago. And let me tell you, the expression on people’s faces was chilling. Panic and fear quickly reached boiling point. The CIO didn’t recover for days after his interview with the board. In the end, the story ended well. They were able to contain and remove the infection. But many companies have lost a lot of money. Some even went out of business.
By following these 12 steps, you can prevent the worst.
1. Backup, backup, and backup
You can have the best protection in the world, but there is still a chance that security will be breached and some computers will get infected. If you are lucky, the computer will be infected with a low-level virus that only tries to encrypt local data. That way the infection won’t spread and will be easy to remove. All you have to do is re-image the computer, and your IT technician will lose about 2 hours of work.
Malware that is a bit more sophisticated will try to encrypt network shares. If your antivirus protection is average, you will quickly be notified about blocked attempts to encrypt network shares. But if attackers target your company specifically, you will have to do better than install anti-virus software on your computers and servers. When a computer is infected as part of a targeted attack, the attackers may at first just be observing and mapping your topology. The planning phase can take up to several months. Their goal is maximum damage, so that once the attack is launched there is a higher chance of a ransomware payment.
Let’s say the bad actors manage to encrypt all your data; your company then has no option other than to pay. The amount of money they demand for decryption is mind-blowing: from USD 500,000 up to millions. If your data is safely stored and can be recovered, you will save your company a lot of money. Now, about the backup. There are many backup products on the market. Some barely work, and some are amazing. Prices also vary, from USD 1,000 to USD 100,000. Some companies pay much more for enterprise-grade backup software.
Performing a backup is only one part of the solution. Can you recover all the data? Proper backup testing is essential, so that when you need the data, you know you will be able to restore it. And how much time will the restore take? To save time for your admins, you can use software that supports automated recovery testing.
To protect data, it is recommended to follow the 3-2-1 rule. Let me explain. You need 3 copies of the data, stored on 2 different media, with at least 1 copy stored off-site. Performing backups this way ensures enough diversity and safety that a backup survives and is available when it is needed. In the old days, if your company didn’t have an off-site location (a warehouse or a second office), you had to rent an expensive data center. Today, IT has become much cheaper and better. You can easily use the cloud, with better pricing and availability, and you only pay for the storage you consume. With modern backup solutions, data is compressed and deduplicated, so you save a lot of money. Modern backup products also support the 3-2-1 rule out of the box, as do cloud services.
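As an added Python example (not from the original post or any backup product), the script below checks a set of backup copies against the 3-2-1 rule and runs an automated restore test against a hash manifest taken at backup time. The directories, file names and the corrupted tape copy are constructed for the example; each copy’s path stands in for a real backup target.

```python
import hashlib
import shutil
import tempfile
from collections import namedtuple
from pathlib import Path

# medium is e.g. "disk", "tape", "object-storage"; path stands in for the real target (constructed).
BackupCopy = namedtuple("BackupCopy", "name medium offsite path")

def meets_3_2_1(copies):
    """3 copies, on at least 2 different media, with at least 1 stored off-site."""
    return (len(copies) >= 3
            and len({c.medium for c in copies}) >= 2
            and any(c.offsite for c in copies))

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def make_manifest(source_dir):
    """Hash every file at backup time; a restore test is checked against this manifest."""
    return {p.name: sha256_of(p) for p in Path(source_dir).iterdir() if p.is_file()}

def restore_test(copy, manifest, scratch_dir):
    """Restore one copy into scratch_dir and verify it file by file; returns names missing or changed."""
    failed = []
    for name, digest in sorted(manifest.items()):
        src, dst = Path(copy.path, name), Path(scratch_dir, name)
        if not src.is_file():
            failed.append(name)
            continue
        shutil.copy2(src, dst)
        if sha256_of(dst) != digest:
            failed.append(name)
    return failed

def demo():
    """Constructed scenario: one source folder, three copies, the tape copy silently corrupted."""
    root = Path(tempfile.mkdtemp())
    src = root / "source"
    src.mkdir()
    (src / "erp.db").write_bytes(b"orders 2021")
    (src / "crm.db").write_bytes(b"contacts 2021")
    manifest = make_manifest(src)
    copies = [BackupCopy("local-nas", "disk", False, root / "nas"),
              BackupCopy("tape-lib", "tape", False, root / "tape"),
              BackupCopy("cloud", "object-storage", True, root / "cloud")]
    for c in copies:
        shutil.copytree(src, c.path)
    (copies[1].path / "crm.db").write_bytes(b"garbage")   # simulate bit rot on the tape copy
    results = {c.name: restore_test(c, manifest, tempfile.mkdtemp(dir=root)) for c in copies}
    return meets_3_2_1(copies), results
```

Only the copy that actually restores with matching hashes counts as a usable backup; the rule check alone says nothing about whether the data can come back.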
2. Train your employees
Security awareness training for employees is the most undervalued protection. Most attacks target employees via email phishing. If employees cannot recognize such attempts, they will sooner or later fall victim and unknowingly infect their computers. The best solution is for all employees to follow cyber hygiene practices. Once they are trained and see the value, they will follow those practices even on their home computers and private mobile phones.
3. Next-generation firewall with web and email filtering
I have heard from many IT colleagues that they have a web-filter-capable device installed but failed to use it because many services didn’t work. It is true that with the increased use of SSL/TLS, some services are harder to configure, but the effort is worth it in the long run. What sets the good NGFW vendors apart from the worst is that they have great support and can help with such cases. Another benefit of many NGFWs is that they can inspect DNS requests and block bad ones based on reputation and machine-learning techniques. That way your users can’t reach potentially harmful websites even if they fail to recognize a malicious link. Equally important is email filtering. Some vendors have come up with great solutions to filter and stop phishing emails.
4. Patch management
My heart breaks when I hear that some IT admins don’t patch their servers because they may have problems with the services running on top. Unfortunately, some software becomes unsupported: maybe the vendor stopped developing the product, or upgrading would cost a lot of money. In such cases, those servers have to be separated and placed in an isolated environment with limited access. For the rest of the environment, regular patching has to be performed, even if it is not pleasant, with backups and proper procedures in place just in case an upgrade doesn’t work. You have to regularly patch all IT equipment: networking, storage, servers, AV systems… Oh, don’t get me started on zero-days and MS Exchange.
5. Adopt multi-factor authentication
Multi-factor authentication has become a security standard these days. Most cloud-based solutions already support it. If your organization uses web-based apps, they may already support 2FA. Even if they don’t, it is rather affordable to add such functionality. Outdated custom-built applications that can’t be modified can instead be isolated. It is recommended to enable two-factor authentication on all services, and especially for admins. If your VPN does not support two-factor authentication, you can use tools like AuthLite. AuthLite can also be used for RDP, VPN and even Windows accounts.
6. Implement least privilege
Least privilege, or the principle of least privilege (PoLP), refers to the concept and practice of restricting the access rights of users, accounts and computing processes to only those resources required to perform their authorized activities. If PoLP is followed, then even if a user account is breached, the attacker gains access only to the resources that user has access to. Ideally, you would apply it to all the services the user has access to: network share permissions, internal applications, and even the permissions within those applications (for example, ERP, CRM, etc.).
7. Implement advanced endpoint detection with EDR solutions
Advanced endpoint protection with EDR uses proactive techniques, such as behavioral analysis with machine learning, to identify potentially new or complex threats. EDR solutions can quickly identify an attack across your network and isolate and/or quarantine infected systems. Most importantly, they also notify you, so that you are aware of potential problems in your network. These advanced techniques make it much more difficult for an attacker to establish a safe harbor on your network.
8. Secure your network services
One of the most common methods of initial access to infrastructure is the exploitation of insecure network services such as RDP (Remote Desktop Protocol) or VNC. To minimize the risk of exposure from insecure network services, consider the following steps.
• Disable unnecessary services. Begin with a comprehensive assessment of all externally facing services and systems. Disable the unnecessary ones and monitor those that remain.
• Use the power of threat intelligence. Use threat intelligence to your advantage to prioritize prevention and detection. Use intelligence from industry vendors to prioritize the identification and patching of common vulnerabilities and exposures. Implement a SOC (security operations center) and security best practices. You can also consider implementing a threat intelligence gateway (TIG). A TIG is a device that sits at the exterior of your network perimeter and is constantly updated with an intelligence feed listing the known malicious IP addresses and domains from which many attacks originate. That information allows it to block most attack traffic from bad actors.
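The two steps above as an added Python example (not from the original post or any vendor’s product): an audit of externally facing listeners against a reviewed approved list, plus a minimal model of a threat intelligence gateway that drops traffic matching a feed. The listener inventory, feed entries and log lines are constructed and use RFC 5737 documentation addresses.

```python
import ipaddress

# Services that should never be reachable from the internet (constructed list for the example).
RISKY_PORTS = {23: "telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}

def audit_exposed_services(listeners, approved):
    """listeners: (public_ip, port, process) from the external assessment; approved: {(ip, port)}
    that were reviewed and deliberately kept. Returns one finding per listener needing action."""
    findings = []
    for ip, port, proc in listeners:
        if (ip, port) in approved:
            continue
        if port in RISKY_PORTS:
            findings.append(f"{ip}:{port} {RISKY_PORTS[port]} ({proc}): disable or move behind VPN")
        else:
            findings.append(f"{ip}:{port} ({proc}): not approved, review or disable")
    return findings

class ThreatIntelGateway:
    """Minimal model of a TIG: drop traffic from listed networks or to listed domains."""
    def __init__(self, bad_networks, bad_domains):
        self.networks = [ipaddress.ip_network(n) for n in bad_networks]
        self.domains = set(bad_domains)

    def allows(self, remote_ip, dst_domain=None):
        ip = ipaddress.ip_address(remote_ip)
        if any(ip in net for net in self.networks):
            return False
        if dst_domain and any(dst_domain == d or dst_domain.endswith("." + d) for d in self.domains):
            return False
        return True

    def filter_log(self, lines):
        """Apply the feed to constructed connection-log lines 'remote_ip local_ip port [domain]'.
        Returns (allowed, blocked) line lists."""
        allowed, blocked = [], []
        for line in lines:
            parts = line.split()
            remote, domain = parts[0], parts[3] if len(parts) > 3 else None
            (allowed if self.allows(remote, domain) else blocked).append(line)
        return allowed, blocked

# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
LISTENERS = [("203.0.113.10", 443, "nginx"), ("203.0.113.10", 3389, "TermService"),
             ("203.0.113.11", 5900, "vncserver"), ("203.0.113.12", 8443, "tomcat")]
APPROVED = {("203.0.113.10", 443)}
FEED_NETWORKS = ["198.51.100.0/24"]
FEED_DOMAINS = ["bad-updates.example"]
LOG = ["198.51.100.7 203.0.113.10 3389", "192.0.2.44 203.0.113.10 443",
       "192.0.2.9 203.0.113.12 8443 cdn.bad-updates.example"]
```

The audit is only as good as the approved list: every entry in it should correspond to a documented decision, not to a port someone once needed.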
9. Create a response plan
Think about the panic once a threat has been identified inside your company. How would you respond? Who would you notify? What actions would you take? Do you know all the services that are affected once a system goes down? How would the CEO react? That’s why every organization should have a cybersecurity incident response plan in place. When your organization has a plan that has been tested (even better, practiced regularly), you will prevent panic and delayed reactions. In addition, you will know exactly whom to contact (external vendors). The plan also helps to identify all the affected services, the backup and restore procedures, and the timeframe required to resume operation.
10. Use application whitelisting
Application whitelisting is a very powerful security mechanism that blocks the execution of any program, executable or even script that isn’t explicitly allowed. With application whitelisting, you define the exact programs that are allowed to run. Any other executable will be blocked and won’t be started by the operating system. For example, if a user downloads malware and tries to run it, the script will be blocked immediately. While application whitelisting is very effective, it requires some time to implement properly.
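An added Python example (not from the post or any whitelisting product) of a default-deny policy evaluator with path and hash rules, where deny rules win over allow rules as they do in AppLocker. The directory layout, file contents and rules are constructed; the Temp subfolder case shows why a path rule is only safe for directories that users cannot write to.

```python
import hashlib
import os
import tempfile
from collections import namedtuple

# kind: "hash" (hex SHA-256 of the file) or "path" (directory prefix); action: "allow" or "deny".
Rule = namedtuple("Rule", "kind value action")

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def _under(path, directory):
    path, directory = (os.path.normcase(os.path.abspath(p)) for p in (path, directory))
    return path.startswith(directory.rstrip(os.sep) + os.sep)

def decide(path, rules):
    """Default deny: a file may run only if some rule allows it and no rule denies it.
    Deny rules win over allow rules, as they do in AppLocker."""
    digest = sha256_of(path)
    matched = [r for r in rules
               if (r.kind == "hash" and r.value == digest)
               or (r.kind == "path" and _under(path, r.value))]
    if any(r.action == "deny" for r in matched):
        return "deny"
    return "allow" if any(r.action == "allow" for r in matched) else "deny"

def demo():
    """Constructed layout: an admin-managed program directory with a world-writable
    Temp subfolder, a user-writable Downloads folder, and one tool allowed by hash."""
    root = tempfile.mkdtemp()
    prog = os.path.join(root, "Program Files")
    temp, downloads = os.path.join(prog, "Temp"), os.path.join(root, "Downloads")
    for d in (prog, temp, downloads):
        os.mkdir(d)
    files = {"erp.exe": (prog, b"MZ erp client"),            # installed by admins
             "invoice.pdf.exe": (downloads, b"MZ dropper"),  # downloaded by a user, unknown
             "putty.exe": (downloads, b"MZ trusted tool"),   # known-good, allowed by hash
             "dropper.exe": (temp, b"MZ dropper")}           # landed in the writable subfolder
    for name, (directory, data) in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
    rules = [Rule("path", prog, "allow"),                    # trust the admin-managed tree...
             Rule("path", temp, "deny"),                     # ...but not its writable subfolder
             Rule("hash", sha256_of(os.path.join(downloads, "putty.exe")), "allow")]
    return {name: decide(os.path.join(directory, name), rules)
            for name, (directory, _) in files.items()}
```

Without the deny rule for Temp, dropper.exe would run under the Program Files path rule, which is the usual gap when a trusted directory has a user-writable corner.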
11. Cyber insurance
It’s hard to make your company bulletproof. There is also the human factor, which can make it easy for bad actors to exploit you. There have been many cases where bad actors gained access to infrastructure because of a human mistake, most commonly in the cloud. One configuration mistake and you can expose your company database to the world; worse, you can forget to lock down access and hackers can easily take over. Cyber insurance can help when you are out of options. It is expensive, but if needed, it can save the company from going out of business.
12. Implement complex password policies with expiring passwords
There are still companies that don’t enforce complex passwords and password changes after some time, let’s say 30 days. Just think about the recent example where a vulnerability in Exchange could send users’ passwords to some domains. The passwords were not encrypted and could be seen easily. Also, users tend to reuse the same passwords across all websites and company resources. If passwords are complex and are changed regularly, the attacker will have a much harder job.
Conclusion
Ransomware protection should be the number one priority for any company. The ransomware threat is growing and penetration techniques are advancing, and security companies have a hard time keeping up. The times when anti-virus protection was enough are over. The question is not if, but when your company will become a target. Just look at history: the greatest companies in defense, avionics and energy have been breached and had secrets stolen or data encrypted. The ultimate protection for your company’s data against ransomware is still bullet-proof data protection. A product like Nakivo Backup & Replication is cost-efficient and enterprise-ready. You can quickly try the product for free and see if it matches your requirements.