8 Smart Ways to Protect Against Ransomware
Ransomware remains very much a human problem.
December 13, 2018
![Ransomware Ransomware](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt77046094425e9659/65245c8f9a150674b48063cb/shutterstock_640583191.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
Security training for end users is essential to keeping awareness high; it’s also important to establish the right training frequency to avoid fatigue, according to security consultants and IT trainers.
Regular training remains the best way to refresh user knowledge about password resets, social engineering and company security policies. It’s also a great time to review how to deal with emails that might not be legitimate. Since phishing is the most common method of ransomware infection, regular review of email best practices is essential.
“I’m seeing a lot more synthetic phishing simulations, where organizations phish their own employees to train them,” said Jon Oltsik, senior principal analyst with Enterprise Strategy Group (ESG). Did the end user mouse over the alleged sender’s address for anomalies? What about misspellings, weird capitalizations or odd punctuation in the body of the email? Does something look a little off about the embedded logo in the message header or the sender’s signature line?
See who takes the bait and maybe turn the exercise into a contest among departments. Regardless, phishing simulations let the IT department and the C-suite see just how effective training has been, without infecting a single server or desktop, or paying a single cent in ransom.
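The tells listed above (a sender address that only looks right on a mouse-over, odd capitalization and punctuation, a link whose visible text does not match where it goes) can be checked automatically, which is useful both for scoring a phishing simulation and for triaging reported mail. The following is an added example written for this page, not code from the article or from ESG; the organization's domain, the confusable-character table and the two sample messages are all constructed placeholders.

```python
"""Automated checks for the phishing tells listed above: sender lookalikes, reply-to
mismatches, urgency cues and links whose visible text does not match their target."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain. Placeholder, not taken from the article.
ORG_DOMAIN = "example.com"

# Digit-for-letter swaps seen in lookalike domains. Used only to normalise a sender
# domain so that a lookalike collapses onto the genuine one and can be flagged.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URGENCY_WORDS = {"urgent", "immediately", "suspended", "locked", "verify", "now"}
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalise_domain(domain: str) -> str:
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _body_text(msg) -> str:
    """Concatenate the text parts of a message, decoding each with its own charset."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_findings(raw_message: str) -> list[tuple[str, str]]:
    """Return (code, detail) pairs for every tell found; an empty list means nothing tripped."""
    msg = message_from_string(raw_message)
    findings: list[tuple[str, str]] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # "Mouse over the sender": the address is not ours but becomes ours once lookalike
    # characters are normalised.
    if from_domain != ORG_DOMAIN and normalise_domain(from_domain) == ORG_DOMAIN:
        findings.append(("lookalike-sender-domain", from_domain))

    # The display name shows one address while the real sender is another.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if shown and shown.group(1).lower() != from_domain:
        findings.append(("display-name-mismatch", from_name))

    # Replies would go somewhere other than where the mail claims to come from.
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", reply_domain))

    # Shouting, repeated punctuation or pressure words in the subject line.
    subject = msg.get("Subject", "")
    shouting = re.findall(r"\b[A-Z]{3,}\b", subject)
    words = set(re.findall(r"[a-z]+", subject.lower()))
    if len(shouting) >= 2 or "!!" in subject or words & URGENCY_WORDS:
        findings.append(("urgency-cues", subject))

    # Link text that looks like a URL but points at a different host than the href.
    for href, text in ANCHOR_RE.findall(_body_text(msg)):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if text.lower().startswith(("http://", "https://", "www.")):
            visible = urlparse(text if "://" in text else "http://" + text).hostname
            actual = urlparse(href).hostname
            if visible != actual:
                findings.append(("link-text-mismatch", f"shows {visible}, goes to {actual}"))
    return findings


# Constructed training message (not a real phish) in which every tell above is present.
SAMPLE_PHISH = """\
From: IT Helpdesk <helpdesk@examp1e.com>
Reply-To: recovery@mail-reset.example.net
To: user@example.com
Subject: URGENT!! Reset your password NOW
Content-Type: text/html; charset=utf-8

<p>Your mailbox will be LOCKED. Click
<a href="http://mail-reset.example.net/reset">https://portal.example.com/reset</a></p>
"""

# Constructed benign message: same organisation, link text and target agree.
SAMPLE_CLEAN = """\
From: Alice <alice@example.com>
To: user@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Are you free at noon? <a href="https://portal.example.com/x">https://portal.example.com/x</a>
"""

if __name__ == "__main__":
    for code, detail in phishing_findings(SAMPLE_PHISH):
        print(f"{code:26} {detail}")
```

The checks are deliberately coarse: each one produces a labelled finding rather than a verdict, so a trainer can show users exactly which tell they missed, and a mail-gateway rule can weight the findings however the organization prefers.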
This is almost a no-brainer where ransomware is concerned: Set up flags or alerts for any encryption taking place on servers, desktops or storage platforms; add an additional layer of permissions, if possible.
“If you can identify a behavior where you start to see data being encrypted, you can then compartmentalize and restrict that action till it’s been authorized,” said IP Architects’ John Pironti.
If there’s a way to identify encryption activity, IT can then make its response part of a permissions conversation and a way to shut down ransomware before it does its dirty work.
Pironti also foresees the difficulty of distinguishing malicious encryption from appropriate, authorized encryption.
“If a user is working with .zip files, then they have to use encryption,” he noted. Getting another round of permissions to use it could become a real hassle if that’s a regular part of that user’s job.
But it’s a judgment call that security pros will have to make, since any encryption, authorized or not, is a notorious drag on network performance.
“IT and security are always challenged with maintaining the user experience,” Pironti said. “There are so many cool things you can do, but not if it slows down the business.”
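What an "encryption taking place" alert can look like in practice, and how to avoid tripping it on the legitimate .zip work Pironti describes: the example below compares two snapshots of a file share and flags a burst of files whose content has turned into something ciphertext-like, while exempting files that carry the magic bytes of a known compressed or media container (those are high-entropy by design). This is an added example written for this page, not code from the article or from IP Architects; the thresholds, the container table and the sample snapshots are constructed assumptions.

```python
"""Flag a burst of file changes that look like ransomware encryption (constructed example)."""
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or well-compressed data sits close to 8.0
BURST_THRESHOLD = 5       # suspicious changes in one window before an alert is raised

# Containers that are high-entropy by design. Matching them by magic bytes is how the
# detector stays quiet about the ".zip" kind of authorized work Pironti mentions.
KNOWN_CONTAINERS = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def known_container(data: bytes):
    """Name of the container format whose magic bytes open this content, else None."""
    return next((name for magic, name in KNOWN_CONTAINERS.items() if data.startswith(magic)), None)


def detect_burst(before: dict, after: dict) -> dict:
    """Compare two snapshots {path: bytes} and report changes that look like encryption.

    A change is suspicious when the new content is high-entropy and not a known container.
    A new path equal to an old path plus one more extension (report.docx -> report.docx.locked)
    is treated as a rename of that old file, so the old content is used as the baseline.
    """
    suspicious, exempt = [], []
    for path, data in after.items():
        if before.get(path) == data:
            continue  # unchanged
        origin = path
        if path not in before:
            stem = path.rsplit(".", 1)[0]
            if stem in before and stem not in after:
                origin = stem  # renamed with a new extension
        container = known_container(data)
        if container:
            exempt.append((path, container))
            continue
        entropy = shannon_entropy(data)
        if entropy < ENTROPY_THRESHOLD:
            continue
        old = before.get(origin)
        detail = f"entropy {entropy:.2f}" if old is None else f"entropy {shannon_entropy(old):.2f} -> {entropy:.2f}"
        if origin != path:
            detail += f", renamed from {origin}"
        suspicious.append((path, detail))
    return {"alert": len(suspicious) >= BURST_THRESHOLD, "suspicious": suspicious, "exempt": exempt}


# Constructed sample data. CIPHERTEXT_LIKE holds every byte value equally often, so its
# entropy is exactly 8.0 bits per byte, the signature of encrypted output.
TEXT = b"Quarterly revenue by region; see attached figures.\n" * 40
CIPHERTEXT_LIKE = bytes(range(256)) * 8

BEFORE = {f"share/finance/report{i}.docx": TEXT for i in range(8)}
BEFORE["share/finance/notes.txt"] = TEXT

AFTER = dict(BEFORE)
for i in range(6):                       # six documents replaced by renamed, scrambled copies
    del AFTER[f"share/finance/report{i}.docx"]
    AFTER[f"share/finance/report{i}.docx.locked"] = CIPHERTEXT_LIKE
AFTER["share/finance/archive.zip"] = b"PK\x03\x04" + CIPHERTEXT_LIKE   # a user's legitimate zip

if __name__ == "__main__":
    result = detect_burst(BEFORE, AFTER)
    print("ALERT" if result["alert"] else "ok")
    for path, detail in result["suspicious"]:
        print(f"  {path}: {detail}")
    for path, fmt in result["exempt"]:
        print(f"  {path}: exempt ({fmt})")
```

The burst threshold is what turns a per-file heuristic into a behavioral signal: one high-entropy file is normal, many of them appearing in the same window with renamed extensions is the pattern to stop and hold for authorization. In a real deployment the snapshots would come from a file-change feed, and a per-path or per-process allowlist would be the next refinement for users whose job genuinely involves encrypting data.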
Ask any airline pilot: Rules and restrictions keep everyone safer. And IT pros will hasten to add that end users will try to do things with email, accounting and scheduling software that were never envisioned, but inadvertently expose the organization to varying levels of risk.
Sometimes that user activity is unconscious, sometimes not, Pironti said.
“Users will always find their way around things if they don’t like how something is set up,” he said. And the problem there is that they may resort to covert means that IT cannot see or prevent.
That’s why ESG’s Oltsik advocated that organizations and enterprises adopt some sort of application whitelisting policy, if they don’t already have one in place.
“Whitelisting could be helpful especially on critical systems,” he said.
Freeware, webmail and up-and-coming blockchain apps may all inadvertently expose organizations to ransomware and other malicious code. Better safe than sorry.
Endpoint security has proven an enduring trend for protecting organizations and their data, and it’s only natural that endpoint products and services have embraced ransomware protections.
Endpoints include everything from PCs and Macs to smartphones, tablets and even thumb drives. By denying these devices the means to execute untrusted code, IT can keep a malicious payload like ransomware from ever activating.
“The leading endpoint security tools now have heuristics designed to detect and block ransomware,” Oltsik said, adding that there is also good freeware available. “Cybereason offers a free endpoint software client for Windows that blocks ransomware by default. It’s easy to find and install.”
Pironti agreed, but cautioned that endpoint security should not rely on signature-based technology. Next-gen endpoint security taps into statistical modeling that is more robust and dynamic, a big plus for any security protection in an environment where new threats are constantly emerging.
It’s tedious and time-consuming, but analysts agree that regular, more comprehensive software patching will do more to keep organizations and their data safe than just about any other technical fix out there.
It bears mentioning that patching servers or routers is on a completely different scale from a software update for a laptop or mobile device.
“Regular patching is always a best practice but again, it’s not always easy,” ESG’s Oltsik observed.
End-user organizations often end up performing some sort of triage on patches, since most require some kind of testing before they’re deployed in a live production network. When time is precious, as it always is in most data centers or server rooms, things will inevitably fall through the cracks.
The need to prioritize and test patches also means that automation tools are of limited value, which may help justify the business case for moving some services or apps to the cloud, where a third party can be charged with making sure patching happens regularly. In the meantime, a renewed commitment to prompt handling of software patches is a smart safeguard against ransomware.
Most organizations already have permissions and access approvals in place for their most critical IT infrastructure, but as with patching, they can get sloppy about keeping them up to date, and too many users and admins end up with their fingers in multiple pots. This leaves organizations more vulnerable to problems like ransomware.
In theory, users and admins get only the permissions they need to perform specific functions. That is supposed to help with processes like backing up data: local and offsite backups are made accessible through a single Active Directory service account, and that account is used only for backup operations and storage.
This kind of restriction is called least-privilege access, according to Oltsik, and is fundamental to most cybersecurity frameworks. Like many security fixes, it is both effective and hard to execute. The effort is warranted: privileged accounts are prime targets for hackers and malware writers, since they typically hold the keys to the kingdom.
Oltsik added that most organizations take the additional step of strengthening access to these privileged accounts. That could take the form of multifactor authentication, for example, or granular access rules sometimes called entitlements. They could also deploy a software-defined perimeter that grants admin access to an application but not to the network, so that any malware is confined to a single system or application.
Extra precautions can help protect against ransomware, or at the very least slow its march through the data stacks.
There’s probably never a good time to discover your backup hasn’t been working or isn’t configured properly. But it’s especially bad in the middle of the chaos that accompanies ransomware infection and you’re trying to restore encrypted data or files.
For many organizations, the threat of ransomware is a great incentive to clean up their backup and archiving practices. With backups properly configured and managed, they can pull older copies to restore what was lost and get operations moving again.
Central to that strategy is doing some sort of versioned file backup to a device or location that’s protected from the rest of the organization’s network and data, Pironti said.
“Versioning lets you work your way backward till you find a good copy … but it has to be done off-device,” he added, meaning separate from the organization’s live production network.
With versioned backups, every time a file is saved, the new copy is stored without overwriting previous ones. Those earlier copies should allow captured data to be restored in most instances, but some forms of ransomware are especially crafty and may lie dormant or work in stealth mode before striking, so the good copy can be several versions back. That is a sound business justification for investing in storage capacity, especially for critical data or to protect power users like executives or salespeople.
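The two properties Pironti calls for, versions that never overwrite each other and a store the production network cannot reach back into and destroy, can be captured in a small append-only repository with a restore routine that walks backward until it finds a copy that still looks like the original file. The following is an added example written for this page, not the article's or IP Architects' code; the in-memory store stands in for an off-device repository, and the ledger contents and the "encrypted" third version are constructed sample data.

```python
"""An append-only, versioned backup store and a restore that walks back to a good copy
(constructed example)."""
from __future__ import annotations

import string
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Version:
    seq: int       # position in the file's history, 1 = oldest
    digest: str    # sha256 of the content, checked again at restore time
    data: bytes


class VersionedStore:
    """Stands in for an off-device repository. There is deliberately no method to overwrite
    or delete, so a compromised client can only add versions, never destroy older ones."""

    def __init__(self) -> None:
        self._history: dict[str, list[Version]] = {}

    def put(self, path: str, data: bytes) -> Version:
        history = self._history.setdefault(path, [])
        if history and history[-1].data == data:
            return history[-1]   # unchanged content: no new version needed
        version = Version(len(history) + 1, sha256(data).hexdigest(), data)
        history.append(version)
        return version

    def versions(self, path: str) -> list[Version]:
        return list(self._history.get(path, []))

    def latest_good(self, path: str, looks_good) -> Version | None:
        """Walk backward from the newest version to the first one that passes looks_good()
        and whose stored digest still matches its bytes."""
        for version in reversed(self.versions(path)):
            if sha256(version.data).hexdigest() == version.digest and looks_good(version.data):
                return version
        return None


PRINTABLE = set(string.printable.encode())


def looks_like_text(data: bytes) -> bool:
    """Plausibility check for an ASCII text file: decodes as UTF-8 and is almost all
    printable. A format-specific check (CSV header, PDF magic, ...) would replace this
    for other file types."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return not data or sum(b in PRINTABLE for b in data) / len(data) > 0.95


# Constructed sample history: two legitimate saves, then the file as ransomware left it.
LEDGER_V1 = b"date,account,amount\n2018-12-01,4100,250.00\n"
LEDGER_V2 = LEDGER_V1 + b"2018-12-05,4100,75.50\n"
ENCRYPTED_LIKE = bytes(range(256)) * 4   # contains invalid UTF-8, as ciphertext would


def demo() -> Version | None:
    store = VersionedStore()
    store.put("finance/ledger.csv", LEDGER_V1)
    store.put("finance/ledger.csv", LEDGER_V2)
    store.put("finance/ledger.csv", ENCRYPTED_LIKE)   # the nightly job faithfully backs up the damage too
    return store.latest_good("finance/ledger.csv", looks_like_text)


if __name__ == "__main__":
    good = demo()
    print(f"restore version {good.seq}: {good.data!r}" if good else "no good copy found")
```

The digest check matters as much as the plausibility check: a version that passes a content heuristic but no longer matches the hash recorded at backup time has been altered in the store itself and should not be trusted for restore. Retention depth is the knob that decides how far back a walk like this can go, which is the storage-capacity argument made above.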
Call it a meta piece of security hygiene: Hardening your IT systems is simply a matter of reducing the number of functions and processes they perform. Statistically, it’s simple math: The less they do, the less exposed they are, and by association, the less exposed the organization is, not to mention all its data.
“System hardening is always a good idea,” said Pironti. “You basically remove all unneeded files and services and surgically allow for permissions and access controls. You tweak permissions to a granular level, allowing no widespread permission for user accounts,” he added.
Smart organizations will also institute both role-based access methods as well as application behavior monitoring, Pironti explained.
Security experts and infected users agree that ransomware is a pain; it needs only a single entry point to deliver its payload, and recovery options are very limited. Improving your protections against ransomware will help with other malware-borne threats as well; it’s just a matter of moving out of fear and into action.
“Adversaries are usually taking advantage of lazy people and lazy environments,” Pironti said.
By Terry Sweeney
Ransomware is the scourge of organizations and enterprises of all sizes, not just because of the insidious malware it unleashes, but because it costs, often dearly, to get rid of it.
Ransomware gets immediate attention because it auto-encrypts all the data it touches, bringing operations, applications and user activity to a screeching halt. Then comes the demand for money, usually in the form of cryptocurrency such as bitcoin, for the decryption key to release the captured data.
The bad news first: End users, IT professionals and channel partners can expect more ransomware variants in 2019. The good news: Basic IT hygiene, regularly performed, goes a long way toward blunting ransomware’s impact if not blocking it altogether. Think of it like dental flossing for vulnerable data.
In just a few years, ransomware has mushroomed into a multibillion-dollar problem, according to security researchers. Ransomware was forecast to cost organizations $8 billion in 2018, a disturbing jump from $5 billion in 2017, according to CyberVentures. The consultancy predicts another increase for 2019 – $11.5 billion – a disturbing trend for IT pros and channel partners.
The IT landscape is littered with ransomware victims. Some pay the ransom, which can range anywhere from tens of thousands to several million dollars. Others, like the City of Atlanta or Colorado’s Department of Transportation, give abductors the middle finger: rather than pay up, they chose to rebuild their systems from scratch, spending millions in the process.
Law enforcement offers mixed messages about whether ransomware victims should pay. Perpetrators rely on end-user desperation, which helps explain why hospital IT systems are a favored target. But ask any IT pro how urgent the atmosphere turns when users at any organization can’t access email, their data or a calendaring app, especially when the frantic call is from the CEO.
Throughout the fourth quarter of 2018, as part of our “In Focus” series, we are featuring a series of galleries designed to help partners grow their businesses in 2019 and beyond.
Ransomware typically relies on phishing emails that cleverly mimic legitimate requests, plus an inducement to click on a link — “Reset your password…” or “Save 25% off your next purchase,” for example. And that’s when all the training and IT security messaging go out the window with users who are distracted, busy or just plain stressed.
So as tempting as it is to look to advances like artificial intelligence, machine learning or cloud-based automation, ransomware remains very much a human problem, according to John Pironti, president of security consultancy IP Architects. Regular training and awareness-building are essential, he said, but so is IT discipline with best practices for enterprise security.
“When people are in pain, this is what happens — they don’t patch; they don’t harden their systems,” Pironti explained. “It’s not sexy stuff, which is why people don’t do it.”
Looking to up your anti-ransomware game?
“It’s a hygiene thing,” Pironti said, admonishing IT shops to re-commit themselves to basic protections to keep their users, data and systems safe from cryptothieves. Our slide show will help you understand more about what you can do to get back to security basics and improve your overall risk profile against ransomware.