How to prevent or contain ransomware
Post courtesy of Tom Allen, Senior Security Consultant for Foresite.
Recently there have been several high-profile cases of ransomware in the news, and the obvious question is “How can I prevent ransomware?” The answer reads like a full cybersecurity framework, which highlights why it is critical to have good governance in place and to audit it periodically.
Spam Filtering: Make sure you have a good spam filter and that your Sender Policy Framework (SPF) records are set up correctly so that your domain cannot be spoofed. Note that publishing SPF protects other organizations from mail that forges your domain; to protect your own users, your inbound filter also has to check SPF on the mail it receives.
Security Awareness: Teach your users to read the sender address on emails closely, looking for small changes such as “joe@mycompany.co” rather than “joe@mycompany.com”. The missing “m” at the end is a lookalike domain, a common impersonation trick that gets users to follow instructions that appear to come from a coworker, vendor, or customer. SPF does not catch this case, because the attacker legitimately controls the lookalike domain.
Disable Microsoft Word Macros: Most users no longer need Word macros at all. One large client recently disabled them through Group Policy and did not receive a single complaint.
Use Web Content Filtering: Block users from reaching sites where ‘malvertising’ is prevalent; block lists such as www.malwaredomainlist.com enumerate many of them.
Backups: Malware will get in at some point. Make sure you have good backups, that you have tested restoration, and that at least one copy is offline or otherwise unreachable from the network, since ransomware routinely encrypts or deletes any backups it can reach.
Even if all of these measures are defeated, the most important thing an organization can do is limit the damage. With proper internal controls in place, a single infected user has a very minor impact. Without them, your entire network can be taken down, at considerable cost in lost productivity and remediation effort.
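The two mail-side checks above can be scripted. The following PowerShell is an added example, not code from the original post or from Foresite: Test-SpfRecord parses an SPF TXT record and reports weak settings (a permissive "all" qualifier, too many DNS-lookup terms), and Find-LookalikeSender flags sender domains within a small edit distance of a trusted domain, which is exactly the "mycompany.co" versus "mycompany.com" case. The SPF records, trusted domains and addresses at the bottom are constructed sample data.

```powershell
# Added example (not from the original post). Constructed sample data at the bottom.

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $problems = @()
    if ($Record -notmatch '^v=spf1(\s|$)') {
        return [pscustomobject]@{ Record = $Record; Problems = @('not an SPF record: must start with v=spf1') }
    }
    $terms = @(($Record.Trim() -split '\s+') | Select-Object -Skip 1)
    # The last "all" term decides what receivers do with hosts you did not list.
    $all = [string]($terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1)
    if     ($all -eq '')            { $problems += 'no "all" term: unlisted senders get a neutral result' }
    elseif ($all -in 'all', '+all') { $problems += '+all: any host on the Internet may send as your domain' }
    elseif ($all -eq '?all')        { $problems += '?all is neutral: receivers will not reject spoofed mail' }
    elseif ($all -eq '~all')        { $problems += '~all is softfail: move to -all once every legitimate sender is listed' }
    # include:, a, mx, ptr, exists: and redirect= each cost a DNS lookup; RFC 7208 allows at most 10.
    $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr(:|$)|exists:)|^redirect=' }).Count
    if ($lookups -gt 10) { $problems += "$lookups DNS-lookup terms exceeds the limit of 10 (receivers return permerror)" }
    if ($terms | Where-Object { $_ -match '^[+\-~?]?ptr(:|$)' }) { $problems += 'ptr mechanism is deprecated and slow' }
    [pscustomobject]@{ Record = $Record; Problems = $problems }
}

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance: fewest single-character inserts, deletes or substitutions (case-insensitive).
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + (@(0) * $B.Length)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Find-LookalikeSender {
    param(
        [Parameter(Mandatory)][string[]]$Address,
        [Parameter(Mandatory)][string[]]$TrustedDomain,
        [int]$MaxDistance = 1     # 2 also catches "rn" for "m" swaps, at the cost of more noise on short domains
    )
    foreach ($addr in $Address) {
        $domain = ($addr -split '@', 2)[-1].ToLowerInvariant()
        if ($domain -in $TrustedDomain) { continue }          # exact match: the real domain
        foreach ($t in $TrustedDomain) {
            $d = Get-EditDistance $domain $t
            if ($d -le $MaxDistance) {
                [pscustomobject]@{ Address = $addr; LooksLike = $t; Distance = $d }
            }
        }
    }
}

# Constructed sample data (hypothetical domains and addresses)
Test-SpfRecord 'v=spf1 mx include:spf.protection.outlook.com ~all'
Test-SpfRecord 'v=spf1 a mx ptr +all'
Find-LookalikeSender -Address 'joe@mycompany.co', 'joe@mycompany.com', 'ap@vendor-exarnple.com', 'news@example.org' `
    -TrustedDomain 'mycompany.com', 'vendor-example.com' -MaxDistance 2
```

The lookalike check is meant as a filter rule or a triage aid for the mail team; it is not a replacement for the user training above, since an attacker can also register a domain that differs in more than two characters.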
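Office reads its macro policy from values under HKCU\Software\Policies, which is exactly what the Group Policy Administrative Templates write. The following script is an added example, not from the original post: it shows the same values set and read back on a single machine, which is useful both for testing the setting and for verifying that a GPO actually applied. It assumes Office 2016 or later (version key 16.0) and, going slightly beyond the post, covers Excel and PowerPoint as well as Word, since the same keys exist for each application. Writing under HKCU\Software\Policies normally requires an elevated prompt.

```powershell
# Added example (not from the original post). Assumes Office version key 16.0.

$OfficeVersion = '16.0'                  # assumption: change for other Office releases
$Apps = 'Word', 'Excel', 'PowerPoint'    # the post covers Word; Excel and PowerPoint use the same keys

# VBAWarnings values: 1 = enable all macros, 2 = disable with notification (the default, which still
# lets the user click "Enable Content"), 3 = disable all except digitally signed, 4 = disable all
# without notification. blockcontentexecutionfrominternet = 1 blocks macros in files that carry the
# Mark-of-the-Web (downloaded or received by email).

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        $warn  = if ($null -ne $props.VBAWarnings) { $props.VBAWarnings } else { 'not set (user decides in Trust Center)' }
        $block = if ($null -ne $props.blockcontentexecutionfrominternet) { $props.blockcontentexecutionfrominternet } else { 'not set' }
        [pscustomobject]@{ Application = $app; VBAWarnings = $warn; BlockInternetMacros = $block }
    }
}

function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(2, 3, 4)][int]$VBAWarnings = 4   # 4 = disable all macros without notification
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

Get-OfficeMacroPolicy                 # weak state: nothing set, so each user can enable macros
Set-OfficeMacroPolicy -VBAWarnings 4  # corrected state: macros off and not overridable from the UI
Get-OfficeMacroPolicy
```

If some departments genuinely need macros, VBAWarnings 3 (digitally signed only) combined with a trusted publisher certificate keeps their workbooks working while still blocking the unsigned macro in a phishing attachment.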
To minimize exposure:
- For starters, make sure your users are not local administrators.
- Make sure your domain administrators do not use their domain administrator accounts as their primary logon.
- Implement the principle of least privilege throughout.
- Protect your service accounts by giving them only the rights they need to perform the service required.
- Classify your data and apply higher security levels based on data sensitivity.
- Do not use ‘flat’ networks: keep sensitive data segregated in its own VLAN and use ACLs so that only the users, services, and protocols that need access can reach it.
- Review all of these protections twice a year to make sure they are still accurate and still enforced.
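The first two items in the list above, and the twice-yearly review, can be checked with a short audit of the local Administrators group on each workstation. The following PowerShell is an added example, not from the original post: it compares the group's members with an allow-list and reports anything unexpected, calling out domain user accounts in particular, since those are the "users are local admins" and "admins log on with their admin account" cases. The member list at the bottom is constructed sample data with hypothetical names; on a real machine, pass the output of Get-LocalGroupMember (Windows 10 / Server 2016 and later) instead.

```powershell
# Added example (not from the original post). Sample members below are constructed.

function Test-LocalAdminMembers {
    param(
        [Parameter(Mandatory)][object[]]$Member,      # objects with Name, ObjectClass, PrincipalSource,
                                                      # the shape Get-LocalGroupMember returns
        [Parameter(Mandatory)][string[]]$AllowedName  # exact names permitted in Administrators
    )
    foreach ($m in $Member) {
        if ($m.Name -in $AllowedName) { continue }
        $finding = if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            'domain user is a local administrator: remove, and use a separate admin account or group'
        } elseif ($m.ObjectClass -eq 'User') {
            'unexpected local user in Administrators'
        } else {
            'unexpected group in Administrators'
        }
        [pscustomobject]@{ Name = $m.Name; ObjectClass = $m.ObjectClass; Source = $m.PrincipalSource; Finding = $finding }
    }
}

# Constructed sample data (hypothetical workstation WS01 and domain CORP)
$sample = @(
    [pscustomobject]@{ Name = 'WS01\Administrator';      ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'CORP\Domain Admins';      ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CORP\Workstation Admins'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CORP\jsmith';             ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'WS01\helpdesk';           ObjectClass = 'User';  PrincipalSource = 'Local' }
)
$allowed = 'WS01\Administrator', 'CORP\Domain Admins', 'CORP\Workstation Admins'

Test-LocalAdminMembers -Member $sample -AllowedName $allowed | Format-Table -AutoSize

# On a live machine:
# Test-LocalAdminMembers -Member (Get-LocalGroupMember -Group Administrators) -AllowedName $allowed
```

Run the same check from a scheduled task or your configuration-management tool and keep the output; a member that appears between two reviews is either an undocumented change or the first sign that something on that machine has already been compromised.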
If you follow these practices, then even if you do get a ransomware infection it should do limited damage and be recoverable without paying the ransom.