Incidents of ransomware have recently increased, particularly against healthcare organizations. Rather than paying a ransom, it may be more cost-effective to take preventive steps that reduce the likelihood of an attack. Security expert Mark Dill, principal consultant of tw-Security and former CISO at Cleveland Clinic, offers steps organizations should consider taking, using a “People, Process, and Technology” approach.
1. Educate the workforce.
People are the root cause of ransomware infections, so start there. Educate the workforce and let them know that there are real consequences if they carelessly click on a link embedded in an email or on a website while surfing the Internet. Consider tools that test the workforce’s knowledge by sending fake phishing emails. If a worker clicks on the fake link or attachment, their web session is routed to a tutorial explaining that this was a phishing attack and that phishing attacks can lead to ransomware. Record the CEO delivering the warning message to have an even greater impact!
2. Ban all personal webmail and surfing on corporate devices.
Most workers have their own mobile device (smartphone or tablet) that they bring to work. Make them use those devices connected through a “guest” wireless network in order to isolate and protect the internal network. However, make sure you sell this idea to executive management first. Otherwise, depending upon an organization’s culture, there could be some backlash.
3. Implement a data backup plan with a longer retention schedule.
Often the ransom request is sent several days after the files have been encrypted. The longer the timespan between the last full backup copy and the ransom demand, the greater the odds that the organization cannot fully recover from backups alone and is forced to pay the ransom. Retain at least two months’ worth of full disk backups. Require the workforce to store all work-related data on a network drive rather than on a local hard drive. It is critical to remind workers of this because many are using personally-owned devices to do work.
4. Create incident response procedures.
It is no longer a matter of “if” but “when” a cyber-attack, possibly including ransomware, will happen. Plan ahead and be prepared by developing incident response procedures and specific playbooks to address the most common types of attacks. The first 48 hours are critical. In panic situations, workers forget key steps, which can hamper an investigation, legal action, and even recovery operations. Once the procedures are developed, conduct a tabletop exercise or drill. Update the procedures and playbooks once the exercise is completed to address any gaps or findings.
5. Filter Internet traffic more closely.
Does your organization really need to allow external traffic to flow to/from countries such as North Korea, Iran, and China? Consider restricting inbound and outbound traffic by creating a blacklist/whitelist. Quarantine or block inbound email traffic that comes from newly created domains. Typically, attackers use domains that are less than 72 hours old to launch their phishing emails – the primary source of ransomware and other malware. Also, prevent Cryptolocker (Crypto) variants from launching on Windows devices.
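The “newly created domain” check above can be run as a mail-gateway triage rule. The following is an added example, not code from the article or from tw-Security: it parses constructed Postfix-style queue log lines, extracts the envelope sender’s domain, and compares the domain’s registration date (taken here from a constructed in-memory table standing in for a WHOIS/RDAP lookup) against the 72-hour threshold. Senders whose domain is younger than 72 hours are marked for quarantine; bounces with an empty sender and domains with no registration record are marked for review rather than silently delivered. All domain names, timestamps and log lines are constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Age below which a sending domain counts as "newly created" (the 72-hour figure from the text).
NEW_DOMAIN_MAX_AGE = timedelta(hours=72)

# Constructed stand-in for a WHOIS/RDAP "registered on" lookup, keyed by domain.
# A real deployment would query RDAP or a domain-reputation feed and cache the answers.
DOMAIN_REGISTERED = {
    "example.com": datetime(1995, 8, 14, tzinfo=timezone.utc),
    "invoice-portal.example": datetime(2016, 5, 9, 6, 0, tzinfo=timezone.utc),
    "partner-lab.example": datetime(2014, 2, 1, tzinfo=timezone.utc),
}

# Constructed mail-gateway log lines (Postfix-like syntax) used as sample input.
SAMPLE_LOG = """\
May 10 09:15:02 mx1 postfix/qmgr[2211]: 7A1B2C: from=<billing@invoice-portal.example>, size=48213
May 10 09:15:40 mx1 postfix/qmgr[2211]: 7A1B2D: from=<results@partner-lab.example>, size=9120
May 10 09:16:05 mx1 postfix/qmgr[2211]: 7A1B2E: from=<newsletter@example.com>, size=30311
May 10 09:16:31 mx1 postfix/qmgr[2211]: 7A1B2F: from=<noreply@unlisted-domain.example>, size=1200
May 10 09:17:00 mx1 postfix/qmgr[2211]: 7A1B30: from=<>, size=800
"""

# Fixed "current time" so the sample run is reproducible; it matches the sample log's date.
SAMPLE_NOW = datetime(2016, 5, 10, 9, 20, tzinfo=timezone.utc)

# Matches the queue id and the envelope sender in a queue-manager log line.
LOG_RE = re.compile(r"\b(?P<queue_id>[0-9A-F]{6}): from=<(?P<sender>[^>]*)>")


def sender_domain(address: str) -> Optional[str]:
    """Return the lowercase domain of an envelope sender, or None for bounces (<>) or malformed input."""
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1].strip().lower()
    return domain or None


def classify_domain(domain: Optional[str], now: datetime) -> str:
    """
    deliver    - domain registered more than NEW_DOMAIN_MAX_AGE ago
    quarantine - domain registered within NEW_DOMAIN_MAX_AGE
    review     - no sender domain, or no registration record available
    """
    if domain is None:
        return "review"
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is None:
        return "review"
    if now - registered < NEW_DOMAIN_MAX_AGE:
        return "quarantine"
    return "deliver"


def triage_log(log_text: str, now: datetime) -> Dict[str, str]:
    """Map each queue id found in the log to its verdict."""
    verdicts: Dict[str, str] = {}
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        domain = sender_domain(match.group("sender"))
        verdicts[match.group("queue_id")] = classify_domain(domain, now)
    return verdicts


if __name__ == "__main__":
    for queue_id, verdict in triage_log(SAMPLE_LOG, SAMPLE_NOW).items():
        print(f"{queue_id}: {verdict}")
```

The rule deliberately never answers “deliver” when the registration date is unknown: an attacker-controlled domain with no reputation record should land in a review queue, not the inbox. In production, replace the in-memory table with a cached RDAP query and keep the threshold configurable.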
6. Review access rights on network drives.
“Least privilege” is a longstanding information security principle. If a worker only needs to read files, they should not have access rights (privileges) that would allow them to “write” data to the drive. Ransomware needs write access in order to encrypt the data.
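One way to act on this review is to audit a flattened share-permission export against the documented write needs for each share. The following is an added example, not code from the article or from tw-Security. It assumes a constructed export of (share, principal, right) rows, as one would flatten from an icacls, Get-Acl or smbcacls listing, a constructed table of which groups are approved to write to each share, and constructed (already expanded) group memberships. It reports grants that give write access without a documented need, and, because ransomware running under a user account can only encrypt what that account can write, it also lists the shares each user could encrypt. Share names, group names and user names are all constructed sample data.

```python
from typing import Dict, List, Set, Tuple

# Rights on an NTFS/SMB ACL that allow changing file contents (constructed subset of the real names).
WRITE_RIGHTS = {"Write", "Modify", "FullControl"}

AclRow = Tuple[str, str, str]  # (share, principal, right)

# Constructed ACL export: one row per grant on each network share.
SHARE_ACL: List[AclRow] = [
    (r"\\fs01\imaging", "G-Radiology-Techs", "Read"),
    (r"\\fs01\imaging", "G-Radiologists", "Modify"),
    (r"\\fs01\finance", "G-Finance", "Modify"),
    (r"\\fs01\finance", "G-All-Staff", "Modify"),
    (r"\\fs01\policies", "G-All-Staff", "Read"),
    (r"\\fs01\policies", "G-Compliance", "Modify"),
]

# Constructed documented need: the only principals that should be able to write to each share.
APPROVED_WRITE: Dict[str, Set[str]] = {
    r"\\fs01\imaging": {"G-Radiologists"},
    r"\\fs01\finance": {"G-Finance"},
    r"\\fs01\policies": {"G-Compliance"},
}

# Constructed group membership, already flattened (nested groups expanded).
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "G-Radiology-Techs": {"tech1", "tech2"},
    "G-Radiologists": {"drlee"},
    "G-Finance": {"fin1"},
    "G-Compliance": {"comp1"},
    "G-All-Staff": {"tech1", "tech2", "drlee", "fin1", "comp1", "intern1"},
}


def excess_write_grants(acl: List[AclRow], approved: Dict[str, Set[str]]) -> List[AclRow]:
    """Return the grants that confer write rights on a share without a documented write need."""
    return [
        (share, principal, right)
        for share, principal, right in acl
        if right in WRITE_RIGHTS and principal not in approved.get(share, set())
    ]


def writable_shares_by_user(acl: List[AclRow], members: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """For each user, the shares a process running under that account could modify (and so encrypt)."""
    result: Dict[str, Set[str]] = {}
    for share, principal, right in acl:
        if right not in WRITE_RIGHTS:
            continue
        # A principal that is not a known group is treated as a directly granted user account.
        for user in members.get(principal, {principal}):
            result.setdefault(user, set()).add(share)
    return result


if __name__ == "__main__":
    print("Write grants without a documented need:")
    for share, principal, right in excess_write_grants(SHARE_ACL, APPROVED_WRITE):
        print(f"  {share}  {principal}  {right}")
    print("Shares each user could encrypt:")
    for user, shares in sorted(writable_shares_by_user(SHARE_ACL, GROUP_MEMBERS).items()):
        print(f"  {user}: {', '.join(sorted(shares))}")
```

In the sample data the single finding is the Modify grant to G-All-Staff on the finance share; it is also what puts the finance share into every user’s encryptable set, so removing that one grant shrinks the blast radius of any single compromised account.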
7. Consider next-generation anti-malware tools that use advanced math to predict malware.
Update endpoint antivirus/anti-malware tools. The legacy suites that rely on pattern file updates are struggling to keep up with recent or zero-day threats such as ransomware. Next-generation antivirus tools rely on sophisticated mathematical engines to detect and block malware in application or executable code.
8. Evaluate advanced persistent threat tools.
Implement Advanced Persistent Threat (APT) tools and processes. Many Crypto variants start with an initial infection (before encryption) that requires them to reach out to a Command and Control server on the Internet to get the encryption key. APT tools can see and block this communication, and prevent the infection and harm.
9. Implement intrusion prevention systems.
Improve Intrusion Prevention Systems (IPS). As with APT tools, some IPS vendors’ products can also block the Command and Control communication and prevent the infection and harm. Check with your IPS or firewall vendor to see if you already own this feature but are not yet using it.
10. Patch vulnerable versions of PDF viewers and Flash players.
Best practices strongly recommend maintaining software patches for operating systems and applications. Knowing that patching requires testing, the biggest return on the time spent patching is on PDF viewers and Flash players, followed by web browser patches. These three software tools are the most common attack vectors for ransomware.