Good Practice Suggestions to Protect Your Organization From Ransomware Attacks — Part 1

Meltem Yapar
Published in DataBulls
4 min read · Jan 12, 2023

Ransomware is an online attack perpetrated by cybercriminals who demand a ransom to release their hold on encrypted or stolen data. The most effective defenses against ransomware include “multifactor authentication”, “frequent security patches” and “Zero Trust principles” across the network architecture.

As everyone interested in information security has noticed, the number of ransomware attacks has increased rapidly. The main reason is that ransomware has become a very easy attack: unwitting employees can be tricked by an email into launching malware on devices attached to company networks. For that reason, employee education and well-defined processes should be the main elements protecting your organization. In this paper, without giving any information about how ransomware attacks work, we will focus only on the controls and best practices organizations should design or develop to protect themselves from this type of attack.


Here are the good practice suggestions and controls:

  1. Information security training and awareness should be provided to all personnel so that they understand their security responsibilities. Training should especially emphasize identifying phishing, business email compromise fraud, malicious spam, and ransomware and malware incidents.
  2. End users should know how to identify anomalies and where to report them. Quick recognition and reporting of malicious activity can reduce the overall impact of an attack and ultimately save both time and money. For example, if an employee receives an e-mail containing ransomware, the organization should quickly search other employees’ mailboxes to identify copies of the same email. These emails should be immediately extracted and purged to prevent them from being opened.
  3. The incident response process should be designed around the “preparation”, “detection and analysis”, “containment”, “eradication and recovery” and “post-incident activities” steps.
  4. Management should know in advance how they will manage communication with all parties (customers, stakeholders, regulatory authorities, etc.) when a ransomware event occurs.
  5. There should be a team to identify and detect anomalies such as attempts to uninstall known antivirus programs or other security applications. Critical commands such as “clear event logs”, “delete shadow copies” and “turn off services” must also be monitored so that an alarm is triggered when they are run.
  6. There should be well-defined disaster recovery plans that take into account the potentially disruptive impact on business continuity and critical operations.
  7. Malicious code is often hidden inside common work tools, such as Office suite documents or spreadsheets. Disabling unnecessary macros can help establish an additional layer of defense.
  8. Penetration tests should be performed periodically to find entry points into the organization before an attacker does. Misconfigurations, default passwords and single-factor authentication may allow an attacker to find and use them. Therefore, organizations must continually work to find and fix exploitable vulnerabilities that affect their most important applications, networks, hardware and people.
  9. Attachments arriving by e-mail should be checked to determine whether they are risky. For example, you can configure the email server to strip any executable file or to allow only trusted (signed) macros. You can also design the server to strip .JS attachments before allowing delivery to the user’s mailbox.
  10. Antivirus solutions should be updated with the latest virus definitions to optimize their effectiveness. In addition, different antivirus products can be deployed for desktops, servers and the email gateway, so that a threat missed by one product may be detected by another. Continuous monitoring is also important to counter an active attack.
  11. Malware commonly uses ‘Temp’ folders as its initial execution point. Therefore, you should block executables not only in temporary folders but also in other nonstandard folders such as %AppData% or %LocalAppData%, which are used by many malware and ransomware families.
  12. Vulnerability management should be designed to identify vulnerabilities that are actively being weaponized and to rank the most severe vulnerabilities for priority remediation. In addition, the patch management policy should be managed effectively, especially for browser vulnerabilities, since browsers are used by a large population of employees.
  13. Organizations should outright block specified malicious IP addresses or domains at the egress gateway, or implement a DNS sinkhole to prevent attempts to reach blocked sites. In addition, reputation-based web filtering solutions should be applied to identify bad destinations rapidly.
  14. All end users and admins should be authorized with the minimum levels of access or permissions needed to perform their jobs.
  15. End-of-life products should not remain in your asset inventory; they must be removed immediately (for example, Adobe Flash should be disabled to eliminate that attack vector).
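As an added example (not code from the original post), here is Python detection logic for the monitoring in item 5: it scans constructed process-creation events for the three command categories the post names and flags hosts where more than one category fired. The sample events and command patterns are assumptions, and the service-stop pattern also matches routine administration, so in practice it needs an allowlist.

```python
import re

# Constructed sample process-creation events (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-014", "jdoe", r"C:\Windows\System32\notepad.exe report.txt"),
    ("WS-014", "jdoe", "vssadmin.exe delete shadows /all /quiet"),
    ("SRV-DB1", "svc_backup", "wevtutil.exe cl Security"),
    ("WS-022", "asmith", 'net stop "ExampleAV Service" /y'),
    ("WS-022", "asmith", "wmic.exe shadowcopy delete"),
    ("WS-031", "bmiller", "sc.exe stop ExampleEDR"),
    ("SRV-DB1", "svc_backup", "powershell.exe Get-Process"),
]

# One rule per category from the post; the patterns are assumptions over the Windows command line.
# The "turn off services" pattern also matches routine administration and needs an allowlist.
RULES = {
    "delete shadow copies": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "clear event logs": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "turn off services": re.compile(r"\b(net|sc)(\.exe)?\s+stop\b", re.I),
}

def classify(command_line):
    """Return the category whose rule matches, or None for a command no rule flags."""
    for category, pattern in RULES.items():
        if pattern.search(command_line):
            return category
    return None

def scan(events):
    """Return (host, user, category, command_line) for every event that trips a rule."""
    alerts = []
    for host, user, cmd in events:
        category = classify(cmd)
        if category is not None:
            alerts.append((host, user, category, cmd))
    return alerts

def hosts_with_multiple_categories(alerts):
    """Hosts where more than one category fired: a stronger signal than any single alert."""
    seen = {}
    for host, _user, category, _cmd in alerts:
        seen.setdefault(host, set()).add(category)
    return sorted(host for host, cats in seen.items() if len(cats) > 1)

if __name__ == "__main__":
    for host, user, category, cmd in scan(SAMPLE_EVENTS):
        print(f"[{category}] {host} {user}: {cmd}")
```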
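An added example, not the post’s own code, for the attachment checks in item 9: a Python filter that parses a constructed MIME message, strips attachments whose final extension is executable or script content (so a double extension such as invoice.pdf.JS is still caught), and leaves a notice in their place. The extension list is an assumption to tune for your environment.

```python
import email
from email import policy
from email.message import EmailMessage

# Final extensions to strip before delivery (executables and scripts, including .JS as the
# post suggests). The list is an assumption; extend it for your environment.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".jse", ".vbs", ".hta"}

def is_blocked(filename):
    """True if the final extension is blocked, so 'invoice.pdf.js' counts as a .js file."""
    if not filename:
        return False
    name = filename.strip().lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)

def strip_risky_attachments(raw_bytes):
    """Parse a raw message; return (cleaned message, filenames of removed attachments)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        filename = part.get_filename()
        if is_blocked(filename):
            removed.append(filename)
            # Replace the payload with a notice instead of deleting the MIME part, so the
            # structure stays valid and the recipient can see what was removed.
            part.set_content(f"Attachment '{filename}' was removed by mail policy.\n")
    return msg, removed

def remaining_attachments(msg):
    """Filenames of the attachments still present after filtering."""
    return [p.get_filename() for p in msg.walk() if p.get_content_disposition() == "attachment"]

def build_sample():
    """Constructed sample message: a benign PDF, a double-extension .JS file and an .exe."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", "Invoice"
    m.set_content("Please see the attached invoice.")
    for data, subtype, name in [(b"%PDF-1.4 placeholder", "pdf", "invoice.pdf"),
                                (b"// placeholder", "octet-stream", "invoice.pdf.JS"),
                                (b"MZ placeholder", "octet-stream", "setup.exe")]:
        m.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_risky_attachments(build_sample())
    print("removed:", removed, "kept:", remaining_attachments(cleaned))
```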

Preventing ransomware attacks entirely may not be possible nowadays, but many controls can be designed to reduce risks and to better detect and contain an attack. By implementing these controls, organizations can protect themselves and their customers from potential threats. Therefore, I will continue with further security suggestions in my second article on the same subject.

See you in the next article :)

Best regards,

Meltem Yapar
