Good Practice Suggestions to Protect Your Organization From Ransomware Attacks — Part 2

It is very valuable to understand exactly which controls should be implemented and how organizations can protect themselves from ransomware, because defined processes and controls are the only way to manage ransomware events.

Meltem Yapar
DataBulls
5 min read, Jan 29, 2023

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.

Here, we have focused on 15 important controls and best practices that organizations should design or develop to protect themselves from this type of attack. In this article, we will continue to concentrate on security controls generally suggested by IBM, NIST, and ISACA. Here are the good practice suggestions and controls:

  • Audit and event log records should be determined, documented, and implemented to support forensic response. Most importantly, there should also be a process to decide which information security incidents require a forensic examination.
  • There should be centralized log management using a security information and event management (SIEM) tool. This enables an organization to correlate logs from both network and host security devices.
  • There should be incident response plans to reduce the damage to the organization and the effort needed to restore access to data, systems, and business operations. The plan should be documented clearly and include all roles and responsibilities for preventing ransomware attacks.
  • Numerous spam campaigns are delivered via .zip file attachments, and such .zip files typically contain a JScript (.js/.jse) file that, if clicked, will be run via Windows Script Host (WSH). Therefore, WSH should be disabled if it is not required by users, to prevent some of the malicious scripting possibilities.
  • Work computers should only be used for business needs. Personal websites and social media platforms should be blocked on work computers.
  • Information technology and information security departments should practice different scenarios, such as users receiving a ransom message on their computer, a user attempting to access a local file and finding it is encrypted, or massive file manipulation alerts.
  • Access to untrusted web resources should be blocked. Insecure systems and protocols should be isolated, disabled, and retired. You should only use products and services that block access to server names, IP addresses, ports, and protocols that are known to be malicious or that behave like malicious system activity.
  • Also block all non-SSL traffic that attempts to use port 443. Organizations can strengthen their defense by using a proxy device to provide visibility into SSL traffic over port 443 and by blocking all non-SSL traffic attempting to use that port.
  • Only authorized applications should be installed and executed, enforced via Microsoft Software Restriction Policies or AppLocker.
  • Vulnerable systems should not remain in the asset inventory. Operating systems, software, and firmware on devices should be patched as vulnerabilities are discovered. If they cannot be patched, compensating controls should be designed to minimize risk.
  • In particular, internet-facing servers and clients, as well as office applications, should be hardened by applying a security baseline.
  • Network segmentation is already a common practice for most businesses and organizations to prevent unrestricted lateral movement. Therefore, VLAN segmentation, firewall segmentation, and least-privilege segmentation should be designed to manage risks.
  • Personally owned devices without prior authorization should not be connected to work networks.
  • Organizations generally do not fully consider the security configurations of cloud platforms because of the speed of deployments. Security settings associated with cloud environments should be enabled completely and carefully.
  • The most important defense for any organization against ransomware is a robust system of backups. Moreover, restore tests should be performed periodically to verify backup integrity. You must also ensure that backups are not connected to the computers and networks they are backing up; for example, store them physically offline.
  • There should be controls for the use of RDP, including auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.
  • User accounts should be reviewed and audited periodically, such as: users who have permission to install and run software applications, users who have local administrator rights, users who have root access, users who can run cmd and PowerShell, etc.
  • Remote access should be managed. Using multi-factor authentication is an easy way to reduce the likelihood of account compromise and to protect against malicious code insertion or data exfiltration. Therefore, MFA should be implemented for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Integrity checking mechanisms should be used to verify software, firmware, and information integrity. Also, a configuration change control process should be implemented, in line with the configuration baseline standard, to discourage replacing code with products that contain malware. For example, ports and protocols that are not being used for a business purpose should be disabled.
  • A Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification should be implemented to lower the chance of spoofed or modified emails from valid domains.
  • Third parties and managed service providers (MSPs) should be evaluated to ensure that they implement security practices at least as strong as your organization's.
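The centralized logging and RDP logging controls above only pay off if someone correlates the events. As an added example (not part of the original article), the following Python reads a constructed, simplified CSV export of Windows Security events (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP) and flags a source that fails repeatedly within a short window, plus any RDP success from that source afterwards. The CSV layout, the threshold, and the sample addresses are assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (NOT real logs) in a simplified CSV layout:
# timestamp,event_id,logon_type,user,src_ip
SAMPLE_EVENTS = """\
2023-01-29T10:00:01,4625,10,admin,203.0.113.7
2023-01-29T10:00:03,4625,10,administrator,203.0.113.7
2023-01-29T10:00:04,4625,10,backup,203.0.113.7
2023-01-29T10:00:06,4625,10,admin,203.0.113.7
2023-01-29T10:00:09,4625,10,admin,203.0.113.7
2023-01-29T10:00:12,4624,10,admin,203.0.113.7
2023-01-29T10:05:00,4625,10,jdoe,192.0.2.5
2023-01-29T10:30:00,4624,2,jdoe,192.0.2.5
"""

# Windows Security event IDs and the RemoteInteractive (RDP) logon type
FAILED, SUCCESS, RDP_LOGON = "4625", "4624", "10"


def parse_event(line):
    ts, event_id, logon_type, user, src_ip = line.split(",")
    return datetime.fromisoformat(ts), event_id, logon_type, user, src_ip


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (src_ip, kind) tuples. 'bruteforce' fires once per
    source when it reaches `threshold` failed RDP logons inside `window`;
    'success_after_bruteforce' fires for each later RDP success from that
    source, which is the case an analyst should treat as a likely compromise."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ts, event_id, logon_type, _user, src_ip = parse_event(line)
        if logon_type != RDP_LOGON:
            continue  # interactive console, network or batch logons are out of scope
        recent = failures[src_ip]
        if event_id == FAILED:
            recent.append(ts)
            while recent and ts - recent[0] > window:  # expire old failures
                recent.popleft()
            if len(recent) >= threshold and src_ip not in alerted:
                alerted.add(src_ip)
                alerts.append((src_ip, "bruteforce"))
        elif event_id == SUCCESS and src_ip in alerted:
            alerts.append((src_ip, "success_after_bruteforce"))
    return alerts
```

In a real deployment the same logic runs as a SIEM correlation rule; the point is that the RDP login attempts are only useful once they are collected and correlated per source.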
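The DMARC control above is only effective if the published record actually enforces a policy; a record with p=none or a reduced pct only monitors. As an added example (not from the original article), this Python parses a DMARC TXT record and summarises whether it is enforcing. The records used are constructed, and the helper names are assumptions.

```python
# DMARC tag values defined by the standard; used to reject typos in records
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Return a dict of tag -> value from a 'v=DMARC1; p=...' TXT record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    if tags.get("sp", tags["p"]) not in VALID_POLICIES:
        raise ValueError("invalid sp= tag")
    return tags


def assess_dmarc(record):
    """Summarise enforcement: effective policy for the domain and its
    subdomains, sampling percentage, whether aggregate reports are
    collected, and whether the record actually enforces anything."""
    tags = parse_dmarc(record)
    pct = int(tags.get("pct", "100"))      # pct defaults to 100 when absent
    sp = tags.get("sp", tags["p"])         # subdomain policy defaults to p
    enforcing = tags["p"] in ("quarantine", "reject") and pct == 100
    return {
        "policy": tags["p"],
        "subdomain_policy": sp,
        "pct": pct,
        "reporting": "rua" in tags,        # rua= is where aggregate reports go
        "enforcing": enforcing,
    }


# Constructed records for illustration (not real domains' policies)
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"
```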

As you know, preventing ransomware attacks may not be possible nowadays, but many controls can be designed to reduce risks and to better detect and contain an attack. If your security maturity level is high, you will easily realize that the controls you need to establish against ransomware attacks will not change much.

If not, these are basic preventative controls that your organization can adopt now to protect against ransomware threats. Therefore, start by reviewing the security controls implemented across your company and design any missing controls as soon as possible.

If you need any help to design processes and controls, please don’t hesitate to write me:) See you in the next article:)

Best regards,

Meltem Yapar

https://www.linkedin.com/in/meltem-yapar-67b9b69b/
