[BreachExchange] Nine Ways to Protect an Enterprise Against Ransomware
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Dec 29 18:57:37 EST 2016
http://www.eweek.com/security/nine-ways-to-protect-an-
enterprise-against-ransomware.html
Ransomware infiltrations in enterprises increased by 35 percent in 2016,
according to consensus of security industry analysts and vendors, including
Symantec. But even more alarming is the recent rise in its sophistication
and distribution.
Ransomware is a type of malware that prevents or limits users from
accessing their system, either by locking the system's screen or by locking
the users' files unless a ransom is paid. It can bring your business to a
halt and cause significant financial damage.
Unlike the stealthier advanced attacks that can stay undetected on
corporate network for months, the impact of ransomware is immediate and
intrusive. Cyber attackers don't need a lot of money, resources or
technical sophistication to use ransomware. Businesses are increasingly
concerned about monetary damage, business downtime and other effects of
ransomware.
Here are nine important steps, provided as industry information by
enterprise security provider Landesk, that an enterprise should take to
protect against a malware attack.
1. Patch the Critical Operating Systems and Applications
For most organizations, patching should be the first or second line of
defense against any attack, including ransomware.
You can prevent many such attacks by ensuring that the OS and required
third-party applications on each client system are up to date. You should
also make a special effort to ensure that all critical patches and updates
for applications such as Adobe Flash, Java, Web browsers, and Microsoft
Office are kept current. In addition, you should prioritize patch and
update deployments based on business needs and policies—and you should
execute those deployments in ways that don't disrupt user or business
operations.
Many organizations fear that comprehensive, timely, and consistent patching
is too complex to execute and maintain, or that it may break critical
business applications. However, using the latest patch management tools to
scan for missing patches and deploy them to workstations or servers is a
straightforward task—even in the most complicated environments.
2. Ensure that Antivirus Software is Up to Date and that Regular Scans Are
Scheduled
If patching is your first line of defense, then antivirus (AV) should be
the next one. Security researchers know by now that most ransomware attacks
cannot be stopped by traditional, signature-based AV solutions. However,
you don't want to fall victim to malware threats that are already
identified and tagged by your AV vendor.
Ensuring that your virus definition database is always up to date on all
your workstations is the most important element of an effective AV
strategy. Good security management software can automate this process. Good
solutions can distribute the latest virus definition file to all your
endpoints in any size of environment very efficiently bandwidth-wise.
3. Manage Carefully the Use of Privileged Accounts
Minimizing privileges is an important tactic to protect against many types
of malware, including ransomware. For example, a recently discovered
ransomware attack called "Petya" requires administrator privileges to run
and will do nothing if the user doesn't grant those privileges.
Removing administrator rights is easy, but balancing privileged access,
user productivity and enterprise security isn't. Thus the need for
privilege management solutions.
However, one thing to consider when protecting against ransomware is that
many ransomware attacks are simply executables that users are tricked into
running. Once executed, those ransomware instances run inside the current
user space and don't require any administrator privileges to do their
damage. For example, an updated version of the recent Petya ransomware
attack has a fallback mechanism that allows it to encrypt files without the
need for administrator privileges.
4. Implement Access Control that Focuses on the Data
An effective access control solution can help you protect against
ransomware. However, if the solution focuses primarily or exclusively on
user-access rights, it will likely prove less than effective.
Access control can be highly beneficial for protecting files located in
shared drives. That's because some users may always have legitimate rights
to access and modify at least some files on every shared drive. After all,
most of those files are document files created by legitimate users. This
means that a ransomware attack that successfully infects the system of a
user with legitimate access rights can encrypt and hold hostage all of the
files on all connected, shared drives and folders.
Compared to traditional access control, the new-gen method of data
protection relies on understanding the behavior of ransomware and does not
require creation and management of user-specific (and ever-changing) rules.
It is therefore also easier to implement and maintain than access control
based on user-rights management.
5. Define, Implement and Enforce Software Rules
Good enterprise software also makes it easy to define, implement and
enforce rules that govern how other software behaves. Rules can restrict
the ability of designated software to execute, or to create, modify, or
read any file, or files located in specific folders—including the temporary
folders used by browsers and other programs.
Those rules can be applied globally or to specific users or groups.
However, before implementing such rules, it is important to consider the
user experience degradation such rules can introduce. For example, when
installing new or updated software, legitimate users are sometimes required
to decompress ("unzip") or execute files directly from their browsers.
Users may also rely upon the ability to create or invoke macros to do their
jobs.
Software restriction rules may block these otherwise legitimate activities.
6. Disable Macros from Microsoft Office Files
Disabling macros from Office files will block many types of malware,
including ransomware. For example, Locky is a relatively new
crypto-ransomware that spreads primarily via spam with attachments. It
entices users to enable macros in Word documents that download the malware
onto machines.
7. Implement Applications Whitelisting
This solution effectively eliminates the ability of any ransomware to run,
since no ransomware is trusted. It ensures that only known applications
designated as trusted can run on any endpoint. The biggest challenges to
the success of whitelisting are creating the initial list of trusted
applications, and keeping that list accurate, complete, and current.
8. Restrict Users to Virtualized or Containerized Environments
In most cases, ransomware is distributed as an email attachment.
Restricting users to virtualized or containerized environments will ensure
that any ransomware that gains access to a user's system will do no harm to
the user's primary work environment.
9. Back Up Critical Files Frequently
The FBI paper recommends using timely, frequent backups of critical files
as a business continuity consideration. If done right, backups will save
the day if you're attacked by ransomware.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161229/3972298f/attachment.html>
More information about the BreachExchange
mailing list