Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we continue the series of TomCasts on Ransomware. This particular TomCast is going to focus on doing your part to prevent a Ransomware attack or infection. There are various aspects of a network environment that, when broken down, account for around ten specific areas in which to focus your Ransomware prevention efforts. If one of these areas does not necessarily apply, then move on to the next; protecting an organization's network versus protecting a personal home network can have some differences, but also some commonalities.
For reference, I am pulling a lot of this information from a document located online; open a browser and search for “preparing for a cyber incident”, then in the results look for the United States Secret Service Cybercrime Investigations site. There are several useful resources out there, not to mention the playbook battle cards mentioned in the previous TomCast on the GuardSight GitHub page.
Ok, enough background resource info, let’s dive in. First, we need to address vulnerability management and patch management. Are you keeping your systems as up-to-date as possible? For a home user on a personal home network, that answer should be a resounding yes. If not, change your priorities a bit with regards to your technological assets. Keeping them up-to-date addresses security vulnerabilities and helps to prevent exploitation of those vulnerabilities. If you don’t know how to update your particular system or app, ask someone or search the web. There are lots of resources out there to guide you.
If you are considering the organization you work for and you don’t know the answer, ask. Find out if your organization has a routine patch management program or practice. If they do not, this is something that needs to be addressed right away. As stated earlier, vendors release patches for various vulnerabilities discovered in their products either by researchers or threat actors, and those patches or upgrades prevent threat actors from exploiting these vulnerabilities. Many vendors release patches on a scheduled cadence.
Second, address the user permissions in your environment. Obviously if this is your personal system and home network you more than likely have permissions on the system to do anything you need to do, but think about software or apps you install on your laptop, desktop, tablet, or phone. Do you know where that software came from? Do you have to give that app administrative permissions on your phone or tablet? If so, do you know why you have to and what the app is going to be accessing? These and other questions should be asked before allowing elevated permissions on your system.
As a network or system administrator, your general user base needs to adhere to the principle of least privilege. Only the permissions required to perform the responsibilities of the position should be granted. This is also why the number of administrative accounts should be kept to a minimum, if at all possible.
Third, utilize some form of malware scanner on email. Organizational-level solutions are much more robust due to the sheer amount of email that is processed hourly, daily, weekly, and monthly. For home users, your endpoint security solution (or, to simplify, your anti-virus program or application) should have some sort of scanner that scans incoming and outgoing email to ensure no malicious content is present. Why would this be important? One main path-of-travel for Ransomware infections is phishing. If your scanner is configured to scan for malicious links and malicious content, it may remove the threat before you even see it.
Fourth, configure your firewall settings to block malicious IP addresses. With home systems and personal networks this can be rather in-depth since personal firewalls are not as robust as commercial or organizational-level firewalls, but if you utilize a home router that has a built-in firewall, check the security settings and see if you are able to block malicious IP addresses. Organizational network support personnel should also be working with the firewalls to configure them the same way. This can prevent a lot of malicious traffic from ever reaching your network.
Fifth, consider utilizing application whitelisting. Application whitelisting is a list of applications or programs that are permitted to run on a particular host or within a particular network. If the application or program is not in that list, access is denied. This is more of an organizational-level configuration, but some home or personal network equipment has security settings that allow this type of configuration.
Sixth, and one of the most important pieces of any part of security, become cyber-aware. Train yourself or make sure your organization is trained on cybersecurity awareness. Many different threats out there can be prevented through simple awareness; human error still accounts for the bulk of all breaches, compromises, and infections.
Seventh, implement security controls that prevent the execution of programs or code from common ransomware locations. This is more of an organizational security measure, but again, if you are security aware and understand how to implement some of these security options, they are possible on a home or personal network.
Eighth, if you do not use the Remote Desktop Protocol on a routine basis (or at all), consider disabling it completely. Now, in these days of the pandemic where many organizations are in a full telework posture, many utilize the Remote Desktop Protocol on a daily basis, so disabling it could prevent work from being accomplished. It does not hurt, however, to check with your organization to see if alternative, more secure methods could be employed (like VPN). From a home user or personal network standpoint, unless you have a home lab that requires the Remote Desktop Protocol to be enabled, disable it.
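As an added example (not part of the original TomCast or the Secret Service document), here is a PowerShell script for a Windows home system that reports whether Remote Desktop is enabled, whether its firewall rules are active, and whether anything is listening on the RDP port, and disables it when run with the -Disable switch. It assumes an English-language Windows build (the firewall rule group name "Remote Desktop" is localized) and must be run from an elevated prompt.

```powershell
# Check-Rdp.ps1 (hypothetical name): audit, and optionally disable, Remote Desktop.
# Run as Administrator:  .\Check-Rdp.ps1            (report only)
#                        .\Check-Rdp.ps1 -Disable   (report, then disable)
param([switch]$Disable)

# Registry value that controls whether RDP accepts connections (1 = denied/disabled).
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$denyValue = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($denyValue -eq 0)

# Built-in firewall rules that allow inbound RDP (group name assumes English Windows).
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
$rulesOn  = @($rdpRules | Where-Object { $_.Enabled -eq 'True' }).Count

# Is anything actually listening on the default RDP port (3389)?
$listening = @(Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue).Count -gt 0

Write-Host "RDP accepts connections : $rdpEnabled"
Write-Host "Enabled RDP firewall rules: $rulesOn"
Write-Host "Listener on TCP/3389    : $listening"

if (-not $Disable) {
    if ($rdpEnabled -or $rulesOn -gt 0) {
        Write-Host 'RDP is reachable. Re-run with -Disable if you do not need it.'
    }
    return
}

# Disabling: require elevation, since both changes write machine-wide settings.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated (Administrator) PowerShell.' }

# Turn off the service-level setting and close the firewall so the port is not exposed either way.
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
if ($rdpRules) { $rdpRules | Disable-NetFirewallRule }

Write-Host 'Remote Desktop disabled and its inbound firewall rules turned off.'
Write-Host 'Re-run without -Disable to confirm the new state.'
```

Re-running the script without -Disable afterwards should show all three indicators as false or zero; if a listener remains, another service is using the port and should be identified before assuming RDP is off.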
Ninth, and this is more organizational-level as well, consider the separation and virtualization of your organizational data, systems, and networks.
Tenth, look at your backup strategy and evaluate it to ensure it is in place and tested frequently. Cold storage backups (backups that are offline) need to be restored on a routine basis to ensure the recovery processes and procedures function properly. Backups need to be taken routinely. Typically, in a malware incident, one of the later steps is to restore from backup. If the backups have not been tested for validity and functionality, what do you do if the backups aren’t functional? You could be looking at massive data loss as well as revenue loss.
Ok, that was a high-level overview of prevention steps you or your organization can take to prevent a Ransomware attack or infection. These steps don’t guarantee you won’t be attacked or infected, but you will be in a much better position to defend your network and assets against those attacks and infections if you follow these steps. Stay tuned, the next two TomCasts will be in collaboration with GuardSight’s own Director of Cybersecurity and Incident Response, Justin Fischer, where we will be diving a bit more in-depth into Ransomware from a technical perspective.
We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!