October 7, 2020
10 Steps to Guard Against Ransomware Attacks
As the frequency and sophistication of ransomware attacks continue to escalate, businesses are increasingly at risk of falling victim to these potentially devastating incidents in which multi-million-dollar ransom demands are common. In addition to the financial losses associated with paying a ransom, costs to return systems to normal operation can be significant. If clients are unable to access a company’s systems (e.g., online retail systems), there can also be substantial reputational damage and lost revenue.
Tevora has extensive experience helping clients defend against and respond to ransomware incidents. We have drawn on this experience to develop the following ten steps you can take to fortify your defenses against these insidious attacks.
1. Conduct Security Awareness Training
One of the best ways to defend against ransomware attacks is to train your team on the latest tools and techniques attackers are using to deploy ransomware on their victim’s systems. This training should cover phishing, spear phishing, and other types of social engineering attacks. It should give clear guidance that enables your team to quickly identify these attacks and respond in a way that prevents ransomware from being deployed (e.g., deciding not to click on a link in a phishing email).
In addition to training sessions, we recommend conducting quarterly security awareness exercises for all staff. The exercises should cover phishing emails of varying levels of sophistication, ranging from easy-to-detect to hard-to-detect.
2. Implement a “Zero Trust” Architecture
As companies increasingly move to hybrid environments where applications and data are spread across on-premise and cloud environments, traditional approaches focused on defending the in-house network perimeter are becoming obsolete. We recommend implementing a Zero Trust architecture to strengthen your defenses against ransomware and other external attacks against hybrid environments. With this approach, every device or person accessing a company resource is verified, regardless of whether they are inside or outside the in-house network perimeter. This broad concept includes elements such as:
- Use of multi-factor authentication (MFA) to verify all users accessing company resources.
- Implementing granular network segmentation that only permits users access to network segments needed to perform their work.
- Incorporating a “least privilege” concept that grants tiers of user access rights and privileges so that users are only given the rights and privileges needed to perform their job functions.
3. Stay Current with Patches and Software Updates
Have policies and systems in place to regularly apply patches and updates to antivirus, operating system, and other software to ensure that identified security vulnerabilities are addressed quickly. Keeping up to date with Microsoft Windows patching is especially important. This will help prevent attacks leveraging malware such as EternalBlue, which Ryuk and other frequently-deployed ransomware variants use. It’s also important to stay current with antivirus software to ensure it is aware of the latest Indicators of Compromise (IOCs) used by attackers.
4. Conduct Vulnerability Scans
Run quarterly vulnerability scans of all external or internet-facing endpoints. These automated scans will typically examine network devices such as firewalls, routers, switches, servers, and applications and generate reports identifying potential exposures and vulnerabilities for each endpoint.
5. Perform Penetration Tests
Perform annual penetration tests to simulate an attacker attempting to gain access to your systems. Penetration tests can identify exposures and vulnerabilities in your network that need to be addressed. We recommend running both external and internal penetration tests annually. The external tests will identify ways in which attackers can access your systems from the outside by exploiting vulnerabilities in your network. Internal tests will identify vulnerabilities attackers can exploit once they gain access to your internal network.
6. Review Firewall Rules
Review firewall rules annually or after significant network changes to ensure configurations and rule sets are optimized to address emerging threats, organizational changes, and current business and security needs.
7. Consolidate Logging and Monitoring
Consolidate all monitoring and logging in a central location and implement analytical tools to identify and alert on potential security breach events. Implement security event information monitoring using staff with the skills and abilities needed to quickly decipher security events and respond appropriately.
8. Deploy Jump Boxes
Deploy MFA-enabled system administrator jump boxes, which are only used for domain admin or administrator functions. This will significantly restrict an attacker’s ability to escalate privileges within the environment.
9. Change Passwords and Encryption Keys
Implement policies and systems to ensure passwords and encryption keys are changed frequently to reduce the window of time in which compromised passwords, or encryption keys, can be used by attackers to access your systems.
10. Back Up Frequently
Make sure to back up production systems frequently to ensure you can restore your environment in the event that a ransomware attack encrypts your data and applications, rendering them unusable. Ransomware recovery is crucial in these scenarios. Keep in mind that making a ransomware payment does not guarantee that attackers will decrypt your data and applications, so restoring from backup may be your only avenue of recovery.
If you’d like to learn more about how Tevora can be your trusted security partner, just give us a call at (833) 292-1609, email us at sales@tevora.com or complete the form below