Ransomware Top 10

Oct 12, 2021 | Security

Here are our Top 10 Tips for preventing Ransomware!

1. End user Cyber Security Education

The human element has consistently proven to be the weakest link in the “chain” of cyber security defenses.

What can you do to educate your employees? 

2. Do NOT expose Remote Desktop Protocol (RDP) to the internet

Directly exposing RDP to the internet is a bad security practice. Simply put, RDP is ripe for credential stuffing and brute-force password attacks. At the beginning of the COVID-19 pandemic, many IT departments rushed to provide remote access using RDP. Due to poor design choices, this led to a significant spike in RDP-exposed devices that were later compromised, even in organizations with solid credential management. Note: changing the default port does NOT eliminate this vulnerability.

What are the options to eliminate RDP and still be able to support remote workers?

3. Immutable backup storage – Air-gapped backups

There is an old IT saying: the backup works great, but the restore is tricky. This is truer today than ever before, because backups are the first target of ransomware gangs. They prioritize backups quite simply because victims are more likely to pay when they do not have a working restore.

Air-gapped does not mean cloud or on-prem. Air-gapped means offline, separated, or immutable. However you execute on this, backups must be protected.

What’s the solution? 

4. Patching

Patches are not limited to monthly Microsoft Windows updates. Software applications, switches, SANs, firewalls, and all other components of your environment can be vulnerable when they are not patched in a timely fashion. It is important to remember that the weakest link may be a single device that is not patched or is End of Life (EOL). That particular weakness may be exploited and jeopardize the entire network. Once the threat actors gain access via the weakest link, they will attempt to move laterally through your network and elevate their privileges until they can successfully compromise all your systems.

5. Perimeter Security (Email Hygiene, NexGen Firewall, packet inspection devices)

In order to communicate, the perimeter of your network must be porous to good traffic and intelligent enough to prevent bad traffic. This is the role of web filters, firewalls, email filters, and packet inspection devices that detect known attacks. Configured correctly, these can stop an attacker in their tracks.

6. Robust Endpoint protection  

NexGen anti-virus, anti-malware, and DNS/firewall protection for remote endpoints. A new category of endpoint protection is gaining traction, called Endpoint Detection and Response (EDR). In addition to modern malware blocking, it leverages deep inspection for enhanced detection of anomalous activity.

7. Least privilege  

A payload may not fully execute if a) users have no local Admin access and b) users cannot install software. When the same local account credentials are used on many machines, one compromised set greatly increases the risk of lateral movement by a bad actor. The challenges of managing local privilege can be overcome with the “Local Administrator Password Solution” (LAPS), which manages the local account password within Active Directory.
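To check which domain computers are actually covered by LAPS (and which still carry an imaged or hand-set local Administrator password), here is an added PowerShell audit that is not part of the original post. It assumes the RSAT ActiveDirectory module, the legacy Microsoft LAPS schema extension (the ms-Mcs-AdmPwdExpirationTime attribute) with read access to it, and a placeholder OU path.

```powershell
# Added example (not from the original post): audit Active Directory for
# computers that are not, or are no longer, under legacy Microsoft LAPS control.
# Assumes: RSAT ActiveDirectory module, legacy LAPS schema extension present,
# read access to ms-Mcs-AdmPwdExpirationTime. The OU below is a placeholder.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=local'   # placeholder OU, replace
$Grace      = New-TimeSpan -Days 2   # assumed grace: CSE rotates at next GPO refresh

$now = Get-Date
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem, LastLogonDate

$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if (-not $raw) {
        # Attribute never written: the LAPS client-side extension has not run on
        # this host, so its local Administrator password is whatever was imaged.
        $state = 'NotManaged'; $expires = $null
    } else {
        # LAPS stores the expiration as a Windows FILETIME (100 ns ticks since 1601).
        $expires = [DateTime]::FromFileTimeUtc([int64]$raw).ToLocalTime()
        # Long past expiration means the host is offline or the CSE stopped rotating.
        $state = if (($now - $expires) -gt $Grace) { 'ExpiredNotRotated' } else { 'Managed' }
    }
    [pscustomobject]@{
        Computer        = $c.Name
        OS              = $c.OperatingSystem
        LastLogon       = $c.LastLogonDate
        LapsState       = $state
        PasswordExpires = $expires
    }
}

# Hosts outside LAPS control are the shared-local-credential, lateral-movement
# risk the post describes; surface them first, oldest logon last.
$report | Where-Object LapsState -ne 'Managed' |
    Sort-Object LapsState, LastLogon |
    Format-Table -AutoSize

'{0} of {1} enabled computers are under LAPS management' -f `
    @($report | Where-Object LapsState -eq 'Managed').Count, @($report).Count
```

Run it from a workstation with RSAT as an account that is permitted to read the expiration attribute; the password attribute itself (ms-Mcs-AdmPwd) is deliberately not requested.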

8. Secure remote access 

There are numerous secure access VPN devices, gateways, and appliances, and, as previously noted, Citrix provides a secure remote access solution. A solution popularized by the pandemic was the capability to protect remote users not only in their web-browsing activities but also in all application interaction with the Internet. Please contact us to discuss a solution that best fits your environment.

9. Authentication and Identity Management 

Password length, complexity, and Multi Factor Authentication (MFA) should be implemented whenever and wherever possible. Organizations that are utilizing Microsoft cloud-based solutions should consider implementing Azure Active Directory password protection. Azure Active Directory password protection works in the cloud and on-premises to detect and block weak passwords, and it can be customized with a list of weak terms that are specific to your organization.

10. Scan it, log it 

In the case of ransomware: if you can scan it, log it. In the event of an actual breach, the log files will be required to determine the point of entry, dwell time, and more.

When you are ready to discuss what to do about log files or any of the items above, please contact us at info@peters.com.  We are happy to help!