As discussed in our previous article, small steps such as backing up files, using antivirus software, installing updates and always being security conscious can minimize the risk of users being infected with ransomware. In this week's article, we provide security tips that businesses can use to minimize the threat of ransomware attacks.
How to protect a business if you are a CISO or CEO
Businesses cannot solely rely on their individual staff to do the right thing when it comes to ransomware protection. CEOs and CISOs need to implement checks and balances to ensure that their systems are less vulnerable to attacks.
Backup data regularly
Having well-maintained backups is vital in allowing your business to get back on track, whether after a ransomware attack or a hardware failure. Critical data should be backed up on a regular basis, and those backups should be encrypted and stored off-site, or at least offline. NEVER store backups on the main network; this leaves them vulnerable to attack. Ransomware travels through network drives, encrypting everything in its path, so if your backups sit on the same network as your data they will be rendered useless once the ransomware reaches them.
Keep up-to-date with system patches
Always install the latest software patches and ensure antivirus signatures are up to date. The vulnerabilities exploited in the Petya variant attack had already been covered by Microsoft's patch MS17-010, first released in March 2017. Not all businesses had installed that critical patch, and as a result the Petya malware was able to spread using the EternalBlue and EternalRomance exploits. Regular patching significantly diminishes the likelihood of an attacker getting into your network.
Segment networks and limit account privileges
Don't store all business data on one shared network drive that every staff member can access. Identify your critical data and isolate it from the rest of the network. You should also limit how many users have administrative privileges. By segregating duties between user and administrative accounts, you ensure that no single account (including Domain Admin) can execute commands across all systems on the network. This limits the amount of damage that can be caused if a hacker gets in.
Know your vulnerabilities
Conduct regular risk assessments to understand the methods hackers are using to infiltrate security systems. This will help to identify weaknesses in your own security that could be exploited. Penetration testing, which actively probes the system or network for exploitable vulnerabilities that might allow hackers to gain remote access to your systems, needs to be conducted regularly (monthly). If any known vulnerabilities are identified in your applications or systems, you then have the ability to allocate resources to fix those issues and patch the relevant systems promptly.
Develop Business Continuity / Data Recovery Plans
Whilst security techniques are effective, these measures will not prevent every type of attack, so plans need to be put in place to efficiently deal with the aftermath.
In the event of a ransomware attack, critical servers and individual user systems need to be restored quickly from backups. Scheduled backups should match the timeframe of data your company is willing to lose in the event of a cyber-attack. Formal procedures need to be in place, so that your business can restore services to both employees and customers.
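The two backup requirements stated above (copies kept off the main network, and a schedule that matches the data loss the business is willing to accept) can be turned into a routine check. The following is an added Python example, not code from the original article or from FraudWatch International. It assumes a backup catalogue that records when each run completed and where the copy lives, plus a SHA-256 manifest per run so a restore can be verified; the catalogue entries, file contents and the 4-hour recovery point objective (RPO) are constructed sample values.

```python
"""Backup readiness check: freshness against the RPO and manifest integrity.

Added example, not code from the original article or from FraudWatch
International. Everything here is constructed: the backup catalogue, the
file contents and the 4-hour RPO are sample values, and the assumption is
that each backup run records a SHA-256 manifest of the files it captured.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class BackupRun:
    completed_at: datetime
    location: str                                   # "offline", "offsite" or "online" (main network)
    manifest: dict = field(default_factory=dict)    # path -> expected SHA-256 hex digest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_manifest(run: BackupRun, read_file) -> list:
    """Return the paths whose restored content no longer matches the manifest.

    read_file(path) returns the bytes restored from the backup media, or None
    if the file is missing; a ransomware-encrypted copy hashes differently."""
    damaged = []
    for path, expected in run.manifest.items():
        data = read_file(path)
        if data is None or sha256_hex(data) != expected:
            damaged.append(path)
    return damaged


def latest_isolated_run(runs: list, now: datetime, rpo: timedelta):
    """Return the newest run on offline/off-site media that is younger than the RPO.

    Runs stored on the main network are ignored on purpose: the article's point
    is that they would be encrypted alongside the data they are meant to protect."""
    isolated = [r for r in runs if r.location in ("offline", "offsite")]
    if not isolated:
        return None
    newest = max(isolated, key=lambda r: r.completed_at)
    return newest if now - newest.completed_at <= rpo else None


# --- constructed sample data -------------------------------------------------
GOOD_PAYROLL = b"employee,salary\nalice,1000\n"
NOW = datetime(2017, 7, 3, 12, 0)
RPO = timedelta(hours=4)

SAMPLE_RUNS = [
    # Fresh copy, but on the main network: must not count as a usable backup.
    BackupRun(datetime(2017, 7, 3, 11, 0), "online",
              {"finance/payroll.csv": sha256_hex(GOOD_PAYROLL)}),
    # Offline copy completed 3 hours ago, inside the 4-hour RPO window.
    BackupRun(datetime(2017, 7, 3, 9, 0), "offline",
              {"finance/payroll.csv": sha256_hex(GOOD_PAYROLL)}),
    # Older off-site copy, outside the RPO window.
    BackupRun(datetime(2017, 7, 2, 9, 0), "offsite",
              {"finance/payroll.csv": sha256_hex(GOOD_PAYROLL)}),
]

# What a test restore from the offline media returns in this scenario (constructed).
RESTORED_FILES = {"finance/payroll.csv": GOOD_PAYROLL}


def readiness_report(runs=SAMPLE_RUNS, now=NOW, rpo=RPO, restored=RESTORED_FILES) -> dict:
    """Summarise whether an isolated, fresh and intact backup exists."""
    run = latest_isolated_run(runs, now, rpo)
    if run is None:
        return {"ok": False, "reason": "no offline/off-site backup within RPO"}
    damaged = verify_manifest(run, restored.get)
    return {"ok": not damaged, "completed_at": run.completed_at,
            "location": run.location, "damaged": damaged}


if __name__ == "__main__":
    print(readiness_report())
```

Running the check on the sample catalogue selects the offline run from 09:00 and confirms the restored payroll file matches its manifest; the newer online copy is deliberately ignored because it shares the network with the data it protects, which is exactly the copy ransomware would reach first.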
Recovering from a Ransomware Attack
In the event that your company is hit by ransomware, there are some crucial steps you need to take to minimise the damage:
- Disconnect any infected machines from the network, so the ransomware cannot continue to replicate and spread to other machines;
- Investigate whether other organisations have been hit by similar malware, and find out if they identified any tools to decrypt your files.
Your Biggest Vulnerability: The End User
As the saying goes, "You are only as strong as your weakest link", and in most businesses that link is your users.
The most common ransomware delivery method is through malicious emails. Hackers craft clever emails to trick users into carrying out actions that will allow them to infiltrate your systems from within your network.
Phishing and malware training is critical. Train your staff to be suspicious of everything that hits their inbox. Teach them not to open email attachments, and not to click hyperlinks in emails that they're not expecting. If the sender is a stranger, delete the email immediately. If you do know the sender, but the message is unexpected or suspicious, train staff to make a phone call or send a text to verify that the email is legitimate. If it’s not legitimate, delete it immediately.
Some organisations are going as far as to label email as "external". This can assist employees with determining the authenticity of an email supposedly sent from someone within the company. If an email is sent from outside the network, the user will be notified that it’s from an outside party.
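The labelling described above is usually a mail-gateway rule. The following is an added Python example, not code from the original article or from FraudWatch International, showing the decision the rule has to make. It assumes the organisation owns the domain example.com and that the gateway has already stamped an Authentication-Results header with its SPF/DKIM verdicts; the three sample messages are constructed. The example goes one step beyond the text: a message whose From address claims the internal domain but did not authenticate is also labelled external, so a forged "from a colleague" email does not escape the tag.

```python
"""Mark inbound mail that did not originate inside the organisation.

Added example, not code from the original article or from FraudWatch
International. Constructed assumptions: the organisation owns example.com,
and the mail gateway has already stamped an Authentication-Results header
with its SPF/DKIM verdicts before this step runs.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}   # constructed for this example
TAG = "[EXTERNAL]"


def sender_domain(msg) -> str:
    """Domain of the actual From: address; the display name is ignored, so
    '"IT Helpdesk" <someone@other.example>' is judged on other.example."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def authenticated(msg) -> bool:
    """True when the gateway recorded an SPF or DKIM pass for the message."""
    verdicts = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return re.search(r"\b(spf|dkim)=pass\b", verdicts) is not None


def is_external(msg) -> bool:
    """Internal only if From: uses one of our domains AND the message authenticated.
    A forged internal From: that fails SPF/DKIM is therefore still labelled external."""
    return sender_domain(msg) not in INTERNAL_DOMAINS or not authenticated(msg)


def tag_external(raw: str):
    """Parse a raw message; prefix the Subject and add X-Mail-Origin if external."""
    msg = message_from_string(raw, policy=policy.default)
    origin = "external" if is_external(msg) else "internal"
    if origin == "external":
        subject = str(msg.get("Subject", ""))
        if not subject.startswith(TAG):
            new_subject = f"{TAG} {subject}".strip()
            if "Subject" in msg:
                msg.replace_header("Subject", new_subject)
            else:
                msg["Subject"] = new_subject
    msg["X-Mail-Origin"] = origin
    return msg


# --- constructed sample messages ---------------------------------------------
INTERNAL_MSG = """From: Dana <dana@example.com>
To: staff@example.com
Subject: Quarterly planning
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Agenda attached.
"""

VENDOR_MSG = """From: Billing <billing@vendor.example>
To: finance@example.com
Subject: Invoice 4471
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.example

Please find the invoice attached.
"""

SPOOFED_MSG = """From: "Finance Team" <finance@example.com>
To: staff@example.com
Subject: Urgent payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none

Open the attached document immediately.
"""


if __name__ == "__main__":
    for raw in (INTERNAL_MSG, VENDOR_MSG, SPOOFED_MSG):
        m = tag_external(raw)
        print(m["X-Mail-Origin"], "|", m["Subject"])
```

The added X-Mail-Origin header is there so that a mail client rule or a banner in the message body can key off a single value rather than parsing the subject line, and the tag is only prepended once so messages that bounce between external systems are not labelled repeatedly.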
Security awareness training is the key, offering practical tips for staff not only on how to detect phishing emails, protect data and create strong passwords, but also on using social media and the internet safely.
Some security teams regularly send out mock phishing emails to their staff to measure how likely they are to fall for phishing techniques. They can also provide an easy-to-use mechanism for staff to report actual or suspected phishing emails to the security team, and track the results.
Stay tuned to this blog channel for an exciting announcement in the coming weeks. FraudWatch International will be releasing a new product to help your employees stay on top of the ever-changing cyber-security game!