(Originally Published 2nd May 2018)
With SamSam doing the rounds again, specifically targeting organisations, particularly in the public sector, what steps can you take to ensure that you’re protected against ransomware?
The first step is to consider how ransomware attacks might get into your network. The current strain of SamSam will use vulnerabilities in File Transfer Protocol (FTP) servers, Java-based web servers, Remote Desktop Protocol (RDP) and/or the exploitation of weak passwords to gain entry to your network. Once that’s done, it will be down to your resilience and continuity strategy to cope with the aftermath (you’ve got one of those, right?).
The inclusion of RDP and weak passwords on this list of attack vectors comes as no surprise to us; at the tail end of 2017 we were contacting a slew of businesses and public sector organisations across the region whose network credentials had been compromised in exactly this manner. We’re now delivering free cyber awareness presentations to organisations to help boost personal/business cyber security.
Here are some tips on what you can do to protect your organisation against ransomware, in no particular order:
- Make sure you have properly configured, up-to-date Anti-Malware software running on your systems. Your product should be able to detect and isolate the latest threats. Set spam filters on your e-mail system to identify and triage out the most dangerous threats that may require greater scrutiny – those carrying attachments such as invoices in PDF, macro-enabled Word documents and so forth. Do your research and find the solution that works for you – remember that “free” is a relative term, and there may be a pay-off in terms of data privacy and/or advertising intrusion.
- Configure your internet-facing services accordingly. Ensure they are disabled if unused, or if in use migrate away from default ports where possible. Set appropriate filters on your firewall – does your company expect connections from overseas? Make sure users have appropriate access rights – does Bob, who works at Reception, really need remote access rights? Give users the right permissions – even network admins should have separate restricted accounts for general use (e.g. reading e-mail and remote access).
- Make sure that all usernames and passwords on your networked devices and accounts are changed from defaults, and ensure they are strong. Even the most innocuous looking device can be a gateway into your network for the ambitious cyber criminal – don’t let that thermostat in your new company aquarium unlock the door to your database! (True story.)
- Always remember that there is no “perfect solution”. As soon as a defence is developed, cyber criminals will be developing a way round it. It is vital to treat a cyber attack on your business as a case of “when”, not “if”, and have a strategy in place to deal with it when it happens. This can involve anything from backups (see below) to staff cyber drills, third-party contact lists (who are we going to call, why, and in what order?) and insurance. Consider the impact of a cyber attack not only on your business but on your suppliers, and plan accordingly. It will be better to react according to a defined and tested plan rather than attempting to deal with the situation on the hoof – and don’t forget, you will need to keep a copy of your plan readily available in hard copy – it won’t be much use if it has been encrypted!
- Make sure your data is backed up in a readily recoverable, well organised format. If managing backups on site, ensure they have additional physical security (for example a fire-proof safe, access controls) – ideally you’ll want an off-site solution (either digital or physical) which should be air gapped from your network (i.e. not routinely connected). Don’t forget, a backup is a failsafe for when things go wrong, rather than a defence.
- Educate your staff – they can be your greatest defence against cyber crime. Whilst the latest technology should protect you against the majority of malware (when used correctly), it’s your staff who will be the only barrier against what gets through. Regular briefings and training on the latest cyber threats should be standard, so they can spot when things seem out of place. Drill your staff with actions to take in the event of a cyber attack (do they know what to do if their computer is locked with ransomware?). Make sure that you have an open, positive reporting culture to ensure that staff are unafraid to come forward if they think they may have clicked on something they shouldn’t have – this will save you valuable time in detecting, isolating and mitigating or removing malware.
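The RDP and weak-password entry route described above is also one of the easiest to spot in your own logs, and the firewall question in the tips (do you expect connections from overseas?) can be checked the same way. As an added example that is not part of the original post, the Python below takes constructed Windows Security log records and flags any source address that fails RDP logons repeatedly inside a short window, whether one of those guesses later succeeded, and any RDP source outside the network ranges you expect connections from. It assumes a simplified record layout of (timestamp, event ID, logon type, account, source IP), with event 4625 for a failed logon, 4624 for a successful one and logon type 10 for RDP; the sample records and the expected source range are invented for the example.

```python
# Added example (not from the original post): flag password guessing against an
# exposed RDP service in Windows Security log records. Sample data is constructed;
# event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2018-05-02T03:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-05-02T03:00:09", 4625, 10, "admin", "203.0.113.7"),
    ("2018-05-02T03:00:20", 4625, 10, "bob", "203.0.113.7"),
    ("2018-05-02T03:00:31", 4625, 10, "reception", "203.0.113.7"),
    ("2018-05-02T03:00:44", 4625, 10, "backup", "203.0.113.7"),
    ("2018-05-02T03:01:15", 4624, 10, "backup", "203.0.113.7"),  # a guess landed
    ("2018-05-02T08:12:00", 4625, 10, "alice", "198.51.100.4"),   # a single typo
    ("2018-05-02T09:00:00", 4625, 3, "svc-files", "10.0.0.15"),   # SMB, not RDP
]
# Assumed: the only range RDP should ever be reached from (e.g. the office VPN).
EXPECTED_SOURCES = [ip_network("198.51.100.0/24")]

def rdp_events(events):  # yield (time, event_id, account, ip) for RDP logons only
    for ts, eid, ltype, account, ip in events:
        if ltype == 10 and eid in (4624, 4625):
            yield datetime.fromisoformat(ts), eid, account, ip

def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold failed RDP logons in one window; notes a later success."""
    failed = defaultdict(list)
    for t, eid, account, ip in rdp_events(events):
        if eid == 4625:
            failed[ip].append((t, account))
    succeeded = {ip for _, eid, _, ip in rdp_events(events) if eid == 4624}
    flagged = {}
    for ip, attempts in failed.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):            # sliding window over failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": end - start + 1, "succeeded": ip in succeeded,
                               "accounts": sorted({a for _, a in attempts[start:end + 1]})}
    return flagged

def unexpected_rdp_sources(events, allowed=EXPECTED_SOURCES):
    """Source IPs of any RDP logon, failed or not, outside the expected ranges."""
    return sorted({ip for _, _, _, ip in rdp_events(events)
                   if not any(ip_address(ip) in net for net in allowed)})
```

A source that is flagged with "succeeded" set is the one to act on first: isolate the host it logged on to and reset that account before looking at anything else.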