October 28, 2022
Right now, ransomware is among the top business risks.
In the last article, we gave the first five of ten steps we recommend to protect your business from ransomware and cyber attacks—and, where necessary, minimise the damage they cause. Today, we’ll cover the remaining five steps.
As mentioned in the last article, our recommendations are based on the CIS Controls, a set of security best practices that help businesses prioritise their efforts to protect against common cyber attacks. We recommend using the CIS Controls as the basis of a cybersecurity program for two simple reasons:
- They are developed and updated based on the input of hundreds of IT and security experts.
- They are highly effective for protecting against today’s most common threats.
Our recommendations are focused on protecting against ransomware attacks. However, in practice, these steps are effective for protecting against all types of cyber attacks.
5 More Steps to Protect Against Ransomware And Cyber Attacks
Step 6: Malware defences
Ransomware trojans are a type of malware, so defences intended to protect against malware are a logical step. Ransomware typically enters a network via vulnerabilities in endpoint devices, email clients, browsers, cloud services, and other assets. In most cases, ransomware infections require a user to take insecure actions, such as opening malicious email attachments, installing software, etc.
Some steps you can take to minimise the risk of ransomware infections include:
- Use anti-malware technologies such as antivirus (AV), Endpoint Detection and Response (EDR), and Endpoint Protection Platforms (EPP), and ensure they are configured for automatic signature updates.
- Ideally, use behaviour-based anti-malware tools. Attackers change their infrastructure and tools often but typically reuse the same attack behaviours repeatedly as they are much harder to change.
- Disable autorun for removable storage devices like USB sticks. If you really want to lock things down, disable removable storage altogether for most (if not all) users.
- Enable anti-exploitation features in your operating system.
Step 7: Data recovery
Data recovery and backups are the most widely recommended defence against ransomware. The reasoning is simple: if critical files and systems have been locked up by a ransomware attack, restoring from backups is generally the fastest and most reliable way to get back up and running.
(Quick point of interest here. In the Colonial Pipeline attack mentioned earlier, the company’s directors decided to pay the ransom in the hopes of restoring operations more quickly. However, the attacker’s decryptor was so slow that the company was ultimately forced to use its backups. This illustrates an important point—paying a ransom is no guarantee you’ll receive an efficient (or even operational) decryptor, so you must have recent backups in place.)
Your business’ backups should be:
- Taken automatically, at least daily.
- Stored off-site.
- Completely segregated from your core network.
- Tested regularly.
You should also have a proven, tested plan in place to quickly restore your systems and files to a working state. Keep in mind that many ransomware variants prevent you from using typical system restore functions, so you may need to reimage affected machines and servers.
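The four requirements above, plus the restore test, can be turned into an automated check so a backup that has quietly drifted out of policy is caught before it is needed. The script below is an added example and not CyberOne's code; it assumes a backup manifest that records a SHA-256 hash at backup time, treats "tested regularly" as a 30-day cadence (an assumption), and uses a fixed clock and constructed sample files so it runs reproducibly offline.

```python
"""Backup policy check (added example, not CyberOne's code).

Evaluates a backup record against the four requirements above, then verifies
the stored copy against the hash recorded when it was taken, because a backup
that cannot be restored intact is not a backup.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_BACKUP_AGE = timedelta(days=1)   # "at least daily" (from the article)
MAX_TEST_AGE = timedelta(days=30)    # "tested regularly": assumed monthly cadence
# Fixed clock so the example is reproducible; a real check would use datetime.now(timezone.utc).
NOW = datetime(2022, 10, 28, 9, 0, tzinfo=timezone.utc)


@dataclass
class BackupRecord:
    name: str
    taken_at: datetime
    offsite: bool
    reachable_from_core_network: bool   # True means the copy is NOT segregated
    last_restore_test: Optional[datetime]
    path: str                           # where the copy lives
    expected_sha256: str                # hash recorded in the backup manifest


def sha256_of(path: str) -> str:
    """Stream the file so large backup images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_backup(rec: BackupRecord, now: datetime = NOW) -> list[str]:
    """Return a list of policy findings; an empty list means the backup passes."""
    findings: list[str] = []
    if now - rec.taken_at > MAX_BACKUP_AGE:
        findings.append("stale: last copy older than 24 hours")
    if not rec.offsite:
        findings.append("not stored off-site")
    if rec.reachable_from_core_network:
        findings.append("reachable from core network (not segregated)")
    if rec.last_restore_test is None or now - rec.last_restore_test > MAX_TEST_AGE:
        findings.append("no restore test in the last 30 days")
    if not os.path.exists(rec.path):
        findings.append("backup file missing")
    elif sha256_of(rec.path) != rec.expected_sha256:
        findings.append("integrity check failed: hash differs from manifest")
    return findings


def run_demo() -> dict[str, list[str]]:
    """Build two constructed backup records in a temp directory and check both."""
    with tempfile.TemporaryDirectory() as tmp:
        good_path = os.path.join(tmp, "finance-db.bak")
        with open(good_path, "wb") as f:
            f.write(b"constructed sample backup payload\n")
        manifest_hash = sha256_of(good_path)   # recorded at backup time

        # Copy that silently changed after the manifest was written.
        bad_path = os.path.join(tmp, "fileserver.bak")
        with open(bad_path, "wb") as f:
            f.write(b"constructed payload altered after the manifest was written\n")

        good = BackupRecord("finance-db", NOW - timedelta(hours=6), True, False,
                            NOW - timedelta(days=7), good_path, manifest_hash)
        bad = BackupRecord("fileserver", NOW - timedelta(days=3), False, True,
                           None, bad_path, manifest_hash)
        return {good.name: check_backup(good), bad.name: check_backup(bad)}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

The hash comparison is the part most backup schedules omit: a copy can exist, be recent and be off-site yet still be corrupt or tampered with, and only a restore test or an integrity check will show it.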
Step 8: Secure network design
It’s not always possible to prevent an attacker from entering your network, but you can substantially reduce the damage they can cause. Often, networks are securely configured when designed initially but, over time, become less so.
It’s common for administrators to make exceptions to device configurations, access controls and allowed traffic flows for specific purposes. However, these exceptions are rarely reviewed and often stay in place indefinitely, creating a significant security weakness.
To minimise this risk, essential steps to take include:
- Implement comprehensive network security solutions to protect the confidentiality, integrity and availability of your network.
- Keep architecture diagrams and review them regularly.
- Keep track of exceptions and review them regularly. Revert when appropriate.
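Keeping track of exceptions only works if the register is actually reviewed, so it helps to have a script that surfaces the ones needing action. The example below is added here and is not CyberOne's code; it assumes exceptions are recorded in a CSV with an owner, a creation date and a review-by date, assumes a 90-day re-approval ceiling as policy, and uses a constructed register with invented hosts, owners and rules.

```python
"""Exception register review (added example, not CyberOne's code).

Every firewall rule, ACL change or configuration deviation that was granted as
an exception is recorded with an owner, a creation date and a review-by date.
This script flags the ones that need attention so they can be re-approved or
reverted instead of living forever.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

# Assumed policy: an exception must be re-approved at least every 90 days.
MAX_EXCEPTION_LIFETIME = timedelta(days=90)
TODAY = date(2022, 10, 28)   # fixed for reproducibility; use date.today() in practice

# Constructed sample register; the hosts, owners and rules are invented.
SAMPLE_REGISTER = """\
id,rule,owner,created,review_by,justification
EX-001,allow tcp/3389 from 203.0.113.0/24 to 10.0.5.20,j.smith,2021-03-02,2021-06-01,vendor remote support
EX-002,allow tcp/445 from vlan-guest to fileserver01,a.jones,2022-05-15,2022-12-15,migration project
EX-003,disable EDR on build-agent-07,m.lee,2022-01-10,,build failures
EX-004,allow any from dmz to core,j.smith,2022-10-20,2022-11-03,temporary during outage
"""


def load_register(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def review(rows: list[dict[str, str]], today: date = TODAY) -> dict[str, list[str]]:
    """Sort exceptions into buckets; 'overdue' and 'open_ended' need action first."""
    result: dict[str, list[str]] = {"overdue": [], "open_ended": [], "lifetime_exceeded": [], "ok": []}
    for r in rows:
        created = date.fromisoformat(r["created"])
        if not r["review_by"]:
            # No review date at all: the exception was never scoped in time.
            result["open_ended"].append(r["id"])
        elif date.fromisoformat(r["review_by"]) < today:
            result["overdue"].append(r["id"])
        elif today - created > MAX_EXCEPTION_LIFETIME:
            # Review date still ahead, but it has outlived the policy ceiling.
            result["lifetime_exceeded"].append(r["id"])
        else:
            result["ok"].append(r["id"])
    return result


if __name__ == "__main__":
    for bucket, ids in review(load_register(SAMPLE_REGISTER)).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

An exception with no review date is the one to worry about most: it is precisely the "stays in place indefinitely" case, and the register should reject such entries at creation time rather than merely flag them later.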
Step 9: Security awareness training
Users pose a significant security risk. Untrained users will inevitably take insecure actions that compromise your business’ security and are easily tricked by basic social engineering attacks.
In addition to locking down privileges to the bare minimum, users should receive a basic level of training in identifying malicious websites and emails, the types of threats they may face, and the protocols they should follow.
Essential steps include establishing a security awareness training program and keeping it up to date. Some of the most important topics to include are:
- How to recognise social engineering attacks via email, text and voice messages, etc.
- Authentication best practices, e.g., choosing secure and unique passwords, using Single Sign On (SSO) or password managers, etc.
- How to securely handle private data.
- Risks associated with the public Internet and email.
Step 10: Incident response
No matter how strong your protective controls are, you will never be able to prevent 100% of cyber threats—including ransomware. That means there’s a reasonable chance that at some point, a ransomware trojan will fire inside your network, and you’ll need to contain it.
The main purpose of incident response is to quickly find and contain threats before they can spread across your network and cause significant damage or disruption. So-called ‘dwell time’ is a significant component of modern threats, where attackers have a presence inside a target network for days, weeks, or even months before they take malicious action. During this time, attackers expand their presence and privileges and often install additional malicious software to allow themselves to maintain access even if their presence is discovered.
Dwell time is significant for ransomware attacks, as attackers often spend time finding and stealing data before they start encrypting. If your business can identify the attackers’ presence during this time, you may be able to remediate the threat before the attacker can cause any significant harm.
Even if this isn’t possible, fast and effective incident response can minimise the damage, disruption, and cost of cyber attacks that successfully bypass your organisation’s defences. In most cases, you’ll be able to protect business continuity and minimise costs. Building effective, always-on incident response capabilities can be a costly and slow process, so many businesses prefer to outsource this function to a trusted security partner.
We’re Here to Help
Making major decisions about the direction of your cybersecurity program can be daunting. The decisions you make—which tools you purchase, how you design your network, and where you store your backups—can have huge implications for the future of your business.
At CyberOne, we have over 15 years of experience helping UK businesses design, build, and improve cybersecurity programs that support their business objectives. Our consultancy-led approach will ensure you receive guidance and support tailored specifically to your business.
To find out more about our services or arrange a consultation, get in touch today.