October 21, 2022
The threat of ransomware attacks has businesses running scared—desperately looking for solutions to keep themselves, their customers, and their data safe.
Unfortunately, while many businesses spend significantly on security controls, their efforts often aren’t well-aimed. This leads to inefficient spending of security resources which fails to meaningfully reduce cyber risk and gives businesses a false sense of security.
In this week’s article we’ll provide you with the first five actionable steps your business can take to protect against ransomware attacks. Look out for next week’s article covering the remaining five steps, which will help you complete your preparations and—where necessary—quickly recover from a ransomware infection.
Proven Steps to Prevent Ransomware and Cyber Attacks
The first thing to understand is that protecting against ransomware doesn’t require a unique approach. In fact, it requires precisely the same approach as reducing cyber risk in general.
Everything we’ll cover below—including specific anti-malware defences—is necessary even if ransomware suddenly becomes extinct (unlikely, but we can hope).
The steps below lean heavily on the CIS Controls, a set of 18 security best practices designed to help businesses prioritise their efforts to protect against common cyber attacks. We’ve used the CIS Controls as the basis of our recommendations for two reasons:
- They are based on input from hundreds of IT and security experts.
- They are proven to protect against the most common current threats.
When the original version of the Controls was released in 2009, several studies found that implementing just the first five controls (there were 20 in total at the time) was enough to protect against 85% of cyber attacks.
The objective here is to demonstrate how simple (albeit not necessarily easy) ransomware protection can be. If you’re inspired to rethink your approach to cybersecurity, or you’re starting from scratch, you should consider adopting the CIS Controls and following the ordered approach they recommend.
The First 5 Steps
Step 1: Asset management
Recording, verifying, and maintaining a list of all hardware and software assets within a business is critical. So critical that this step has been a foundational component of the IT Infrastructure Library (ITIL) framework since the 1980s. The reasoning is simple—you can only monitor and protect assets you are aware of.
The CIS Controls list the ‘Inventory and Control’ of hardware and software assets as two separate controls, but we’ve combined them here for simplicity.
The risk of unknown assets isn’t hard to understand. It doesn’t matter how well the rest of your network is secured—if there’s a forgotten server somewhere running an outdated and vulnerable version of Red Hat or Apache, that’s all an attacker needs to gain a foothold in your network. It doesn’t have to be a server, either. It could be any Internet-facing hardware or software asset that has known vulnerabilities.
Basic steps to take include:
- Establish and maintain an asset inventory—you can call this a CMDB, asset register, or something else entirely. It doesn’t matter. Just make sure you keep it updated.
- Use active and passive discovery tools and DHCP logging to identify unknown assets.
- Address (accept or remove) unknown assets as soon as possible after discovery.
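The discovery step above is where most inventories fall down in practice: DHCP already knows about every device that has asked for an address, so reconciling its lease records against the register is a cheap way to surface unknown assets. The following is an added example (not code from the original article or from CIS) that parses simplified ISC dhcpd-style lease entries and reports any MAC address the asset register has never seen. The lease text and the register are constructed for the example.

```python
"""Reconcile DHCP lease records against an asset register to surface unknown
hosts. Added example; the lease entries and the register are constructed."""
import re
from dataclasses import dataclass

# Constructed sample: simplified ISC dhcpd-style lease entries. Real
# dhcpd.leases files carry more fields, but the shape is the same.
DHCP_LEASES = """
lease 10.0.1.20 {
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "fileserver01";
}
lease 10.0.1.21 {
  hardware ethernet 00:1a:2b:3c:4d:5f;
  client-hostname "hr-laptop-07";
}
lease 10.0.1.99 {
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "rhel5-test";
}
lease 10.0.1.100 {
  hardware ethernet de:ad:be:ef:00:02;
}
"""

# Constructed asset register keyed by MAC address, as a CMDB export might be.
ASSET_REGISTER = {
    "00:1a:2b:3c:4d:5e": {"name": "fileserver01", "owner": "infra"},
    "00:1a:2b:3c:4d:5f": {"name": "hr-laptop-07", "owner": "hr"},
}

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});", re.I)
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str  # empty when the client sent no hostname


def parse_leases(text):
    """Extract (ip, mac, hostname) from each lease block."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = MAC_RE.search(body)
        if not mac:
            continue  # a lease without a MAC cannot be matched to the register
        host = HOST_RE.search(body)
        leases.append(Lease(m.group("ip"), mac.group(1).lower(),
                            host.group(1) if host else ""))
    return leases


def find_unknown_assets(leases, register):
    """Return leases whose MAC is not in the register: the unknown assets
    that must be accepted (added to the register) or removed."""
    return [lease for lease in leases if lease.mac not in register]


if __name__ == "__main__":
    for lease in find_unknown_assets(parse_leases(DHCP_LEASES), ASSET_REGISTER):
        print(f"UNKNOWN {lease.ip} {lease.mac} {lease.hostname or '<no hostname>'}")
```

Note that a device with no client hostname (the last lease above) is exactly the sort of thing that slips through a hostname-based register, which is why the reconciliation is done on MAC addresses. A static-IP host never appears in DHCP at all, so pair this with an active scan of the address range.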
Step 2: Secure configuration
When assets are sold—everything from operating systems to servers to popular software applications—their default configurations are typically set for convenience rather than security. Basic configuration settings like open ports, default credentials, DNS settings, and excessive account privileges can make it easy for an attacker to access a network or escalate privileges once inside.
To prevent this, you should set and maintain secure configuration settings for all hardware and software assets within your network. The simplest approach is to ensure assets are configured in line with an established best practice framework such as the CIS Benchmarks, DISA STIGs, or NIST National Checklist Program.
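Benchmarks are only useful if you check the live configuration against them, and the checks have to respect how the software actually reads its config file. As an added example (not from the article, CIS or OpenSSH), the script below audits an sshd_config against a small baseline. It encodes two OpenSSH parsing rules that trip people up: the first occurrence of an option wins, so a fix appended to the end of the file does nothing, and anything after a Match line is conditional rather than global. The baseline values and both sample configs are constructed; take real values from the CIS Benchmark or STIG for your platform.

```python
"""Audit an sshd_config against a baseline of expected settings. Added example;
the baseline and the two sample configs are constructed."""

# Option name (lowercase) -> acceptable values. Constructed for illustration.
SSHD_BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"1", "2", "3", "4"},
}

# Constructed: a 'convenience' configuration. The PermitRootLogin no at the
# end is ignored by sshd because the first occurrence of an option wins.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
PermitRootLogin no
"""

# Constructed: the hardened equivalent. The Match block at the end is
# conditional and deliberately not part of the global audit.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {option: value} for the global section only.

    Options are case-insensitive; sshd keeps the first value it sees, and
    everything after a Match line applies conditionally, so parsing stops
    there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(settings, baseline):
    """Return (option, actual, allowed) for each deviation from the baseline.
    An option that is not set at all is reported too, because the effective
    value then depends on the build's compiled-in default."""
    findings = []
    for option, allowed in baseline.items():
        actual = settings.get(option)
        if actual is None:
            findings.append((option, "not set", sorted(allowed)))
        elif actual not in allowed:
            findings.append((option, actual, sorted(allowed)))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name)
        for option, actual, allowed in audit(parse_sshd_config(text), SSHD_BASELINE):
            print(f"  {option}: {actual} (expected one of {allowed})")
```

On a real host, feed the script the output of `sshd -T`, which prints the effective configuration after defaults are applied, rather than the raw file; that removes the guesswork about unset options.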
Step 3: Account and access management
Misuse of legitimate credentials and account access is much easier for an attacker than ‘hacking’. As a result, your biggest threat is often the people you work with… but it’s rarely because they are malicious. In most cases, people are simply careless or uneducated on security best practices. This leaves them vulnerable to social engineering and basic password reuse attacks.
Many high-profile breaches have been traced back to simple password reuse attacks—including the massively disruptive ransomware attack against Colonial Pipeline in May 2021, where the attackers got in through an unused VPN account that had no MFA and whose password had appeared in an earlier credential leak.
You should rigorously control user accounts and access levels to minimise these risks, keeping them to the minimum level possible. This includes steps such as:
- Centralise account management and access controls and have rigorous protocols for granting, monitoring, and revoking access.
- Adopt an identity and access management (IAM) solution to manage employee and customer access wherever they may be.
- Minimise the use of administrator privileges. Even network admins don’t need admin rights all the time, so they should use a separate account with lower privileges most of the time and only use accounts with administrator privileges when necessary.
- Keep an inventory of active accounts and privileges, and routinely disable privileges and accounts that are no longer needed.
- Use Single Sign On (SSO) and Multi-Factor Authentication (MFA) if possible.
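The account inventory in the list above only reduces risk if somebody acts on it regularly. As an added example (not code from the article or from any IAM product), the script below runs a periodic review over a constructed account export and flags the two conditions that matter most for ransomware: enabled accounts nobody has used in 90 days, and privileged accounts without MFA. The 90-day threshold, the review date and the sample accounts are assumptions for the example.

```python
"""Periodic account review over a constructed directory export. Added
example; the threshold, review date and accounts are constructed."""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)   # assumed policy threshold
REVIEW_DATE = date(2022, 10, 21)     # fixed so the example is reproducible

# Constructed sample export: one row per account.
ACCOUNTS = [
    {"user": "alice",         "enabled": True,  "privileged": False, "mfa": True,  "last_logon": "2022-10-18"},
    {"user": "adm-alice",     "enabled": True,  "privileged": True,  "mfa": True,  "last_logon": "2022-10-17"},
    {"user": "bob",           "enabled": True,  "privileged": True,  "mfa": False, "last_logon": "2022-10-19"},
    {"user": "contractor-jt", "enabled": True,  "privileged": False, "mfa": False, "last_logon": "2022-05-02"},
    {"user": "svc-backup",    "enabled": True,  "privileged": True,  "mfa": False, "last_logon": None},
    {"user": "carol",         "enabled": False, "privileged": False, "mfa": True,  "last_logon": "2021-12-01"},
]


def review_accounts(accounts, today=REVIEW_DATE, dormant_after=DORMANT_AFTER):
    """Return (user, finding) pairs for enabled accounts that need action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        last = date.fromisoformat(acct["last_logon"]) if acct["last_logon"] else None
        if last is None:
            findings.append((acct["user"], "never logged on: disable or justify"))
        elif today - last > dormant_after:
            findings.append((acct["user"], f"dormant for {(today - last).days} days: disable"))
        if acct["privileged"] and not acct["mfa"]:
            findings.append((acct["user"], "privileged without MFA"))
    return findings


def privileged_accounts(accounts):
    """Enabled privileged accounts: the list that should be short and reviewed
    every cycle."""
    return [a["user"] for a in accounts if a["enabled"] and a["privileged"]]


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS):
        print(f"{user}: {finding}")
    print("privileged:", privileged_accounts(ACCOUNTS))
```

The adm-alice / alice pair illustrates the separate-admin-account pattern from the list above: the everyday account is unprivileged, and the privileged one is used only when needed. A service account such as svc-backup that has never logged on interactively is not necessarily wrong, but it should be justified and, if it holds admin rights, constrained rather than left as a standing privileged credential.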
Step 4: Continuous vulnerability management
Known vulnerabilities are a frequent target for hackers and are often built into exploit kits so that even hackers with minimal technical abilities can exploit them. Exploit kits are sold via the dark web and even social media—often at low cost—making known vulnerabilities one of the main sources of cyber risk for most businesses.
Recent research found that the five most common vulnerabilities exploited in ransomware attacks have been publicly known for between two and ten years. These attacks are still effective because many businesses haven’t applied security updates and patches provided by vendors like Oracle, Adobe, and Microsoft.
To counteract these risks, you should continuously assess and fix vulnerabilities within your environment to minimise the window of opportunity for hackers. To do this, you need effective, established processes (including appropriate tools) for scanning, prioritisation, and patching/remediation.
Note that you should prioritise vulnerabilities based on their impact to your organisation. CVSS scores measure the severity of a flaw, not the risk it poses to you: they don’t reflect the relative importance of different assets within your environment, whether an asset is reachable from the Internet, or whether the vulnerability is actually being exploited in the wild. For example, a vulnerability with a Critical CVSS score may be of little concern if it only affects a single non-business critical asset, while a Medium on an Internet-facing VPN gateway that attackers are known to be exploiting may need fixing first.
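To make the prioritisation point concrete, here is an added example (not from the article or any scanner vendor) that scores constructed scanner findings by combining the CVSS base score with asset criticality, Internet exposure and known exploitation, then maps the result to a remediation deadline. The weights, tiers and findings are all illustrative assumptions; the point is the ordering they produce, not the specific numbers.

```python
"""Rank vulnerability findings by risk to the organisation rather than raw
CVSS. Added example; weights, tiers and findings are constructed."""

ASSET_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings, e.g. a scanner export joined with the asset
# register from Step 1 so each finding carries criticality and exposure.
FINDINGS = [
    {"id": "F-1", "asset": "lab-test-vm",    "cvss": 9.8, "criticality": "low",
     "internet_facing": False, "exploited_in_wild": False},
    {"id": "F-2", "asset": "vpn-gateway",    "cvss": 6.5, "criticality": "critical",
     "internet_facing": True,  "exploited_in_wild": True},
    {"id": "F-3", "asset": "dc01",           "cvss": 8.1, "criticality": "critical",
     "internet_facing": False, "exploited_in_wild": True},
    {"id": "F-4", "asset": "office-printer", "cvss": 4.3, "criticality": "low",
     "internet_facing": False, "exploited_in_wild": False},
]


def priority_score(finding):
    """CVSS scaled by asset criticality, then boosted for exposure and for
    known exploitation. Multipliers are illustrative, not a standard."""
    score = finding["cvss"] * ASSET_WEIGHT[finding["criticality"]]
    if finding["internet_facing"]:
        score *= 1.5
    if finding["exploited_in_wild"]:
        score *= 2
    return round(score, 1)


def remediation_deadline_days(score):
    """Illustrative SLA tiers for the score above."""
    if score >= 50:
        return 7
    if score >= 20:
        return 30
    return 90


def rank(findings):
    """Findings ordered by priority score, highest first."""
    return sorted(findings, key=priority_score, reverse=True)


if __name__ == "__main__":
    for f in rank(FINDINGS):
        score = priority_score(f)
        print(f"{f['id']} {f['asset']:15} cvss={f['cvss']} "
              f"score={score} fix within {remediation_deadline_days(score)} days")
```

With these inputs the CVSS 9.8 on the isolated lab VM drops to third place behind a CVSS 6.5 on the exploited, Internet-facing VPN gateway and a CVSS 8.1 on the domain controller, which is the ordering a CVSS-only queue gets wrong.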
Step 5: Email and web browser protection
Email clients and web browsers are common entry points for attackers because they are two of the main areas where they can interact directly with users.
Attackers use content that entices users to take compromising actions, such as disclosing login credentials, providing sensitive data, or changing settings that allow the attacker to gain access to the network. Common threats include browser exploits, malicious downloads, malicious URLs, social engineering (e.g., via phishing emails), etc.
To fight back, you should aim to improve your ability to detect and protect against email and web-based threats. Some of the most important steps to take include:
- Only use fully supported browsers and email clients.
- Use DNS filtering to block access to websites that are known to be malicious.
- Restrict or block the use of browser and email client extensions.
- Use DMARC to minimise the risk of spoofed emails.
- Block unnecessary file types sent by email, e.g., .exe files. You can also consider going further by blocking users from running file types associated with installing software (e.g., .iso and .exe for Windows devices, .dmg for Mac devices, .apk files for Android devices, etc.)
- Adopt email and web security solutions to help protect users against threats even when they are working remotely.
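File-type blocking is only as good as the way the type is determined: a filter that looks at the declared extension alone is defeated by renaming invoice.exe to invoice.pdf. As an added example (not code from the article or from any mail gateway), the function below applies the block list from the step above to both the filename and the leading bytes of the attachment, so an executable or ISO image is caught whatever it is called. The block list, signatures and sample attachments are constructed; the ISO check uses the standard ISO 9660 identifier at byte offset 32769.

```python
"""Attachment policy check on filename and content. Added example; the block
list, the signature table and the sample attachments are constructed."""

# Extensions the policy blocks outright (constructed; extend per platform).
BLOCKED_EXTENSIONS = {
    "exe", "dll", "scr", "msi", "lnk", "js", "vbs", "hta", "bat", "cmd", "ps1",
    "iso", "img", "vhd", "dmg", "apk",
}

# Leading-byte signatures of executable formats, checked regardless of name.
MAGIC_SIGNATURES = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit executable"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit executable"),
]
ISO9660_OFFSET, ISO9660_ID = 32769, b"CD001"


def classify_attachment(filename, data):
    """Return ('block' | 'allow', reason) for one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is on the block list"
    for magic, label in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return "block", f"content is a {label} despite the name {filename!r}"
    if (len(data) >= ISO9660_OFFSET + len(ISO9660_ID)
            and data[ISO9660_OFFSET:ISO9660_OFFSET + len(ISO9660_ID)] == ISO9660_ID):
        return "block", f"content is an ISO 9660 image despite the name {filename!r}"
    # Archives and encrypted containers are not inspected here; a real gateway
    # must either unpack them or block what it cannot inspect.
    return "allow", "no policy match"


# Constructed sample attachments: (filename, leading bytes).
ISO_SAMPLE = b"\x00" * ISO9660_OFFSET + ISO9660_ID + b"\x01"
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),   # double extension
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),       # renamed executable
    ("Update.ISO", ISO_SAMPLE),                    # case does not matter
    ("update.txt", ISO_SAMPLE),                    # renamed ISO image
    ("notes.txt", b"see you at 10\n"),
]


def scan(samples=SAMPLES):
    """Classify each sample; returns [(filename, verdict, reason)]."""
    return [(name, *classify_attachment(name, data)) for name, data in samples]


if __name__ == "__main__":
    for name, verdict, reason in scan():
        print(f"{verdict:5} {name:16} {reason}")
```

The ISO case is worth the extra check: disk images mount with a double-click on current Windows and have been a popular way to smuggle executables past extension filters, which is why the step above lists .iso alongside .exe.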
We’re Here to Help
Whether you’re starting from scratch or building on an existing cybersecurity program, making big decisions about how to protect your business can be daunting.
At CyberOne, we have over 15 years of experience helping UK businesses build and enhance their cybersecurity programs. Our consultancy-led approach ensures every customer receives advice and support tailored to their specific business needs and environment.
If you feel your business would benefit from expert cybersecurity guidance and support, our technical experts are on hand to help you:
- Design, build and refine your cybersecurity program.
- Deliver projects on time and within budget.
- Resolve security incidents quickly and effectively.
To find out more about our services or arrange a consultation, get in touch today.