The threat of ransomware attacks has businesses running scared—desperately looking for solutions to keep themselves, their customers, and their data safe.
Unfortunately, while many businesses spend significantly on security controls, their efforts are often not well aimed. This leads to inefficient spending on security, which fails to meaningfully reduce cyber risk and gives businesses a false sense of security.
This week’s article will provide your business's first five steps to protect against ransomware attacks. Look out for next week’s article for the remaining five steps, which will help you complete your preparations and—where necessary—quickly recover from a ransomware infection.
The first thing to understand is that protecting against ransomware doesn’t require a unique approach. It requires precisely the same approach as reducing cyber risk in general.
Everything we’ll cover below—including specific anti-malware defences—is necessary even if ransomware suddenly becomes extinct (unlikely, but we can hope).
The steps below lean heavily on the CIS Controls, a set of 18 security best practices designed to help businesses prioritise their efforts to protect against common cyber attacks. We’ve used the CIS Controls as the basis of our recommendations for two reasons:
When the original version of the Controls was released in 2009 (there were 20 controls at the time), several studies found that implementing just the first five was enough to protect against 85% of cyber attacks.
The objective is to demonstrate how simple (albeit not necessarily easy) ransomware protection can be. If you’re inspired to rethink your approach to cyber security, or you’re starting from scratch, you should consider modelling your programme on the CIS Controls and following the prioritised order they recommend.
Recording, verifying, and maintaining a list of all hardware and software assets within a business is critical, so critical that this step has been a foundational component of the IT Infrastructure Library (ITIL) framework since the 1980s. The reasoning is simple: You can only monitor and protect assets you are aware of.
The CIS Controls list the ‘Inventory and Control’ of hardware and software assets as separate controls, but we’ve combined them here for simplicity.
The risk of unknown assets isn’t hard to understand. It doesn’t matter how well the rest of your network is secured. If there’s a forgotten server somewhere running an outdated and vulnerable version of Red Hat or Apache, that’s all an attacker needs to gain a foothold in your network. It doesn’t have to be a server, either. It could be any Internet-facing hardware or software asset that has known vulnerabilities.
Basic steps to take include:
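One way to verify an inventory rather than just record it is to reconcile it against what a network scan actually sees, which is exactly how the forgotten server described above surfaces. The script below is an added example, not code from the original article: the inventory CSV and the greppable-nmap (`-oG`) output are constructed samples, and the inventory column names (`ip`, `hostname`, `owner`) are an assumption about how an inventory is kept.

```python
"""Reconcile an asset inventory against hosts a network scan actually saw.

Added example, not code from the original article. The inventory CSV and
the greppable-nmap output below are constructed samples; the column names
(ip, hostname, owner) are an assumption about how an inventory is kept.
"""
import csv
import io

INVENTORY_CSV = """ip,hostname,owner
10.0.1.10,web-01,platform
10.0.1.11,web-02,platform
10.0.1.20,db-01,data
10.0.1.30,print-01,facilities
"""

# Constructed sample in nmap's greppable (-oG) format: one "Host:" line per
# address, with tab-separated fields.
SCAN_GNMAP = """# Nmap scan initiated (constructed sample)
Host: 10.0.1.10 (web-01.corp.example)\tStatus: Up
Host: 10.0.1.11 (web-02.corp.example)\tStatus: Up
Host: 10.0.1.20 (db-01.corp.example)\tStatus: Up
Host: 10.0.1.45 ()\tStatus: Up
Host: 10.0.1.46 ()\tStatus: Up
Host: 10.0.1.47 ()\tStatus: Down
# Nmap done
"""


def load_inventory(csv_text):
    """Return {ip: row} for every asset recorded in the inventory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ip"].strip(): row for row in reader}


def parse_gnmap_up_hosts(gnmap_text):
    """Return the set of IPs that a greppable nmap scan reported as up."""
    up = set()
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        if "Status: Up" not in fields:
            continue
        ip = fields[0].split()[1]  # "Host: 10.0.1.10 (name)" -> second token
        up.add(ip)
    return up


def reconcile(inventory, seen_up):
    """Split the scan results into what the inventory does and does not know.

    unknown: live hosts with no inventory record (the forgotten-server case)
    missing: inventory records the scan did not see up (stale records, or
             hosts that were offline and still need checking)
    """
    known = set(inventory)
    unknown = seen_up - known
    missing = known - seen_up
    return unknown, missing


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    unknown, missing = reconcile(inv, parse_gnmap_up_hosts(SCAN_GNMAP))
    for ip in sorted(unknown):
        print(f"UNKNOWN  {ip}: live host with no inventory record, investigate")
    for ip in sorted(missing):
        print(f"MISSING  {ip}: inventoried as {inv[ip]['hostname']}, not seen up")
```

Run against real data, the two unknown hosts are the ones to chase first: a device that is live on the network but absent from the inventory is by definition unmonitored and unpatched. The `missing` set is worth a look too, since stale inventory records are usually a sign the process, not just the list, has drifted.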
When assets are sold—everything from operating systems to servers to popular software applications—their default configurations are typically set for convenience rather than security. Basic configuration settings like open ports, default credentials, DNS settings, and excessive account privileges can make it easy for an attacker to access a network or escalate privileges once inside.
To prevent this, you should set and maintain secure configuration settings for all hardware and software assets within your network. The simplest approach is to ensure assets are configured in line with an established best practice framework such as the CIS Benchmarks, DISA STIGs, or NIST National Checklist Program.
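To make the "configure to a benchmark, then keep checking" idea concrete, here is an added example (not code from the original article) that audits an OpenSSH `sshd_config` against a small baseline. The five items are illustrative of the kind of checks the CIS Benchmarks and STIGs contain for OpenSSH, not a transcription of any specific benchmark, and both sample configs are constructed. It also handles two sshd parsing rules that trip up naive checkers: the first occurrence of a directive wins, and anything after a `Match` line is conditional.

```python
"""Audit an sshd_config against a small secure-configuration baseline.

Added example, not code from the original article. The baseline items are
illustrative of what CIS Benchmarks / STIGs check for OpenSSH, not a
transcription of any benchmark; the sample configs are constructed.
"""

# What sshd assumes when a directive is absent (OpenSSH defaults).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Baseline: directive -> predicate on the (lower-cased) effective value.
BASELINE = {
    "permitrootlogin": lambda v: v == "no",
    "passwordauthentication": lambda v: v == "no",  # key-based auth only
    "permitemptypasswords": lambda v: v == "no",
    "x11forwarding": lambda v: v == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 4,
}


def parse_sshd_config(text):
    """Return the effective global settings as {directive: value}.

    Two sshd rules matter here: for each keyword the first occurrence wins,
    and everything after a Match line is conditional, so it is excluded
    from the global view the baseline describes.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd(text):
    """Return [(directive, effective_value, 'explicit'|'default')] for every
    baseline item the config fails. A failing 'default' means the directive
    is absent and sshd's own default is what is insecure."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, passes in BASELINE.items():
        explicit = directive in settings
        value = settings.get(directive, SSHD_DEFAULTS[directive])
        if not passes(value):
            findings.append((directive, value, "explicit" if explicit else "default"))
    return findings


# Constructed: resembles a stock sshd_config, where most lines are commented
# out and the shipped defaults therefore apply.
DEFAULT_CONFIG = """
#PermitRootLogin prohibit-password
#MaxAuthTries 6
X11Forwarding yes
PasswordAuthentication yes
"""

# Constructed: hardened. The second PermitRootLogin is ignored by sshd (first
# occurrence wins) and the Match block only applies to one user, so neither
# changes the global result.
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
# the next line is ignored by sshd: first occurrence wins
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for directive, value, source in findings:
            print(f"  {directive} = {value} ({source})")
```

The "default" source tag is the useful part: a stock config fails several items without saying anything insecure explicitly, which is precisely the convenience-over-security default the paragraph describes. The same structure (defaults table, baseline predicates, parser that respects the tool's precedence rules) carries over to other services.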
Misusing legitimate credentials and account access is easier for an attacker than ‘hacking’. As a result, your biggest threat is often the people you work with… but it’s rarely because they are malicious. In most cases, people are careless or uneducated about security best practices. This leaves them vulnerable to social engineering and basic password reuse attacks.
Many high-profile breaches have been traced back to simple password reuse attacks, including the massively disruptive ransomware attack against Colonial Pipeline earlier this year.
You should rigorously control user accounts and access levels to minimise these risks, keeping them to the minimum level possible. This includes steps such as:
Known vulnerabilities are frequent targets for hackers and are often built into exploit kits so that even hackers with minimal technical abilities can exploit them. Exploit kits are sold via the dark web and even social media—often at low cost—making known vulnerabilities one of the main sources of cyber risk for most businesses.
Recent research found that the five most common vulnerabilities exploited in ransomware attacks have been publicly known for two to ten years. These attacks are still effective because many businesses haven’t applied security updates and patches from vendors like Oracle, Adobe, and Microsoft.
To counteract these risks, you should continuously assess and fix vulnerabilities within your environment to minimise the window of opportunity for hackers. You need effective, established processes (including appropriate tools) for scanning, prioritisation, and patching/remediation to do this.
Note that you should prioritise vulnerabilities based on their impact on your organisation. CVSS scores can be helpful, but you shouldn’t follow them unthinkingly as they don’t reflect the relative importance of different assets within your environment. For example, a vulnerability with a Critical CVSS score may be of little concern if it only affects a non-business-critical asset.
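The following added example (not code from the original article) shows what "prioritise on impact, not raw CVSS" looks like in practice: each finding's CVSS base score is weighted by the affected asset's criticality from the inventory, its Internet exposure, and whether the weakness is being exploited in the wild, and the result is mapped to a remediation deadline. The weights, the 1 to 4 criticality scale and the SLA bands are assumptions chosen to illustrate the point; the labels F-1 to F-4 are placeholders rather than real vulnerability identifiers, and the sample data is constructed.

```python
"""Risk-based vulnerability prioritisation: CVSS weighted by asset context.

Added example, not code from the original article. The weights, the
criticality scale and the SLA bands are assumptions; tune them to your own
environment. Labels F-1..F-4 are placeholders, not real vulnerability IDs,
and the sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int         # 1 = lab/test ... 4 = business-critical (from the inventory)
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    label: str               # placeholder; real data would carry a CVE ID
    asset: Asset
    cvss: float              # CVSS base score, 0.0 - 10.0
    exploited_in_wild: bool  # e.g. packaged in an exploit kit or on a known-exploited list
    fix_available: bool


CRITICALITY_WEIGHT = {1: 0.25, 2: 0.5, 3: 0.75, 4: 1.0}  # assumption
EXPOSURE_MULTIPLIER = 1.5                                 # assumption
EXPLOITED_MULTIPLIER = 2.0                                # assumption


def priority_score(f):
    """CVSS scaled by how much the affected asset matters and by how
    reachable and actively exploited the weakness is."""
    score = f.cvss * CRITICALITY_WEIGHT[f.asset.criticality]
    if f.asset.internet_facing:
        score *= EXPOSURE_MULTIPLIER
    if f.exploited_in_wild:
        score *= EXPLOITED_MULTIPLIER
    return round(score, 2)


def remediation_sla_days(score):
    """Map a priority score to a remediation deadline (assumed bands)."""
    if score >= 15:
        return 7
    if score >= 7:
        return 30
    return 90


def plan(findings):
    """Return findings ordered by priority as (label, score, action, days)."""
    out = []
    for f in sorted(findings, key=priority_score, reverse=True):
        score = priority_score(f)
        action = "patch" if f.fix_available else "mitigate/isolate"
        out.append((f.label, score, action, remediation_sla_days(score)))
    return out


WEB = Asset("public-web-01", criticality=4, internet_facing=True)
ERP = Asset("erp-db-01", criticality=4, internet_facing=False)
LAB = Asset("lab-box-07", criticality=1, internet_facing=False)

# Constructed sample: F-1 has the highest CVSS but sits on an isolated lab
# box; F-2 is a lower-scored but actively exploited flaw on a public server.
SAMPLE_FINDINGS = [
    Finding("F-1", LAB, cvss=9.8, exploited_in_wild=False, fix_available=True),
    Finding("F-2", WEB, cvss=7.5, exploited_in_wild=True, fix_available=True),
    Finding("F-3", ERP, cvss=8.8, exploited_in_wild=False, fix_available=False),
    Finding("F-4", WEB, cvss=5.3, exploited_in_wild=False, fix_available=True),
]

if __name__ == "__main__":
    for label, score, action, days in plan(SAMPLE_FINDINGS):
        print(f"{label}: score {score:5.2f}  {action:<16} within {days} days")
```

Sorted purely by CVSS, F-1 (9.8, Critical) would be at the top of the queue; with asset context applied it drops to the bottom, while the 7.5 on the exposed, actively exploited web server gets the seven-day deadline. The unpatched ERP finding also shows why the plan needs an action column: where no fix exists yet, the output should say "mitigate/isolate" rather than silently waiting for a patch.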
Email clients and web browsers are common entry points for attackers because they are the two main channels through which an attacker can interact directly with users.
Attackers use content that entices users into compromising actions, such as disclosing login credentials, handing over sensitive data, or changing settings that give the attacker access to the network. Common threats include browser exploits, malicious downloads, malicious URLs, and social engineering (e.g., phishing emails).
To fight back, you should aim to improve your ability to detect and protect against email and web-based threats. Some of the most important steps to take include:
Whether starting from scratch or building on an existing cyber security program, making big decisions about protecting your business can be daunting.
At CyberOne, we have over 15 years of experience helping UK businesses build and enhance their cyber security programs. Our consultancy-led approach ensures every customer receives advice and support tailored to their business needs and environment.
If you feel your business would benefit from expert cyber security guidance and support, our technical experts are on hand to help you:
Contact us today to learn more about our services or arrange a consultation.