Every week I see more news about organizations that have fallen prey to ransomware attacks. It just illustrates the fact that ransomware is a lucrative tool for cybercriminals and is therefore going to be plaguing us for the foreseeable future. To be proactive in protecting your organization from this threat, you should ensure that you are following the latest best practices guidance available. So, in this paper I’m going to summarize the best practices recommendations found in the #StopRansomware Guide published by CISA.
Ensure you have complete knowledge of all of your IT assets, and that you manage them securely.
- You should maintain comprehensive inventories of all hardware, software, firmware, operating systems and data on your systems.
- You should know where all of these IT assets are located at all times, including data.
- You should know the relative value of these assets to your organization and protect them accordingly. This means conducting business impact analyses.
- You should map trust relationships among systems, and you should also map how data flows into and out of these systems. These maps and diagrams should be comprehensive in scope, well protected and stored in multiple locations and forms.
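The following script is an added example, not part of the CISA guide, showing how the hardware, firmware, operating system, installed software and network placement of a single Windows host can be captured in one machine-readable snapshot that feeds a central inventory. It assumes Windows PowerShell 5.1 or later and uses an output file name of my choosing; nothing here is specific to a particular product.

```powershell
# Added example (not from the CISA guide): collect a hardware/firmware/OS/software snapshot of
# the local host and write it to JSON so it can be merged into a central asset inventory.
# Assumes Windows PowerShell 5.1+ and an output path you choose ($OutputPath is an assumption).
param(
    [string]$OutputPath = "$env:COMPUTERNAME-inventory.json"
)

$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$bios = Get-CimInstance -ClassName Win32_BIOS

# Installed software from both the 64-bit and the 32-bit (WOW6432Node) uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique

# IPv4 addresses, so the inventory records where on the network this asset sits.
$nics = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength

$inventory = [ordered]@{
    CollectedAt  = (Get-Date).ToString('o')
    Hostname     = $cs.Name
    Domain       = $cs.Domain
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    Firmware     = [ordered]@{
        Vendor  = $bios.Manufacturer
        Version = $bios.SMBIOSBIOSVersion
        Serial  = $bios.SerialNumber
    }
    OS           = [ordered]@{
        Caption  = $os.Caption
        Version  = $os.Version
        Build    = $os.BuildNumber
        LastBoot = $os.LastBootUpTime.ToString('o')
    }
    Software     = @($software)
    Network      = @($nics)
}

$inventory | ConvertTo-Json -Depth 4 | Set-Content -Path $OutputPath -Encoding UTF8
Write-Host "Inventory for $($cs.Name) written to $OutputPath ($(@($software).Count) software entries)"
```

Run it from a scheduled task or your management tooling on every host and ship the JSON files to a central store; diffing two snapshots of the same host then shows software that appeared without a change record, which is exactly the kind of gap an inventory is meant to surface.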
Ensure that the principle of least privilege is strictly applied across your organization. This means that all users should have access to only those IT assets that are necessary to perform their job functions. Those with high-level access to systems such as system administrators should employ very strong access controls and should be highly monitored.
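As an added example, not from the CISA guide, the script below compares the members of two high-privilege groups against an approved list and reports anything unexpected, which is the routine check behind "highly monitored" administrative access. The approved names and the CORP domain are constructed placeholders; the domain query requires the ActiveDirectory RSAT module and is skipped if it is not installed.

```powershell
# Added example (not from the CISA guide): report members of high-privilege groups that are
# not on an approved list. The $Approved entries and the CORP domain are constructed
# placeholders; replace them with your own approved accounts.
$Approved = @{
    'Administrators' = @('BUILTIN\Administrator', 'CORP\Domain Admins')   # local group on this host
    'Domain Admins'  = @('CORP\da-alice', 'CORP\da-bob')                  # domain group
}

function Get-PrivilegedMembers {
    param([string]$Group)
    if ($Group -eq 'Administrators') {
        # Local Administrators group; Get-LocalGroupMember ships with Windows PowerShell 5.1+.
        Get-LocalGroupMember -Group $Group -ErrorAction Stop | ForEach-Object { $_.Name }
    } elseif (Get-Module -ListAvailable -Name ActiveDirectory) {
        # -Recursive expands nested groups, so accounts granted rights indirectly are seen too.
        $netbios = (Get-ADDomain).NetBIOSName
        Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
            ForEach-Object { "$netbios\$($_.SamAccountName)" }
    } else {
        Write-Warning "ActiveDirectory module not available; skipping $Group"
        @()
    }
}

foreach ($group in $Approved.Keys) {
    $members    = @(Get-PrivilegedMembers -Group $group)
    $unexpected = @($members | Where-Object { $Approved[$group] -notcontains $_ })
    [pscustomobject]@{
        Group      = $group
        Members    = $members.Count
        Unexpected = ($unexpected -join ', ')
    }
}
```

Any non-empty Unexpected column is a finding to reconcile with the change record; running this on a schedule and alerting on differences from the previous run turns a one-off audit into continuous monitoring of privileged membership.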
If you use virtual systems, you should ensure that all hypervisors and associated IT infrastructure, including network and storage components, are updated and hardened to the latest best practices recommendations.
Ensure security settings are enabled and applied in cloud environments. Ensure you understand which security responsibilities are yours and which security responsibilities belong to the service provider.
Ensure you have a firm grip on remote access tools and remote monitoring and management (RMM) software used on your systems. These mechanisms must be closely monitored and restricted. Ensure that their secure configuration is maintained.
Ensure that your network is properly segmented. Separation should be maintained between operational technology and IT. Business units and IT assets should be placed in network segments according to business need.
Ensure that the usage of PowerShell is restricted to specific users on a case-by-case basis by using Group Policy. Typically, only users or administrators who manage a network or Windows OS are permitted to use PowerShell.
Ensure that domain controllers are properly secured to help prevent the spread of ransomware network-wide. Ensure that domain controllers receive prompt security maintenance and are included in vulnerability and penetration testing. Harden domain controllers to include only the minimum of software or agents needed for business purposes.
Ensure that logging from network devices, local hosts and cloud services is verbose, and that these logs are securely stored.
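The following audit script is an added example, not from the CISA guide, covering both the PowerShell restriction point above and the verbose-logging point: it reads the registry values that the PowerShell Group Policy settings write, reports which logging policies are in force, shows the session's execution policy and language mode, and counts recent script block events in the PowerShell operational log. A missing registry value means the corresponding policy is not configured on the host. Scoping PowerShell to specific users is done by targeting the Group Policy object itself, which is outside what a host-local check can see.

```powershell
# Added example (not from the CISA guide): audit the host-local effect of the PowerShell
# Group Policy settings and confirm that script block events are actually being recorded.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    # Returns $null when the key or value does not exist (policy not configured).
    $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$checks = @(
    [pscustomobject]@{ Setting = 'Script block logging'; Expected = 1
                       Actual  = Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' }
    [pscustomobject]@{ Setting = 'Module logging';       Expected = 1
                       Actual  = Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging' }
    [pscustomobject]@{ Setting = 'Transcription';        Expected = 1
                       Actual  = Get-PolicyValue 'Transcription' 'EnableTranscripting' }
)

foreach ($c in $checks) {
    $status = if ($c.Actual -eq $c.Expected) { 'OK' } else { 'NOT CONFIGURED' }
    '{0,-22} {1}' -f $c.Setting, $status
}

# Machine-level execution policy and the language mode of this session. ConstrainedLanguage is
# the mode that limits what scripts can do for users who are not meant to administer the host.
[pscustomobject]@{
    MachineExecutionPolicy = Get-ExecutionPolicy -Scope MachinePolicy
    LanguageMode           = $ExecutionContext.SessionState.LanguageMode
    PowerShellVersion      = $PSVersionTable.PSVersion.ToString()
} | Format-List

# Script block logging writes event ID 4104 to the PowerShell operational log. Counting events
# from the last day verifies that the policy produces records and not just a registry value.
$since  = (Get-Date).AddDays(-1)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -MaxEvents 500 -ErrorAction SilentlyContinue)
"Script block events (4104) since $($since.ToString('s')): $($events.Count)"
```

A host where all three settings report OK but the 4104 count stays at zero across a day of normal use points at a log that is being cleared or an event channel that is not being forwarded, which is worth investigating before it matters.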
Establish a security baseline of normal network traffic and tune network appliances to detect anomalous behavior.
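To illustrate the baseline-and-anomaly idea, here is an added example (not from the CISA guide) that builds a per-host baseline of bytes sent per hour from flow summaries and flags hours that deviate strongly from that host's own baseline. The flow records are constructed sample data and the field names Host, Hour and Bytes are assumptions of this example; in practice they would come from a NetFlow or firewall export.

```powershell
# Added example (not from the CISA guide): per-host traffic baseline with z-score anomaly flagging.
# The records below are constructed; field names (Host, Hour, Bytes) are assumptions.

# Constructed flow summaries: bytes sent per host per hour over one day.
$flows = @()
foreach ($h in 0..23) {
    $flows += [pscustomobject]@{ Host = 'ws-01'; Hour = $h; Bytes = 40MB + ($h * 1MB) }
    $flows += [pscustomobject]@{ Host = 'ws-02'; Hour = $h; Bytes = 35MB + (($h % 3) * 2MB) }
}
# One hour in which ws-02 sends far more than it normally does: the kind of spike that bulk
# data staging ahead of encryption produces, and that a tuned appliance should alert on.
($flows | Where-Object { $_.Host -eq 'ws-02' -and $_.Hour -eq 2 }).Bytes = 600MB

function Get-TrafficAnomalies {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [double]$Threshold = 3.0    # z-score above which an hour is reported
    )
    foreach ($group in ($Records | Group-Object -Property Host)) {
        $values = @($group.Group | ForEach-Object { [double]$_.Bytes })
        $n      = $values.Count
        $mean   = ($values | Measure-Object -Average).Average
        # Population standard deviation computed by hand so this also runs on Windows PowerShell 5.1.
        $variance = ($values | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum / $n
        $sd = [math]::Sqrt($variance)
        foreach ($r in $group.Group) {
            $z = if ($sd -gt 0) { ([double]$r.Bytes - $mean) / $sd } else { 0 }
            if ($z -gt $Threshold) {
                [pscustomobject]@{
                    Host     = $r.Host
                    Hour     = $r.Hour
                    Bytes    = $r.Bytes
                    Baseline = [math]::Round($mean)
                    ZScore   = [math]::Round($z, 2)
                }
            }
        }
    }
}

# With the constructed data only ws-02 at hour 2 exceeds the threshold; ws-01's steady growth
# stays well under three standard deviations.
Get-TrafficAnomalies -Records $flows | Format-Table -AutoSize
```

In a real deployment the baseline is computed over several weeks of history, not the same window being evaluated, so that a single outlier does not inflate the standard deviation and hide itself; the threshold is then tuned per segment so that backup servers and workstations are judged against their own normal rather than one global figure.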
Ensure that you are conducting security testing, such as vulnerability and penetration studies, of networks and software applications.
Enable tracking prevention to limit the vectors that ad networks and trackers can use to track user information.
Enable website typo protection to limit the possibility of logging onto spoofed websites or other potentially malicious links that could compromise a browser.
Enable browser-based anti-virus for active scanning while browsing as an added layer of defense.
Block website notifications by default to limit a website’s ability to track user data that can be exploited.
Employing all of these best practices recommendations, and monitoring security and government websites for additions and updates to these best practices, will help your organization prevent ransomware attacks, and will also help you deal with them effectively if they occur.