Your lead IT administrator is on vacation overseas. Richard from marketing clicked a harmless-looking link in an email offering bonus airline miles. A few moments later, across your entire company, your employees’ work is interrupted and they suddenly realize they cannot open their files. Your business stops. Your IT department is staffed with junior-level admins who are immediately inundated with emergency visits and phone calls from seemingly everywhere and everyone. Your vision for that wine-and-dine with the high-profile client you planned this evening assumes a different tone.
What do you do?
Don’t panic. You prepared for this.
Bad — often very intelligent — actors from across the globe are ravenously searching for ways inside your infrastructure, itching to execute code designed to hold your company’s files (and livelihood) hostage. They find their way in, run their code, and encrypt your company’s files. Only they hold the key, and they are often willing to exchange the key for a very large sum.
Many of these nefarious folks are remarkable strategists, often conducting market research and private investigation to determine a well-calculated ransom; one which maximizes their “profits” yet graciously allows you to continue doing business after the encounter.
Ransomware families such as CryptoLocker, ThunderCrypt, and WannaCry, and the criminals who operate them, make it their life’s work to steal yours. Oddly enough, some of these criminals exhibit a bizarre sense of honor. Some of these expert swindlers are reported to provide the best customer service many have ever experienced. They not only keep their word and return your company’s vital data but offer thoughtfully crafted guidance to harden your network and prevent the same kind of attack from succeeding twice.
We at ITAdOn prefer timely guidance that prevents this kind of attack from succeeding in the first place. We believe you agree.
Preparation requires a diligent evaluation of the holes in your company’s armor. User awareness, network topology, user permissions, file server configurations, firmware and software currency, and backup systems must all be examined against industry best practices. Never stop evaluating. Hold your hardware and software vendors to the same standard. Collaborate with them on the terms of your contract, especially on the subjects of maintenance and security. After all, it may be their hardware, but it operates on your network.
After concluding this kind of sweeping audit, fortification isn’t easy. But we share your desire to become the hardest possible target! We hope the following philosophies and practices will help protect your company’s vision from this kind of digital extortion.
The Real World
The physical world is often overlooked in IT, but this is the best place to start.
1. Establish protocols for when emergencies happen
For IT departments, this may involve designating a single point of contact (preferably an employee outside IT) to communicate with the rest of the company — freeing up all your human IT capital to restore your systems. Place this single point of contact right outside your IT department’s door if you must.
The more you insulate and protect your IT personnel in the event of company-wide outages or other emergencies, the more effectively they can respond to and diligently resolve the problem. Make emergency rules easy to consult, understand, and follow. Protect your IT folks so they can protect your business.
2. If your business operates in a brick-and-mortar workplace, consider a “kill switch”
Whether a literal or script-initiated switch or merely an effort to make it as easy as possible to sever the connections between computers, it can keep a ransomware virus from propagating to other parts of your network. Providing an easy way to cut power to your network switches is a direct and effective way to accomplish this, and is a better alternative than asking your employees to unplug their workstations in haste. If some or all of your infrastructure is in the cloud, ask your IT admins to produce scripts to accomplish the same thing virtually.
3. Proactively educate your employees on identifying phishing and social engineering attempts
Users are the most common vector for exploiting your network. Truly, the best standing defense against ransomware and other network attacks is a workforce that understands how to identify and respond to risks appropriately.
Network at Large
1. Setting boundaries
After educating employees, only give them as many keys to your kingdom as necessary. Education goes a long way, but setting boundaries within your network is just as important. We wholeheartedly believe in the practice of POLP (Principle of Least Privilege). Designing your workflows with this philosophy ensures your employees possess only the network and file access they need to do their jobs, and no more. Ransomware typically runs with the permissions of the user who launched it, so it is constrained by the same rules as that user: it can only encrypt what that account can write to. Do not extend their reach.
2. Whitelist as much as possible
Whether file types, programs, websites, devices, ports, or otherwise, establishing whitelists is a significant undertaking at first, but is well worth the effort. On Windows file servers, FSRM (File Server Resource Manager) file screens reject writes whose names match patterns you define, so known ransomware extensions and ransom-note filenames are refused at the share before they reach disk. Configure the permissions for your file shares with POLP. More extreme measures include forbidding mapped network drives in favor of direct shortcuts to UNC (Universal Naming Convention) paths, and removing the ability to “browse” the files and folders of your shares, so that a process can only reach paths it already knows. Consider a terminal server (a Remote Desktop Services session host) as the only route by which approved employees access sensitive data, so that the data never lands on a workstation.
On the networking side, favor whitelists over blacklists for your firewalls, intrusion detection systems, and VPNs: permit only the ports, devices, and protocols your IT team has specified in advance and deny everything else. This increases complexity but greatly reduces risk.
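The FSRM file screen described above, as an added example written for this page (it is not an ITAdOn script). It assumes a Windows Server file server with shares under D:\Shares, a share named Finance$ mapped to D:\Shares\Finance, and an illustrative, constructed list of ransomware name patterns that you would replace with a list maintained from current threat intelligence. The optional command action that disables the share is the script-initiated “kill switch” idea from the previous section; it is deliberately aggressive, so try it in the test environment first.

```powershell
# Added example, not ITAdOn's code. Assumptions: FSRM role on this server,
# shares under D:\Shares, share Finance$ = D:\Shares\Finance, and a constructed,
# illustrative pattern list (maintain the real one from a current threat-intel feed).
Import-Module FileServerResourceManager

# 1. Install FSRM if it is missing (elevated session required).
if (-not (Get-WindowsFeature -Name FS-Resource-Manager).Installed) {
    Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools | Out-Null
}

# 2. File group of ransomware artefacts: renamed-file extensions and ransom-note names.
#    Constructed sample; refresh it with Set-FsrmFileGroup as new families appear.
$patterns  = @('*.locky', '*.wncry', '*.wcry', '*.cerber', '*.crypt', '*.encrypted',
               '*.zepto', '*.odin', '*_HELP_instructions.*', '*DECRYPT_INSTRUCTIONS*')
$groupName = 'Ransomware Extensions'
if (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $groupName -IncludePattern $patterns `
        -Description 'Known ransomware file patterns (illustrative list)' | Out-Null
}

# 3. Actions when a screened name is written. The bracketed tokens are FSRM
#    notification variables filled in at event time.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware pattern [Violated File Group] written by [Source Io Owner] under [File Screen Path]'

# Optional kill switch: take the share offline so the offending client cannot
# keep writing. RunLimitInterval (seconds) throttles repeated firing.
$killAction = New-FsrmAction -Type Command -Command 'C:\Windows\System32\cmd.exe' `
    -CommandParameters '/c net share Finance$ /delete /y' `
    -SecurityLevel LocalSystem -RunLimitInterval 60

# 4. Active screen on the share root: -Active blocks the write instead of only logging it.
$screenPath = 'D:\Shares\Finance'
if (-not (Get-FsrmFileScreen -Path $screenPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $screenPath -IncludeGroup $groupName -Active `
        -Notification @($eventAction, $killAction) | Out-Null
}

# 5. Check what is in force, then try to save a file named test.locky from a
#    client: the write should be refused and the warning event should appear.
Get-FsrmFileScreen -Path $screenPath | Format-List Path, IncludeGroup, Active
```

A file screen only catches ransomware that renames files to a pattern you have listed; families that keep original names pass straight through it, so treat this as one layer alongside least-privilege share permissions and backups, not as the whole defense.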
3. Keep firmware and software up to date
Updating too early can have its disadvantages, but do not wait longer than necessary to install updates that carry security patches. If possible, build and maintain a test environment that closely matches your production environment. Use the test environment to kick the tires on new updates (and to test your backups, more on that later).
4. Pay attention to the hardware you don’t own
Whether a VoIP system or a server running a vendor’s dedicated application, it is quite common to host equipment you do not own on your network. Some vendors are more conscientious than others. From the outset of your relationship with a vendor, do what you can to ensure they take security as seriously as you do. Encourage your IT department to spend adequate time coordinating with, and integrating, third-party solutions as prudently as possible. If a vendor is taking risks on your network and balks when you raise your concerns, evaluate ending your relationship with them. (As a general rule, favor vendors which allow for easy migration of your data in the event they go out of business.)
5. Know thy network
Keep an up-to-date inventory of every device, open port, and firmware/software version. Tools such as SolarWinds Network Topology Mapper and others (many of them open source) help your IT personnel maintain network inventories and scan for vulnerabilities.
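A small inventory script, added here as an example and not drawn from the page or from any of the tools it names. It assumes you are authorized to scan the constructed 10.0.10.0/24 range and uses a deliberately short, illustrative port list; the useful part is the comparison against the previous run, so that new hosts and newly opened ports stand out instead of hiding in a long list.

```powershell
# Added example, not ITAdOn's code. Assumptions: 10.0.10.0/24 is a constructed
# range you are authorized to scan; the port list is illustrative. Hosts that
# drop ICMP will not appear, so pair this with switch MAC tables or DHCP leases.
$Subnet    = '10.0.10'
$Ports     = 22, 80, 135, 139, 443, 445, 3389, 5985
$TimeoutMs = 300
$OutFile   = "inventory-$(Get-Date -Format 'yyyyMMdd').csv"

# TCP connect check with a timeout; BeginConnect avoids the long default timeout
# on filtered ports. ($Host is a reserved automatic variable, hence $Target.)
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        return ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

$inventory = foreach ($i in 1..254) {
    $ip = "$Subnet.$i"
    if (-not (Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue)) { continue }
    $open = $Ports | Where-Object { Test-TcpPort -Target $ip -Port $_ -TimeoutMs $TimeoutMs }
    $name = try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { '' }
    [pscustomobject]@{
        IP        = $ip
        Hostname  = $name
        OpenPorts = ($open -join ' ')
        Scanned   = (Get-Date).ToString('s')
    }
}
if ($inventory) { $inventory | Export-Csv -Path $OutFile -NoTypeInformation }

# Diff against the most recent earlier inventory: anything on the "=>" side is a
# host or port set that was not there last time and deserves a look.
$previous = Get-ChildItem -Filter 'inventory-*.csv' |
    Where-Object Name -ne $OutFile | Sort-Object Name | Select-Object -Last 1
if ($previous -and $inventory) {
    $old = Import-Csv -Path $previous.FullName
    Compare-Object -ReferenceObject $old -DifferenceObject $inventory -Property IP, OpenPorts |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { "NEW or CHANGED: $($_.IP) open=[$($_.OpenPorts)]" }
}
```

Run it on a schedule from a host that sits on the network being inventoried, and keep the CSV files; the history is what lets you answer “when did port 3389 open on that box?” during an incident.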
Implement current, well-proven encryption and certificate practices for connections both inside and outside your company. For internal resources, make full use of VLANs (Virtual Local Area Networks) to isolate systems from the internet or from one another. If your primary backup solution is onsite, VLANs can also help secure your:
If you haven’t heard it before, we are big believers in the 3-2-1 principle: keep three copies of your data, on two different types of media, with one copy located off-site.
Backups are often the saving grace when ransomware strikes. If you run a Windows environment, make sure your backup system authenticates with its own dedicated credentials, not the domain accounts your DC (domain controller) manages, and certainly not a domain administrator account. This way, if ransomware gains a foothold anywhere on your network and harvests a domain credential, authenticating to your backup server and taking your backups hostage is far less likely. Furthermore, conduct your backups such that none of your production machines “push” data to the backup server. Configure the backup server to initiate the connection and “pull” the data instead, closing the connection behind it when replication is complete, so that no production host ever holds a standing path to your backups.
Lastly, backups should be tested often! A corrupt backup is no backup at all. Restore backups routinely to ensure their integrity. As mentioned above, this is a great use for a test environment. When a system-level backup is restored for testing, make sure services come online and make sure files open.
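The pull-style backup with separate credentials described above, plus a post-copy integrity spot-check, as an added example written for this page rather than taken from it. It assumes a backup server BKP01 pulling from file server FS01 over SMB with svc-backup-pull, a local account on FS01 (not a domain account) holding read-only share and NTFS rights, and a credential saved once on BKP01 with Get-Credential | Export-Clixml (DPAPI-protected for that user on that host). The hash check confirms the copy matches the source; it is not a substitute for the routine restore tests the previous paragraph calls for.

```powershell
# Added example, not ITAdOn's code. Assumptions: BKP01 pulls \\FS01\Finance$
# using FS01\svc-backup-pull (a local, read-only account on FS01, not a domain
# account); the credential file was created on BKP01 with Export-Clixml.
Import-Module SmbShare
$Source = '\\FS01\Finance$'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
# Each pull lands in a fresh dated folder. Mirroring into one folder would let an
# already-encrypted source overwrite the only good copy; versioning prevents that.
$Dest   = "D:\Backups\FS01\Finance\$stamp"
$LogDir = 'D:\Backups\Logs'
$Cred   = Import-Clixml -Path 'D:\Backups\pull.cred.xml'
New-Item -ItemType Directory -Path $Dest, $LogDir -Force | Out-Null

# The backup server opens the SMB session (pull); FS01 never connects to BKP01.
$net = $Cred.GetNetworkCredential()
New-SmbMapping -RemotePath $Source -UserName "$($net.Domain)\$($net.UserName)" `
    -Password $net.Password -Persistent $false | Out-Null
try {
    # /E copies subfolders including empty ones; /R:1 /W:5 keep retries short;
    # /XJ skips junctions; /FFT tolerates 2-second timestamp drift; /LOG keeps an audit trail.
    & robocopy $Source $Dest /E /R:1 /W:5 /XJ /FFT /NP /LOG:"$LogDir\finance-$stamp.log"
    # robocopy exit codes below 8 indicate success (possibly with skipped/extra files).
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # Integrity spot-check: hash a random sample of copied files against the source.
    $sample = Get-ChildItem -Path $Dest -Recurse -File | Get-Random -Count 20
    $bad = foreach ($f in $sample) {
        $rel = $f.FullName.Substring($Dest.Length)
        $src = Join-Path -Path $Source -ChildPath $rel
        if (-not (Test-Path -LiteralPath $src) -or
            (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash -ne
            (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash) { $rel }
    }
    if ($bad) { throw "Hash mismatch on: $($bad -join ', ')" }
    Write-Output "Backup $stamp complete; $($sample.Count) files verified."
}
finally {
    # Close the connection behind us so no standing path to the backups remains.
    Remove-SmbMapping -RemotePath $Source -Force
}
```

Because only the backup server ever authenticates, and does so with an account that has no meaning elsewhere in the domain, a ransomware-infected workstation that has harvested a domain credential still has nothing it can use against BKP01. Prune old dated folders on a retention schedule, and make the off-site copy of the 3-2-1 rule from the backup server as well, never from production.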
The United States government very recently consolidated resources and published a one-stop-shop resource to prevent organizations from falling prey to ransomware attacks at StopRansomware.gov. Seize the opportunity during this global scourge to reevaluate your IT infrastructure from the bottom up; not only to guard your business against ransomware but to ensure you are getting your money’s worth out of your tech investment.
ITAdOn is here: Not only to advise but partner with you. Whether we become your IT department, consult with the one you have, or provide resources to make your own adjustments, we are committed to ensuring the security and effectiveness of your IT infrastructure. Ensure the keys to your business are in good hands.