A company I worked for was hit with the CryptoLocker ransomware last year. In the aftermath, we found that some security measures were in place and others were not. We all hear that we need “best practices” in place every day to mitigate risks for events such as these. Are we reviewing our best practices regularly to ensure they are in place and working as intended?
Implementing current patches is the key deterrent to events such as the recent WannaCry attacks. If timely patches are not accomplished, risk is elevated for any vulnerabilities in a company.
Let’s cover some ransomware Do’s and Don’t’s:
DO have a “good” backup you can rely upon. How do you know that it is good? You have tested the backups and can be confident the recovery is 100 percent. Relying on the backup itself is not considered a best practice. We were able to recover the encrypted files on a share drive to which the employee’s infected machine had access, and did not pay a ransom.
DO limit who has administrative rights on local machines. No one had administrative rights to their machine in the company I worked at. It is a special request and reserved mostly for developers. We also used a tool that provides administrative rights when necessary, where the function was elevated at the time of need and was not tied continuously to the person or machine. This is an IT industry best practice standard that is not generally done in companies and could alleviate risk by 80% or more.
DO provide continuous cyber security awareness training, with training information posted on the company’s intranet site. Have employees take quizzes on the training to ensure understanding, and provide them as much explanation as possible. After all, this is not a secret – we are all subject to infections, vulnerabilities and risks in using both corporate and personal computers every day.
DO use filtering tools for both Internet use and email tools use. The filters will provide some level of mitigation.
DO patch all machines and devices regularly. Review the recommended updates, and then put them on to the appropriate devices at the earliest opportunity. We often hear of infection when patches have been out for years, yet are not applied. Have a monthly review board to study the patches, their outstanding application, and require a signed justification from the department or system owner if the patch is not applied in timely fashion.
Now a few DONT’S:
DON’T allow personnel to access personal email accounts from work machines. A former company had a setting turned on that enabled this, but virtually everyone has a smartphone now and can get to their personal email and information that way.
DON’T rely on the IT experts by default. Ask them the questions necessary to ensure they are doing their due diligence. That firewall setting allowing access to personal email accounts at my former company was in place for years; they would have been able to have that audited. Different teams in IT should all be discussing their configurations together and determining the best practices necessary, and then advising the CIO or director what needs to be put in place. I had to instruct the network people to turn off the setting NOW. I had no opportunity to review why it was on, whether it was necessary, etc. Just turn it off.
DON’T allow non-standard machines to connect to the network, unless IT can review them and determine their use, and are able to sandbox them, VLAN them, etc. You can’t manage what you don’t know about.
There are many measures that can be taken to mitigate risks. The best approach is to evaluate your environment, infrastructure, systems, and people minimally once a year – and sooner as circumstances dictate – to determine how to strengthen the tools and techniques used to minimize damage when an event occurs.
Yes, an attack at some level will happen to everyone, so being prepared, as a good Girl Scout would say, is the best line of defense.
Cheryl Santor, CGEIT, CISM, CISA, CISSP, former Information Security Manager of Metropolitan Water District of SoCal, Chief Compliance Officer of the ISACA Los Angeles Chapter
[ISACA Now Blog]