Anti-ransomware strategies should be as easy as ABC

Ransomware is one of those issues that can keep senior staff awake at night, particularly those responsible for keeping a company and its data information safe. They have probably done a good job, but nevertheless stories about major breaches at large institutions can cause a sense of unease.

Typical protections can include filtering all incoming and outgoing email for malicious files and malicious links – often done through an external commercial service.

Often, these scanning services can be extended to cover data exfiltration via email and scanning of a company’s web traffic, which are both recommended.

These days, it is likely that the company will have a few home workers and possibly travelling staff, and their links back to base should be encrypted.

A rigorous backup regime, whether daily, weekly, monthly, or even quarterly or annually, should be in place, alongside regular integrity testing.

What else could the IT security professional be in the process of planning to put in place, or perhaps should have put in place?

Here are a few suggestions, although some of them fall into the category of Motherhood and Apple Pie!

• Ensure that the encrypted links that remote and travelling users use to connect back to base are mutually authenticated – this requires a unique certificate for each remote device and a company-specific certificate for the central sites – and implement multifactor user authentication (MFA). It goes without saying that VPNs should be created directly from a user’s PC, not a router.
• Ensure that the PCs used by remote users and travelling staff force any internet access via the company central site. If a user’s PC can gain internet access, or access to a home or third-party network at times when they are not connected back to base, the PC should be treated as potentially dangerous and appropriate measures put in place to protect the company. An encrypted VPN only protects data in transit, it doesn’t provide other protections to a company’s infrastructure, it just provides a conduit from an infected PC direct into a company’s infrastructure.
• A remote or travelling user’s device should implement start-up security in addition to company network user authentication credentials.
• Security policies, procedures and standards should be clear, up to date and readily available via a company intranet. A regular (annual or better) company audit should ensure that these are in fact up to date and used.
• Run regular poster campaigns highlighting the latest scams and giving advice about identifying malicious actors. Put a friendly face to the advice and a cartoon or three won’t go amiss. Don’t forget to give contact details for advice and highlight “no blame”. A regular blog on the company intranet with emails highlighting a new blog would also work well and would neatly cover home, remote and traveling staff. Target this so that a user can take and use that advice at home. 
• Users should not have, or be given, local administrator access to their own company-provided device.
• Consider implementing “time of day” user access controls, such as restricting access to specific parts of the company infrastructure and services during recognised out of hours. Along with these “time of day” restrictions, users could be restricted based on where they are accessing from and what device they are using. For example, a user accessing from the internet from a personal device could be restricted to just email.   
• Ensure that authentication, authorisation and accounting (AAA) systems permit the use of and are used to ensure that least privilege and need-to-know restrictions are applied to all accounts, without exception. For example, a departmental head does not, as a general rule, need write and/or read access to every file, and someone in sales does not need access to HR files, and so on. A person who has widespread write access would wreak havoc if their PC were infected.
• The AAA system needs to be updated in a timely fashion whenever a staff member or contractor leaves, goes on extended leave or moves to another function or job. AAA groups and roles should be regularly reviewed and updated.
• Consider implementing MFA for all access.
• For any and all applications, change any default or built credentials (username and password).
• Consider implementing mutual authentication between applications based on the use of certificates.
• Website form input boundary and forbidden character checking.
• Intrusion detection and scanning of the internal network for unusual activity.
• Segregated network infrastructures with security features between each segment. A segment for each company department – finance, HR, sales, development, etc. 
• Key and critical or sensitive data held in a dedicated network segment with access via a security gateway.
• Ensure that online backups are themselves backed up up offline to protect against an online backup being compromised. 
• If running a bring-your-own-device (BYOD) policy, remote access should be terminated on a dedicated network, implementing time-limited restricted service access to the main network, and then only via proxy devices.
• Implement ransomware detection on file servers and database servers.