Ransomware is back in full force these days and is now a profitable business model. Companies need to be prepared to minimize the damage if a compromise happens.
Here are some key points to consider:
- Patch: Patch, patch, patch, we’ve all heard it, but another reminder. Patch your systems consistently. This includes both Operating System patches, but also third-party applications like Chrome, Java, Flash, Silverlight that are all commonly exploited.
- Shared Drives: Limiting access to shared drives by department or smaller groups can save pain. Ransomware will encrypt what it can get to. Make sure it does not have access to everything.
- Backups: Have backups that are not be accessible by a ransomware infection. Put backups on SANS or other forms of storage that will not allow encryption from a workstation or put it offsite and inaccessible to a workstation infection. Don’t keep backups only on servers. Allow teams to practice and develop processes to restore a server and shared drives from backups or scratch.
- Disaster Recovery: Plan and test failover options for various critical systems, such as email and authentication. Figuring out how to failover after things are broken is much harder than doing it during a controlled test.
- Train your staff: Train employees to recognize malicious links and targeted emails that attempt to gain access. Give them reminders of what a legitimate company email would look like, versus examples of malicious attempts, will help keep employees be aware of the threat horizon. Staff should also be trained to recognize and be caretakers for regulated data.
- Incident Response: Have designated Incident Response team members that have allocated time to practice and document an incident response plan. Knowing what to do when something happens is half the battle.
- Alerting and Logs: Validate that there are alerts in place and that someone is checking for when machines are accessed by odd remote locations. If a workstation is getting accessed from Russia, it is critical that someone is aware and responding to that. Logs will be critical to determine what was compromised
Stay one step ahead of issues that lead to ransomware compromise. Get an assessment and develop plans to implement them.
About the Author
Alice Liu is a cybersecurity professional that has worked both incident response and operations. With extensive experience managing incidents, forensics, and their declarations along with audits and implementing security solutions across complex business environments. She runs ALT-C Consulting, headquartered in Sacramento, CA.
Cybersecurity and Incident Response Consultant, CISSP, HCISPP, and CEH