Ransomware Risk Mitigation Part 2

This is part 2 of our series on ransomware risk mitigation. In part 1 of this series, we examined three important steps to perform to help reduce the risk of your organization from getting a ransomware attack. Part 2 of our series examines four additional steps to help prevent a ransomware attack.

Filter and Segment Network Traffic

Filtering traffic within the network is an effective way to slow down an already spreading ransomware attack.

Network filtering employs methods to “filter” the network traffic coming in from the Internet and going out to the Internet. For the smaller organization, this is typically implemented at the Internet firewall. For the larger company, deploying specialized hardware is recommended as this filtering can take a significant amount of performance away from your Internet firewall.

Network segmentation divides up the internal network in to “segments” or groups of computers. These segments are configured around workgroups (say, administration and production) and security considerations (local computers, guest computers, VPN connections, servers). Network segmentation can result in a complex network environment, and because of the way segmentation is configured, it can stop the spread of a ransomware attack. For instance, if production is attacked, it is unlikely the attacker can get to the administration segment.

If your company has equipment known as SCADA devices, which configure and collect data on equipment such as power generators, lift pump stations, and heavy production machinery, you will also want to segment these devices into their own management network. In fact, the SCADA network should be completely isolated from your administrative networks either by physical disconnection or by using a privileged workstation and jump boxes, combined with VPN connectivity.

Network segmentation and filtering are advanced technologies, and we recommend engaging with a qualified networking security expert to deploy them properly and securely.

Update Software

Updating software is the oldest ransomware prevention technique, and it is one of the most effective. If you were to take a close look at any number of recent ransomware articles, you would find a common thread: the criminals took advantage of old software or old hardware that had not been updated (or patched) to the current security levels.

Many of the attacks could have been avoided with patching the systems.

Developing a method and timeframe for patches is an important task in your ransomware prevention checklist. We recommend developing:

1. patch frequency policies for each type of device on your network.
2. a way to monitor when a vendor releases a critical security patch outside of their normal patch release calendar. For instance, you can sign up for email alerts for security patch releases from most major networking vendors, such as SonicWall, Cisco, and HP.
3. a way to audit for computers or devices which are running old or outdated software or are outside of support from the vendor. Sometimes running old hardware is not avoidable, but if you need to run the old hardware, special security measures should be set up to mitigate any possible security problems.

If your environment is large, an automated tool is the most effective way to keep up with patches.

Limit Access to Resources Over Networks – Especially by Restricting RDP Traffic

Remote Desktop Protocol (RDP) is the “language” Microsoft Remote Desktop Servers speak. Remote Desktop Servers were once a popular way to remotely access network resources over the Internet. In recent years, they have become less popular, but if you have a network with a Windows server, Remote Desktop is probably still enabled.

Remote Desktop is not bad in itself as it can be a valuable management tool for IT administrators, but it needs to be configured and protected properly. Here are a few tips for securing Remote Desktop:

1. Administratively disable Remote Desktop on desktop computers. If a few users do need Remote Desktop enabled on a desktop computer, manage them like servers or consider deploying a Remote Desktop Server.
2. Do not enable RDP connectivity through your firewall without a VPN connection.
3. Enable all audit logging everywhere you have Remote Desktop enabled.

Set Antivirus and Antimalware Software to Perform Regular Scans

We have seen all types of configuration lapses but deploying antivirus and antimalware software without regularly scanning all devices on the network is a big oversight. In addition to regular, automated scans, the software itself should also have an upgrade/update schedule. Here is what we recommend for Anti-virus configuration and management:

1. All end user computing devices need antivirus software installed on them.
2. Administratively configure weekly scans – we recommend late on a weeknight.
3. Deploy the server versions of the software to servers as needed.
4. Configure real-time alerting and logging so IT staff is alerted to potential virus activity.
5. Configure the software so the end user cannot disable it or uninstall it.

In our next blog and the third in this series, we’ll be exploring what steps you can take to recover your data if a ransomware attack still occurs.

This week’s post is by Tim Malzahn, Principal Consultant at Malzahn Strategic