September 23, 2021
As a CTO or IT leader, you should work under the assumption that a ransomware attack will happen, not if. The real question is, if the attack is successful, how will it impact your business, and are you ready to respond? Employees working remotely, bringing your own devices, and virtual private network vulnerabilities and misconfigurations are becoming attackers’ most common entry point. Although companies can choose to pay the ransom, the recovery cost and the resulting downtime after the attack, including the reputational damage, can be 10 to 15 times more than the ransom.
Ransomware attackers are getting more and more sophisticated in disguising their attacks, as indicated by the following (source Fryeeye – Threat Research Blog March 16, 2020):
- Initial infection vectors – Most commonly observed: RDP, phishing, and driving by downloads
- Dwell time – In most cases, at least three days pass between the first evidence of malicious activity and the deployment of ransomware
- After hours deployment – In 76% of cases, ransomware was executed outside work hours
Taking a few basic steps can help prevent an attack:
- Patch all software as soon as possible (including operating systems and applications). Although patching is critical to preventing attacks, equally important is making sure your organization has a patch management policy including identification, testing, packaging, and deployment of patches, including a rollback process (if needed) in case something goes wrong.
- Educate users not to click on links; conduct regular phishing training exercises aimed at employees. Several companies offer training, including KnowBe4, which offers user-friendly and effective security awareness training covering pre-and post-training phishing security tests that show you the percentage of Phis-prone end-users.
- Review and enforce the existing password policy; if this has not been applied to all systems, consider increasing the frequency of password changes and complexity of passwords, especially for privileged accounts. Make sure the policy requires passwords to be updated regularly.
- Have anti-virus and anti-malware in place and up to date as recommended by the software vendor. Implement software that provides real-time protection against viruses and malware by monitoring device behavior and terminating processes identified to be malicious or abnormal behaviors.
- Back up all critical systems and data. Define and follow a backup schedule. Regularly test and validate that the backup can recover data to the latest “good” state.
- Implement the principle of least privilege restricting users’ system and application permissions and conduct credential tracking for all user and device credentials.
- Deploy tools that can help you proactively identify and prioritize weak points across your network, including your users. Search for any user on the network and quickly find their recent activity, endpoint data, and the vulnerability on their assets
If your organization has been attacked or needs help preventing an attack, contact Dewpoint for help.