How To Prevent Ransomware Attacks
Executive Summary - How to Prevent Ransomware Attacks
Figure: Process, People, Technology

“Technology often promises a ready fix to the problem. The issue is that unless we have our processes down pat, we don’t know what the technology is really supposed to do in the context of our business. It’s critical that we understand how to use the technology, how the people will benefit from it, and how it all puts process into action.”
Curtis Franklin, Omdia
KEY TAKEAWAY #2
Security processes around incoming file control and network traffic visibility take priority.
It is critical to start security efforts with a focus on process. Processes shape and support a company culture that does not encourage employees to ignore security and work around security controls. An emphasis on efficiency, effectiveness, and productivity at all costs, for example, encourages employees to bypass security to decrease friction.

There are two process areas to prioritize: incoming file control and network traffic visibility.

▪ Incoming file control. Email is the most common attack vector for ransomware. In most cases, a ransomware attack begins by convincing an employee to download a malicious file or click a link to a malicious website; therefore, methods of file exchange should move away from email and toward alternatives such as dedicated file repositories that require proper authentication, or internal collaboration platforms. Using exceptionally paranoid email filters adds another layer of security.

In the event that a malicious file enters the system, it is usually an initial loader for a ransomware payload. These loader files often depend on exploiting out-of-date software on various system components, so strong patching and updating practices go a long way toward blocking initial loaders from downloading the ransomware payload. Strong configuration management practices, especially for Internet-facing systems, are also critical in blocking initial loaders. Defining and applying maximally secure configurations should be incorporated into company security policy.

▪ Network traffic visibility. Consistently and regularly update the known picture of your organization’s network, applications, and users. This is especially critical, but also especially difficult, when dealing with multi-cloud or hybrid applications. Having a process to clearly understand the status of applications, who the users are, and what they are authorized to do in the environment, and requiring by policy that the process be applied regularly, creates a baseline of normal network behavior. This up-to-date baseline then makes it easier to flag and block abnormal behavior.
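The baseline-then-flag process described above, as an added example that is not part of the original summary: it learns which application and port each user reaches from each host during a known-good period, combines that with an authorization inventory, and flags observed flows that fall outside either. Every user, host, application and flow below is constructed sample data, not taken from any real environment.

```python
"""Learn a baseline of normal user/host/application traffic and flag deviations.

Added example, not part of the original summary.  All inventory and flow
records are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str      # identity that produced the traffic
    src: str       # source host
    app: str       # destination application or service name
    dst_port: int  # destination port


# Constructed authorization inventory: which users may use which applications.
AUTHORIZED = {
    "alice": {"crm", "fileshare"},
    "bob": {"crm"},
    "svc-backup": {"backup-vault"},
}

# Constructed "known good" period used to learn what normal looks like.
BASELINE_FLOWS = [
    Flow("alice", "ws-01", "crm", 443),
    Flow("alice", "ws-01", "fileshare", 443),
    Flow("bob", "ws-02", "crm", 443),
    Flow("svc-backup", "bk-01", "backup-vault", 8443),
]

# Constructed traffic observed after the baseline was established.
OBSERVED_FLOWS = [
    Flow("alice", "ws-01", "crm", 443),                 # matches baseline
    Flow("alice", "ws-01", "fileshare", 445),           # authorized app, never-seen port
    Flow("bob", "ws-02", "fileshare", 443),             # bob is not authorized for fileshare
    Flow("svc-backup", "bk-01", "backup-vault", 8443),  # matches baseline
]


def build_baseline(flows):
    """Map each (user, src host) to the set of (app, port) pairs it normally reaches."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.user, f.src)].add((f.app, f.dst_port))
    return seen


def flag_abnormal(flows, baseline, authorized):
    """Return (flow, reason) pairs for flows outside the inventory or the baseline.

    The authorization check runs first: an unauthorized application is a policy
    violation regardless of whether the traffic pattern was seen before.
    """
    findings = []
    for f in flows:
        if f.app not in authorized.get(f.user, set()):
            findings.append((f, "user not authorized for application"))
        elif (f.app, f.dst_port) not in baseline.get((f.user, f.src), set()):
            findings.append((f, "new application/port for this user and host"))
    return findings


def review_observed():
    """Run the observed flows against the learned baseline and inventory."""
    return flag_abnormal(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS), AUTHORIZED)


if __name__ == "__main__":
    for flow, reason in review_observed():
        print(f"{flow.user}@{flow.src} -> {flow.app}:{flow.dst_port}: {reason}")
```

The baseline must itself be refreshed as the inventory changes, exactly as the summary says; a stale baseline turns legitimate new applications into noise and trains analysts to ignore the alerts.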
KEY TAKEAWAY #3
Zero-trust practices further reduce the likelihood of a successful ransomware attack.
In addition to prioritizing incoming file control and network traffic visibility, using access controls, such as multifactor authentication, across all applications creates a serious impediment to threat actors. Organizational policy should also apply least-privilege access everywhere to diminish the power of any individual user to be a conduit for ransomware: a threat actor who gains a foothold must then escalate privileges to carry out the attack. Limiting access, coupled with security policies that include regular patching and updating, makes successful attacks unlikely. As part of a least-privilege access policy, security processes should include policing users and accounts to revoke any unnecessary or unused privileges.

A key piece of zero trust is network segmentation. By segmenting the network, the organizational impact of any attack is severely limited, especially if tied to least privilege. As part of a zero-trust strategy, do not assume that a partner will have the same level of security as your own organization. While partner relationships are important and beneficial, mismatched security can result in a disastrous breach. Have policies in place to verify the traffic coming from partners, or even to verify their security.

As part of process evaluation for security, reviewing the software and protocols in use plays an important role. Because an initial loader file, and not the ransomware itself, is typically the first malware to land, having up-to-date anti-malware software and signatures can stop an attack before it starts, as most loaders are not new. Server Message Block (SMB), which is one of the most common ways of moving files between organizational systems, should not be used, for security reasons. And while Remote Desktop Protocol (RDP) can be useful, it is critical to have secure configurations in place and enforced.

There is a vast difference between having backup in general and having effective backup, particularly backup that is effective against ransomware. Effective backup involves maintaining current copies through daily backup in multiple tiers that can be taken offline and carefully scanned for malware.

To avoid a successful malware attack, have a plan, make sure everyone in the organization knows what that plan is, and practice putting the plan into effect at least once or twice a year.

“We should prepare for the unknown that may hit . . . but there’s also a lot that we should do better to address what is already known—patch our system and be prepared when someone is usually using a vulnerability either in our technology or in our people.”
Karin Shopen Bar, Fortinet
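An added example, not from the original summary, of the account-policing step in a least-privilege policy: it reviews a constructed account inventory and lists the privileges that should be revoked because they have gone unused or were never used, and the accounts that have no multifactor authentication enrolled. The account names, privilege names, dates and the 90-day idle threshold are all assumptions made for this example.

```python
"""Periodic review of accounts and privileges under a least-privilege policy.

Added example, not part of the original summary.  The inventory, the review
date and the idle threshold are constructed assumptions.
"""
from datetime import date, timedelta

# Constructed inventory.  For each account: whether multifactor authentication
# is enrolled, and for each privilege the date it was last exercised (None if
# it has never been used since it was granted).
ACCOUNTS = {
    "alice": {
        "mfa": True,
        "privileges": {"crm-user": date(2024, 5, 30), "domain-admin": date(2023, 11, 2)},
    },
    "bob": {
        "mfa": False,
        "privileges": {"crm-user": date(2024, 5, 29)},
    },
    "svc-legacy": {
        "mfa": False,
        "privileges": {"fileshare-admin": None},
    },
}

# Constructed date on which the review is run.
REVIEW_DATE = date(2024, 6, 1)


def review_accounts(accounts, today, max_idle_days=90):
    """Return (account, privilege, recommendation) tuples for every finding.

    A privilege is flagged when it has never been used or has not been used
    within max_idle_days; an account is flagged (privilege "*") when it lacks
    multifactor authentication.  Sorted by account so output is stable.
    """
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for name, record in sorted(accounts.items()):
        if not record["mfa"]:
            findings.append((name, "*", "no multifactor authentication enrolled"))
        for priv, last_used in sorted(record["privileges"].items()):
            if last_used is None:
                findings.append((name, priv, "privilege never used; revoke"))
            elif last_used < cutoff:
                idle = (today - last_used).days
                findings.append((name, priv, f"privilege unused for {idle} days; revoke"))
    return findings


if __name__ == "__main__":
    for account, priv, recommendation in review_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"{account:12} {priv:16} {recommendation}")
```

Service accounts deserve particular attention in such a review: they rarely have a human owner asking for their privileges, so dormant ones accumulate unless the process removes them.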
KEY TAKEAWAY #4
People play a key role in cybersecurity.
Once you have good processes in place, it is important that your employees know what those processes are and how to put them into practice. Begin with comprehensive, regular cybersecurity awareness training to teach employees what a ransomware attack looks like, covering phishing and all other threat vectors. Even five minutes per week, every week, of training can be highly effective.

Empower employees to act on their training as well, such as by providing a path to send suspicious emails or links to the security team for review, or by supporting their choice to ignore potentially malicious messages. Incorporate security into the company culture and make sure that secure behavior starts at the very top.

Ongoing training and testing reinforce and improve security. Training cannot be a one-time event. It should be viewed and implemented as a valuable part of the business.

“Don’t make training and culture fight one another. If you have a culture that says it’s okay to work around security, then your employee isn’t the problem. The culture is the problem.”
Curtis Franklin, Omdia
KEY TAKEAWAY #5
Technology implements security policies and helps people.
In today’s IT landscape, malware often lives on a system long
before anyone realizes, averaging months between a malware
file’s entry and its moment of discovery. One of the goals of
technology is to minimize that “dwell time.” Once a ransomware
attack is launched, it is “noisy.” Automation technology can
identify malware based on behavioral patterns, raising alarms
and stopping the attack in its quiet phase (usually when data
exfiltration occurs), in a matter of seconds—not months.
Using technology this way helps IT and security employees
recognize attacks early and stop them before they are
successful, saving time, expense, and in some cases the
business itself.
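An added example, not from the original summary, of the kind of behavior-based detection the passage describes: it runs over constructed endpoint file-activity events and raises an alert when a single process renames many files with changed extensions across several directories within a short window, which is the "noisy" pattern that separates the active phase of ransomware from ordinary document editing. The process names, paths, timings and thresholds are constructed assumptions.

```python
"""Behavioral detection of mass file rewrites from endpoint file events.

Added example, not part of the original summary.  Event records, process
names, paths and thresholds are constructed assumptions.
"""
import os
from collections import defaultdict

# Constructed events: (seconds since start, process, old path, new path).
# A save that keeps the extension is ordinary; a burst of renames that change
# many extensions across directories is the pattern to catch.
EVENTS = [
    (0.0, "winword.exe", "C:/Users/a/Documents/~tmp.tmp", "C:/Users/a/Documents/report.docx"),
    (0.2, "winword.exe", "C:/Users/a/Documents/report.docx", "C:/Users/a/Documents/report.docx"),
    (1.0, "updater.exe", "C:/Users/a/Documents/q1.xlsx", "C:/Users/a/Documents/q1.xlsx.locked"),
    (1.5, "updater.exe", "C:/Users/a/Documents/q2.xlsx", "C:/Users/a/Documents/q2.xlsx.locked"),
    (2.0, "updater.exe", "C:/Users/a/Documents/notes.docx", "C:/Users/a/Documents/notes.docx.locked"),
    (2.5, "updater.exe", "C:/Users/a/Documents/plan.pptx", "C:/Users/a/Documents/plan.pptx.locked"),
    (3.0, "updater.exe", "C:/Users/a/Pictures/a.jpg", "C:/Users/a/Pictures/a.jpg.locked"),
    (3.5, "updater.exe", "C:/Users/a/Pictures/b.png", "C:/Users/a/Pictures/b.png.locked"),
    (20.0, "backup.exe", "C:/Users/a/Documents/q1.xlsx", "D:/Backup/Documents/q1.xlsx"),
    (20.1, "backup.exe", "C:/Users/a/Pictures/a.jpg", "D:/Backup/Pictures/a.jpg"),
]


def ext_changed(old_path, new_path):
    """True when the file extension differs between old and new path (case-insensitive)."""
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()


def detect_mass_rewrite(events, window_s=10.0, min_files=5, min_dirs=2):
    """Return one alert per process that changes the extension of at least
    min_files distinct files, spread over at least min_dirs directories,
    within any window_s-second window.

    Each alert is a dict with the process name, the window start time, and
    the number of files and directories involved.
    """
    renames_by_proc = defaultdict(list)
    for t, proc, old, new in events:
        if ext_changed(old, new):
            renames_by_proc[proc].append((t, old))

    alerts = []
    for proc, renames in renames_by_proc.items():
        renames.sort()
        end = 0  # index one past the last event inside the current window
        for start in range(len(renames)):
            while end < len(renames) and renames[end][0] - renames[start][0] <= window_s:
                end += 1
            files = {path for _, path in renames[start:end]}
            dirs = {os.path.dirname(path) for path in files}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                alerts.append({
                    "process": proc,
                    "start": renames[start][0],
                    "files": len(files),
                    "dirs": len(dirs),
                })
                break  # one alert per process is enough to trigger response
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rewrite(EVENTS):
        print(f"ALERT {alert['process']}: {alert['files']} files in {alert['dirs']} "
              f"directories rewritten starting at t={alert['start']}s")
```

The thresholds trade sensitivity against false positives: a legitimate archiver or build tool can also rename many files quickly, so in practice the rule is paired with allow-listing of known processes and with the other signals the summary mentions, such as unusual outbound traffic during the quiet phase.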