
How to Prevent Ransomware Attacks
5 Strategies for Success

KEY TAKEAWAYS

■ Avoiding successful ransomware attacks depends on three key areas.
■ Security processes around incoming file control and network traffic visibility take priority.
■ Zero-trust practices further reduce the likelihood of a successful ransomware attack.
■ People play a key role in cybersecurity.
■ Technology implements security policies and helps people.

Executive Summary presented by Curtis Franklin, Senior Analyst, Security Operations, Enterprise Security Management, Omdia; Anthony Giandomenico, Practice Director - Fortiguard Responder Services, Fortinet; Karin Shopen Bar, Cybersecurity Strategy, Product Marketing, Fortinet

PAGE 1
Executive Summary - How to Prevent Ransomware Attacks

OVERVIEW

Ransomware can wreak havoc on a business, actively encrypting system data and demanding direct payment in untraceable cyber currency. A successful ransomware attack is nearly impossible to undo without the keys for unlocking the encryption. As a result, current IT backup and restore strategies may no longer suffice to meet cybersecurity needs.

Cyber resilience requires a three-part approach to security: process, people, and technology. Companies need to understand where gaps exist in all of those areas and how to bring processes, people, and technology together under a unified, security-first practice.

[Figure: the three-part approach, with the labels Process, People, and Technology]

“Technology often promises a ready fix to the problem. The issue is that unless we have our processes down pat, we don’t know what the technology is really supposed to do in the context of our business. It’s critical that we understand how to use the technology, how the people will benefit from it, and how it all puts process into action.”
Curtis Franklin, Omdia

KEY TAKEAWAY #1
Avoiding successful ransomware attacks depends on three key areas.

Ransomware threat actors are typically not individuals, but rather organized entities, with policies and practices, much like any corporation. However, ransomware is not often the domain of sophisticated actors or well-written software. They are brute force attacks—a digital representation of extortion. In today’s digital world, ransomware attacks are unavoidable. However, companies can focus on three key areas to avoid successful ransomware attacks: process, people, and technology.


KEY TAKEAWAY #2
Security processes around incoming file control and network traffic visibility take priority.

It is critical to start security efforts with a focus on process. Processes shape and support a company culture that does not encourage employees to ignore security and work around security controls. An emphasis on efficiency, effectiveness, and productivity at all costs, for example, encourages employees to bypass security to decrease friction.

There are two process areas to prioritize: incoming file control and network traffic visibility.

▪ Incoming file control. Email is the most common attack vector for ransomware. In most cases, a ransomware attack begins by convincing an employee to download a malicious file or click a link to a malicious website; therefore, methods of file exchange should move away from email and toward alternatives such as dedicated file repositories that require proper authentication or internal collaboration platforms. Using exceptionally paranoid email filters will add another layer of security.
  In the event that a malicious file enters the system, it is usually an initial loader of a ransomware payload. These loader files often depend on exploiting out-of-date software on various system components. Having strong patching and updating practices in place goes a long way toward blocking initial loaders from downloading the ransomware payload. Strong configuration management practices, especially for systems that are Internet-facing, are also critical in blocking initial loaders. Defining and applying maximally secure configurations should be incorporated into company security policy.

▪ Network traffic visibility. Consistently and regularly update the known picture of your organization’s network, applications, and users. This is especially critical, but also especially difficult, when dealing with multi-cloud or hybrid applications. Having a process to clearly understand the status of applications, who users are, and what they are authorized to do in the environment, and requiring that process to be regularly applied, by policy, creates a baseline of what normal network behavior is. This up-to-date baseline then makes it easier to flag and block abnormal behavior.
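The "baseline, then flag what falls outside it" process described under network traffic visibility, as an added example that is not code from the Omdia/Fortinet summary: it builds a baseline of which users normally run which application against which service from known-good flow records, flags later flows the baseline does not cover, and folds reviewed flows back into the baseline so the picture stays current. The flow lines are constructed sample data, and the field layout (timestamp user app dst_host dst_port) is an assumed format rather than any product's real log format.

```python
"""Baseline-and-flag check for network traffic visibility (added example)."""
from collections import defaultdict

# Constructed "known-good" flows gathered during a review period (not real data).
BASELINE_FLOWS = """\
2024-05-01T09:00:00Z alice erp-client erp.internal 443
2024-05-01T09:05:00Z alice mail-client mail.internal 993
2024-05-01T09:10:00Z bob erp-client erp.internal 443
2024-05-01T09:12:00Z bob backup-agent backup.internal 10000
2024-05-01T09:15:00Z svc-backup backup-agent backup.internal 10000
"""

# Constructed flows from a later day; two of them are not covered by the baseline.
NEW_FLOWS = """\
2024-05-02T10:00:00Z alice erp-client erp.internal 443
2024-05-02T10:01:00Z alice unknown-tool fileserver.internal 445
2024-05-02T10:02:00Z bob erp-client erp.internal 443
2024-05-02T10:03:00Z bob backup-agent backup.internal 10000
2024-05-02T10:04:00Z carol erp-client erp.internal 443
"""


def parse_flows(text):
    """Yield (timestamp, user, app, host, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, user, app, host, port = parts
        yield ts, user, app, host, int(port)


def build_baseline(text):
    """Map each user to the set of (app, host, port) triples observed as normal."""
    baseline = defaultdict(set)
    for _, user, app, host, port in parse_flows(text):
        baseline[user].add((app, host, port))
    return baseline


def flag_abnormal(baseline, text):
    """Return flows the baseline does not cover, each with a short reason."""
    findings = []
    for ts, user, app, host, port in parse_flows(text):
        if user not in baseline:
            findings.append((ts, user, app, host, port, "unknown user"))
        elif (app, host, port) not in baseline[user]:
            findings.append((ts, user, app, host, port, "new app/destination for user"))
    return findings


def approve(baseline, user, app, host, port):
    """Fold a reviewed, legitimate flow into the baseline so it stays up to date."""
    baseline[user].add((app, host, port))
    return baseline


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for finding in flag_abnormal(base, NEW_FLOWS):
        print(*finding)
    # After review, carol's ERP access turns out to be legitimate: refresh the baseline.
    approve(base, "carol", "erp-client", "erp.internal", 443)
    print(len(flag_abnormal(base, NEW_FLOWS)), "finding(s) remain after refresh")
```

The two findings on the sample data are alice's unfamiliar tool talking to a file server on port 445 and a user the baseline has never seen. The `approve` step is the part the summary stresses: the baseline only stays useful if the review process that refreshes it is applied regularly by policy.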


KEY TAKEAWAY #3
Zero-trust practices further reduce the likelihood of a successful ransomware attack.

In addition to prioritizing incoming file control and network traffic visibility, using access controls, such as multifactor authentication, across all applications creates a serious impediment to threat actors. Organizational policy should also use least-privilege access everywhere to diminish the power of any individual user to be a conduit for ransomware, since a threat actor has to escalate privileges to gain the access needed for an attack. Limiting access, coupled with security policies that include regular patching and updating, makes successful attacks unlikely. As part of a least-privilege access policy, security processes should include policing users and accounts to revoke any unnecessary or unused privileges.

A key piece of zero trust is network segmentation. By segmenting the network, the organizational impact of any attack is severely limited, especially if tied to least privilege. As part of a zero-trust strategy, do not assume that a partner will have the same level of security as your own organization. While partner relationships are important and beneficial, mismatched security can result in a disastrous breach. Have policies in place to verify the traffic coming from partners, or even to verify their security.

As part of process evaluation for security, reviewing software and protocols in use plays an important role. Because an initial loader file, and not the ransomware itself, is typically the first malware to land, having up-to-date anti-malware software and signatures can stop an attack before it starts, as most loaders are not new. Server Message Block (SMB), which is one of the most common ways of moving files between organizational systems, should not be used for security reasons. And while Remote Desktop Protocol (RDP) can be useful, it is critical to have secure configurations in place and enforced.

There is a vast difference between having backup, in general, and having effective backup, particularly backup that is effective against ransomware. Effective backup involves maintaining current updates through daily backup in multiple tiers that can be taken offline and carefully scanned for malware.

To avoid a successful malware attack, have a plan, make sure everyone in the organization knows what that plan is, and practice putting the plan into effect at least once or twice a year.

“We should prepare for the unknown that may hit . . . but there’s also a lot that we should do better to address what is already known—patch our system and be prepared when someone is usually using a vulnerability either in our technology or in our people.”
Karin Shopen Bar, Fortinet


KEY TAKEAWAY #4
People play a key role in cybersecurity.

Once you have good processes in place, it is important that your employees know what those processes are and how to put them into practice. Begin with comprehensive, regular cybersecurity awareness training to teach employees what a ransomware attack looks like, covering phishing and all other threat vectors. Even five minutes per week, every week, of training can be highly effective.

Empower employees to act on their training, as well, such as by providing a path to send suspicious emails or links to the security team for review, or by supporting choices to ignore potentially malicious messages. Incorporate security into the company culture and make sure that secure behavior starts at the very top.

Ongoing training and testing reinforces and improves security. Training cannot be a one-time event. It should be viewed and implemented as a valuable part of the business.

“Don’t make training and culture fight one another. If you have a culture that says it’s okay to work around security, then your employee isn’t the problem. The culture is the problem.”
Curtis Franklin, Omdia


KEY TAKEAWAY #5
Technology implements security policies and helps people.
In today’s IT landscape, malware often lives on a system long
before anyone realizes, averaging months between a malware
file’s entry and its moment of discovery. One of the goals of
technology is to minimize that “dwell time.” Once a ransomware
attack is launched, it is “noisy.” Automation technology can
identify malware based on behavioral patterns, raising alarms
and stopping the attack in its quiet phase (usually when data
exfiltration occurs), in a matter of seconds—not months.
Using technology this way helps IT and security employees
recognize attacks early and stop them before they are
successful, saving time, expense, and in some cases the
business itself.

“[Do not] just plug the holes in the dam. Have someone come in, and do a ransomware assessment. Look at all the different gaps so you’ve got more of a complete picture of how secure—or insecure—you are . . . really look at it holistically.”
Anthony Giandomenico, Fortinet
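The behavioral-pattern detection that Key Takeaway #5 describes, as an added example that is not code from the Omdia/Fortinet summary: a launched ransomware run is "noisy", so the detector keeps a sliding window of file events per process and raises an alert within seconds when one process touches many files across several directories and renames most of them to a single new extension. A compiler writing many object files into one directory is included to show why the distinct-directory criterion matters. The event lines, process names and the field layout (epoch_seconds pid process action path) are constructed for this example and do not correspond to any real product's log format.

```python
"""Sliding-window behavioral detector for the noisy phase of a ransomware run (added example)."""
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 10    # how far back each process's window reaches
MIN_EVENTS = 8         # events needed in the window before it is evaluated
MIN_DIRS = 3           # distinct directories the process must have touched
SAME_EXT_SHARE = 0.8   # share of events that end in one and the same extension

# Constructed sample events (not real telemetry): a normal document edit, a burst
# that renames files across four directories to ".locked", and a compiler
# writing ten .o files into a single directory (noisy, but legitimate).
EVENTS = """\
1700000000 4100 winword.exe write C:/Users/alice/Documents/report.docx
1700000001 4100 winword.exe write C:/Users/alice/Documents/report.docx
1700000010 7777 svc_updt.exe rename C:/Users/alice/Documents/report.docx.locked
1700000010 7777 svc_updt.exe rename C:/Users/alice/Documents/budget.xlsx.locked
1700000011 7777 svc_updt.exe rename C:/Users/alice/Pictures/trip.jpg.locked
1700000011 7777 svc_updt.exe rename C:/Users/alice/Pictures/dog.png.locked
1700000012 7777 svc_updt.exe rename C:/Shares/finance/q1.xlsx.locked
1700000012 7777 svc_updt.exe rename C:/Shares/finance/q2.xlsx.locked
1700000013 7777 svc_updt.exe rename C:/Shares/hr/roster.csv.locked
1700000013 7777 svc_updt.exe rename C:/Shares/hr/payroll.csv.locked
1700000014 7777 svc_updt.exe rename C:/Shares/hr/benefits.csv.locked
1700000020 5200 cc1.exe write C:/build/obj/a.o
1700000020 5200 cc1.exe write C:/build/obj/b.o
1700000020 5200 cc1.exe write C:/build/obj/c.o
1700000021 5200 cc1.exe write C:/build/obj/d.o
1700000021 5200 cc1.exe write C:/build/obj/e.o
1700000021 5200 cc1.exe write C:/build/obj/f.o
1700000022 5200 cc1.exe write C:/build/obj/g.o
1700000022 5200 cc1.exe write C:/build/obj/h.o
1700000022 5200 cc1.exe write C:/build/obj/i.o
1700000022 5200 cc1.exe write C:/build/obj/j.o
"""


def parse_events(text):
    """Yield (ts, pid, process, action, path) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        ts, pid, proc, action, path = parts
        yield int(ts), int(pid), proc, action, path


def detect_bursts(text):
    """Return one alert per process whose recent file activity matches the burst pattern."""
    windows = defaultdict(deque)   # pid -> deque of (ts, directory, extension)
    alerted = set()                # alert once per process, not once per event
    alerts = []
    for ts, pid, proc, action, path in parse_events(text):
        if action not in ("write", "rename"):
            continue
        window = windows[pid]
        window.append((ts, os.path.dirname(path), os.path.splitext(path)[1].lower()))
        # Drop events that have aged out of the window.
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        if pid in alerted or len(window) < MIN_EVENTS:
            continue
        dirs = {entry[1] for entry in window}
        ext_counts = defaultdict(int)
        for _, _, ext in window:
            ext_counts[ext] += 1
        top_ext, top_n = max(ext_counts.items(), key=lambda kv: kv[1])
        if len(dirs) >= MIN_DIRS and top_n / len(window) >= SAME_EXT_SHARE:
            alerted.add(pid)
            alerts.append({
                "pid": pid, "process": proc, "first_seen": window[0][0],
                "events": len(window), "dirs": len(dirs), "extension": top_ext,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(EVENTS):
        print(alert)
```

On the sample data the alert fires on the eighth event of the renaming process, three seconds after its first, while the compiler never trips the detector because all of its writes land in one directory. In a real deployment the thresholds would be tuned against the organization's own baseline of normal file activity, and the alert would feed an automated response rather than a print statement.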


BIOGRAPHIES

Curtis Franklin, Senior Analyst, Security Operations, Enterprise Security Management, Omdia

Curtis Franklin Jr. is a Senior Analyst at Omdia, focusing on security operations and enterprise security management. Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Previously, he was senior editor of Dark Reading; editor of Light Reading’s Security Now; and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek’s online radio and podcast episodes.

Curtis is the author of thousands of articles, the co-author of five books and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

Anthony Giandomenico, Practice Director - Fortiguard Responder Services, Fortinet

Anthony Giandomenico has 30 years of comprehensive experience as an executive, entrepreneur, mentor, and security consultant for companies within information security across all industries. In his current position at Fortinet, he is responsible for all aspects of the FortiGuard Responder services including P&L, marketing activities, service delivery, and new service development.

He has presented, trained, and mentored on various security concepts and strategies at many conferences and trade shows such as the Gartner Security Summit, HIMSS15, and ISMG Data Breach Summit, and on media outlets including a weekly appearance on the KHON2-TV morning news “Tech Buzz” segment and Technology News Bytes on OC16, providing monthly security advice, among others.

Karin Shopen Bar, Cybersecurity Strategy, Product Marketing, Fortinet

Karin Shopen Bar is leading product marketing for Fortinet’s FortiGuard portfolio, including FortiGuard Labs, FortiGuard AI-Powered Security Services and FortiGuard Consulting and IR Services. She is passionate about building trust in technology to support the creation of secure and safe connections between people and systems to facilitate innovation and growth.
