21 Ransomware Prevention Tips You Should Take Now

March 21, 2022 By Rublon Authors

The Ransomware Profile released by the National Institute of Standards and Technology (NIST) outlines security capabilities and measures that help to identify, protect against, detect, respond to, and recover from ransomware events. Even if you cannot undertake all the security measures we described, you can still take some basic ransomware prevention steps to strengthen your security. Here are 21 basic ransomware prevention tips divided into five categories. Take these steps to immediately improve your protection against ransomware attacks.

Educate Employees

Educate your employees on cybersecurity risks to reduce the likelihood of human error and avoid ransomware infections. We highly recommend conducting comprehensive cybersecurity training for all your employees. But organizing such training takes time, so here are some tips you can send to all your employees today:

  • Do not open unknown files
  • Do not click on unknown links
  • Do not use personal applications such as chats, emails, and social media from work computers
  • Do not connect personally owned devices (e.g., smartphones, tablets, and laptops) to work networks without prior authorization

Many companies underestimate the importance of cybersecurity training for their employees. Human error is one of the most common reasons for the success of cyberattacks that lead to unauthorized access. Malicious actors use tactics ranging from password-breaking techniques to full-on phishing attacks to scam schemes to gain access to an unprotected account or corporate network. But ransomware is especially frightening because your workforce can get infected without anybody ever breaking a single credential or talking to any of your employees. A single malicious link clicked by one employee can lead to a company-wide ransomware infection.

Each company should have a clearly defined Bring Your Own Device (BYOD) policy. As a rule of thumb, employees should not be allowed to connect any personally owned devices without prior authorization of that device. Each employee should know that they have to contact their administrator to request the use of their private phone for work before they use it. In addition, employees should not use their work devices to access personal applications such as chats, emails, and social media.

Avoid Vulnerabilities

If your infrastructure has any vulnerabilities, chances are malicious actors will try to exploit them to do you harm. The bad news is that hackers are very likely to use a vulnerability as a way into your corporate network. The good news is that there are steps you can take to reduce this risk:

  • Keep all relevant systems patched and updated
  • Adopt Zero Trust in all network systems
  • Allow installation and execution of authorized applications only
  • Inform your technology vendors of your expectations

After a vulnerability is found in software, developers immediately start working on a patch. Newer versions of software often contain fixes to vulnerabilities discovered in previous versions. Hackers often use vulnerabilities still prevalent in older software. As a result, frequent updates of your systems and applications deny hackers the chance to exploit such vulnerabilities. It may be a good idea to turn on automatic updates whenever possible and schedule frequent checks for new versions of software.

Moreover, you should adopt the principles of Zero Trust to significantly increase the resilience of your systems. Segmentation of your internal networks will prevent ransomware from proliferating across your infrastructure.

All operating systems and third-party software in your company should be configured to run only applications that are on the allow list. You should devise a plan to review, add, and remove applications from the allow list.

Finally, yet importantly, let your technology vendors know that you want them to apply measures that discourage ransomware attacks. Be open and transparent about your requirements.

Detect Ransomware

You have to take action long before any hacker even thinks about infecting your network with ransomware. Here are the most important things you should do to strengthen your infrastructure:

  • Use antivirus and antimalware software
  • Continuously monitor directory services and other user databases for signs of compromise
  • Block access to untrusted web resources

Every device in your network should be protected with active antivirus and antimalware software. You should create a uniform policy that runs update checks and scans the device in search of anomalies. Set your software to scan emails and flash drives automatically.

Directory services such as Active Directory and other identity providers and user databases such as FreeRADIUS, OpenLDAP, FreeIPA, SQL databases, and more should be continually monitored for indicators of unexpected changes, irregular behavior, and active attack.

Use products and services that allow you to block access to IP address ranges, ports, server names, and protocols that have been known to be suspicious or malicious in the past. Protect the integrity of your domain names.

Stop Ransomware

Prevention is key, but you need to know how to minimize damage should you fall victim to a ransomware incident. Your company needs a way to rapidly detect and thwart a ransomware attack before it spreads and infects important files in your network. Here are several best practices to implement now:

  • Deploy Multi-Factor Authentication (MFA) on all user accounts
  • Use standard user accounts whenever possible
  • Follow the principle of minimum privilege
  • Implement authentication delays or automatic account lockout
  • Store data in an immutable format
  • Allow external access to your corporate network only via a secure virtual private network (VPN) connection

One of the most important things you can do to prevent a ransomware attack is to deploy Multi-Factor Authentication (MFA) on all your accounts. Enable MFA on corporate VPNs, cloud applications, Windows Logon, Remote Desktop, RD Gateway, RD Web, and Linux to ensure streamlined protection against threats.

Company-wide implementation of MFA dramatically improves the likelihood of stopping a hacker before they access your network and resources. Of course, a ransomware infection can also start from a malicious link clicked by an employee already connected to your corporate network. In this case, Multi-Factor Authentication can stop ransomware from proliferating by protecting each service your workforce uses. Let's assume the worst. Your employee has clicked a malicious link. Ransomware has infected the files in one part of your infrastructure. Thankfully, your MFA is on, and your company sticks to the principles of Zero Trust. Thanks to this, you can isolate and contain the ransomware attack in one part of the system.

A high percentage of attacks start with a malicious actor gaining access to an account with privileged access or administrative rights. You should use standard user accounts whenever possible to limit the scope of a potential attack. Likewise, always follow the principle of minimum privilege and grant only the permissions that are essential at the time.

There are many different kinds of attacks. But many hackers use the most primitive of them: brute force. To fight against this type of attack, you may want to consider implementing authentication delays that require some time between consecutive failed log-in attempts. You should also temporarily lock out an account after several failed log-in attempts. Even something as simple as locking an account for one hour after three failed log-in attempts can stop such an attack.
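The delay-and-lockout policy described above, sketched as an added example (not code from the original article or from Rublon). The three-failure threshold and one-hour lock come from the text; the doubling delay, `BASE_DELAY`, and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_FAILURES = 3        # from the article: three failed log-in attempts
LOCKOUT_SECONDS = 3600  # from the article: lock the account for one hour
BASE_DELAY = 2          # assumption: seconds, doubled after every failure

@dataclass
class State:
    failures: int = 0
    next_allowed: float = 0.0  # earliest time another attempt is accepted
    locked_until: float = 0.0

class LoginThrottle:  # per-account authentication delay plus temporary lockout
    def __init__(self):
        self.accounts = {}  # keyed by submitted name, whether or not it exists

    def check(self, user, now):
        """Call before verifying the password: 'ok', 'delayed' or 'locked'."""
        s = self.accounts.get(user, State())
        if now < s.locked_until:
            return "locked"
        return "delayed" if now < s.next_allowed else "ok"

    def record(self, user, success, now):
        """Call after a password check that check() allowed."""
        if success:
            self.accounts.pop(user, None)  # counters reset on success
            return
        s = self.accounts.setdefault(user, State())
        if s.locked_until and now >= s.locked_until:
            s.failures, s.locked_until = 0, 0.0  # lockout expired: start over
        s.failures += 1
        s.next_allowed = now + BASE_DELAY * 2 ** (s.failures - 1)
        if s.failures >= MAX_FAILURES:
            s.locked_until = now + LOCKOUT_SECONDS

def replay(events):
    """Replay (time, user, password_ok) events and return each outcome."""
    throttle, outcomes = LoginThrottle(), []
    for now, user, ok in events:
        verdict = throttle.check(user, now)
        if verdict == "ok":  # only now is the password actually evaluated
            throttle.record(user, ok, now)
            verdict = "success" if ok else "failed"
        outcomes.append(verdict)
    return outcomes

# Constructed sample: a guessing run against one account, then the real user.
SAMPLE = [(0, "alice", False), (1, "alice", False), (2, "alice", False),
          (6, "alice", False), (7, "alice", True), (3607, "alice", True)]
```

In the sample, the correct password at second 7 is still refused because the account is locked, which is the trade-off of account-keyed lockout: anyone who can submit three wrong passwords can lock the real user out for the hour.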

During a ransomware attack, your files get encrypted. Then, hackers demand a ransom for the decryption key. To fight that, you should store your data in an immutable format to make it impossible to tamper with, modify, encrypt, or delete.

Importantly, any external access to your internal network should only be possible via a secure virtual private network (VPN) connection. Secure all VPN connections with Multi-Factor Authentication (MFA) to dramatically increase the security of your corporate network.

Recover After Attack

Ransomware attacks come with high reputational and financial costs. You have to ensure that your critical infrastructure and lost data can be rapidly restored after a potential ransomware incident. Here’s what you can do now to facilitate the restoration of stored data and prepare your company for future ransomware events:

  • Make an incident recovery plan
  • Create and secure data backups
  • Test your restoration strategy
  • Keep a list of contacts

Make an incident recovery plan. Your incident recovery plan should outline the priority of recovery. Restore your critical resources first to ensure the continued operability of your services. After you finish your incident recovery plan, you should test it to find loopholes and possible ways of improving it. Testing your plan gives your employees a better understanding of their role in the plan.

Remember that you must perform frequent backups of your data. Backups should be immutable, secure, and kept offline to prevent the possibility of a ransomware attack infecting the backup.

Finally, you should create and manage a list of external and internal contacts you can notify in the event of a ransomware incident. The contact list should include law enforcement, incident response sources, and legal counsel.

MFA Is Your #1 Prevention Tool Against Ransomware

While regular backups, an incident recovery plan, and other tips described in this article are all essential tools for ransomware attack prevention and remediation, Multi-Factor Authentication (MFA) may be the most important of them all, especially if you couple Multi-Factor Authentication with Adaptive Authentication (Risk-Based Authentication) and abide by the principles of Zero Trust.

Ransomware represents a clear and present danger to companies from all sectors. Do not wait until the bad guys access your network. Start a Free 30-Day Trial of Rublon Multi-Factor Authentication today.
