Ransomware Prevention
By Matt Komac, Assistant Director - PC Pool Operations
Ransomware attacks are on the rise, and they are targeting schools due to the sensitive information and important records they possess. A ransomware attack is thus one of the most disruptive and costly incidents a School District can suffer. Aware of these risks and their costs, Beazley – MSGIA’s Cyber carrier – along with Lodestone Security, has developed the following best practices to help you prevent these incidents from occurring.
Ransomware Life Cycle
1. Initial compromise of your environment
· Criminal groups target your organization with a phishing campaign, and malware is successfully delivered to one of your unsuspecting users via a malicious email attachment or web link.
2. Malware is installed
· The user opens the attachment or clicks on the link, and the malware is unknowingly installed on the user’s PC. The attackers now have a foothold in your environment. Using this foothold, the hackers explore your network undetected, looking for vulnerable systems and sensitive data.
3. Ransomware is deployed
· The criminal group has achieved the access they need and can deploy a strain of ransomware, which spreads across your network encrypting indiscriminately. The attackers have now encrypted your data and are in control.
4. Extortion
· The attackers then demand money, commonly bitcoin, for the decryption key. Without proper backups (which hopefully weren’t also compromised), your data could be lost forever.
Protecting Your School District Against Ransomware - Minimum Controls
· Deploy and maintain a well-configured and centrally-managed anti-virus solution: A robust anti-virus solution is a basic component of any security program.
· Email tagging: Tag emails from external senders to alert employees of emails that originate outside your school.
· Email content and delivery: Enforce strict Sender Policy Framework (SPF) checks for all inbound email messages verifying the validity of sending organizations. Filter all inbound messages for malicious content, including executables and macro-enabled documents.
· Office 365 add-ons and configuration: Enable two-factor authentication and use Office 365 Advanced Threat Protection.
· Macros: Disable macros from automatically running, especially if they are not needed.
· Patching: Rapidly patch critical vulnerabilities across endpoints and servers.
· Media usage controls: Put in place controls on the insertion and/or use of media that does not carry appropriate authentication/media identifiers.
· Well-defined and rehearsed incident response process: Helps mitigate losses and rapidly restores business operations after a ransomware attack.
· Back-up key systems and databases: Ensure regular back-ups, which are verified and stored safely online. Please check backups regularly!
· Educate your users: Most attacks rely on users making mistakes; so, be sure to train your users to identify phishing emails that use malicious links or attachments.
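The SPF check called for under "Email content and delivery" works by comparing the connecting mail server's IP address against the policy the sending domain publishes in DNS. The following is an added illustration, not code from MSGIA, Beazley or Lodestone; the domain names and the DNS records are constructed stand-ins for real lookups, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS TXT records standing in for real DNS lookups (assumption:
# a district domain "example-district.org" that delegates to a mail host).
DNS_TXT = {
    "example-district.org":
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example":
        "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain):
    """Return the domain's SPF record from the constructed table, or None."""
    rec = DNS_TXT.get(domain, "")
    return rec if rec.startswith("v=spf1") else None

def check_spf(sender_ip, domain, depth=0):
    """Evaluate sender_ip against domain's SPF policy.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:              # RFC 7208 limits include: recursion
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"           # no policy published: nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"         # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":       # catch-all: "-all" is the strict setting
            return result
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # membership test returns False on a v4/v6 version mismatch
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            if check_spf(sender_ip, arg, depth + 1) == "pass":
                return result
        # a, mx, exists, ptr would need further DNS; not modelled here
    return "neutral"            # no "all" term: RFC 7208 default result

def should_reject(sender_ip, domain):
    """Strict enforcement as the newsletter recommends: reject on hard fail."""
    return check_spf(sender_ip, domain) == "fail"
```

A mail gateway enforcing "strict SPF" rejects messages whose envelope sender domain returns fail; softfail and neutral are usually tagged or quarantined rather than dropped.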
Baseline Measures for Stronger Protection
· Establish a secure baseline configuration: Malware relies on finding gaps to exploit. A baseline configuration that conforms to technical standards such as the Center for Internet Security benchmarks can help plug those gaps.
· Filter web browsing traffic: Web-filtering tools help to prevent users from accessing malicious websites.
· Use protective DNS: This helps deny access to known malicious IP addresses on the internet.
· Manage access effectively: Ransomware doesn’t have to go viral in your school. Put in place appropriate measures for general user and system access across your network. Put in place appropriate measures for privileged access to critical assets (servers, endpoints, applications, databases, etc.). Enforce multi-factor authentication where appropriate.
· Regular testing of back-ups: Reduces downtime and data loss in the event that you need to restore back-ups after a successful ransomware attack.
· Disconnect back-ups from your school network: Prevents back-ups from being accessed and encrypted by ransomware in case of a successful attack on your main network.
· Separately stored unique back-up credentials: Prevents bad actors from accessing and encrypting back-up data.
Practices That Will Provide the Best Protection
· End-point detection and response (EDR) tools: EDR solutions monitor servers, laptops, desktops, and managed mobile devices for signs of malicious or unusual activity. These solutions also enable nearly immediate responses by trained security experts. When effectively deployed and monitored, EDR tools are one of the best defenses against ransomware and other malware attacks.
· Comprehensive centralized log monitoring: The centralized collection and monitoring of logs – using a Security Information and Event Management (SIEM) system – identifies threats that breach your internal defenses.
· Subscription to external threat intelligence services: Provides access to external services that supply details of developing attacker tactics, techniques and procedures. They also provide access to databases of known-bad websites, mail attachments, etc.
· Encrypted back-ups: Prevent the use of back-up data by bad actors if accessed in a breach.
· Network segregation: Access controls implemented within the network environment to limit access and/or traffic flow. A well-configured firewall ruleset ensures that only the required traffic can flow from one segment to another.
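EDR and centralized log monitoring catch the "encrypting indiscriminately" stage described in the Ransomware Life Cycle by spotting behaviour no normal user exhibits. The following is an added example, not code from MSGIA or its carrier: a simple detection that runs over constructed file-server audit lines and flags an account that renames many files to a new extension within a short window. The log format, field names and threshold are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed file-server audit lines (not from any real product); each line
# is a UTC timestamp followed by space-separated key=value fields.
SAMPLE_LOG = """\
2024-03-05T08:00:01Z host=FS01 user=jdoe op=WRITE path=/shared/notes.txt
2024-03-05T08:00:05Z host=FS01 user=msmith op=RENAME path=/shared/a.docx new=/shared/a.docx.locked
2024-03-05T08:00:06Z host=FS01 user=msmith op=RENAME path=/shared/b.xlsx new=/shared/b.xlsx.locked
2024-03-05T08:00:06Z host=FS01 user=msmith op=RENAME path=/shared/c.pdf new=/shared/c.pdf.locked
2024-03-05T08:00:07Z host=FS01 user=msmith op=RENAME path=/shared/d.pptx new=/shared/d.pptx.locked
2024-03-05T08:00:08Z host=FS01 user=msmith op=RENAME path=/shared/e.jpg new=/shared/e.jpg.locked
2024-03-05T08:00:09Z host=FS01 user=msmith op=WRITE path=/shared/README_DECRYPT.txt
2024-03-05T08:30:00Z host=FS01 user=jdoe op=RENAME path=/shared/draft.docx new=/shared/final.docx
"""

def parse_line(line):
    """Turn one audit line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for item in fields:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec

def detect_encryption_bursts(log_text, window_s=60, threshold=5):
    """Alert on (user, host) pairs that rename >= threshold files to a
    different extension within window_s seconds (bulk-encryption pattern).
    An ordinary rename that keeps the extension (draft.docx -> final.docx)
    is ignored, which keeps normal user activity out of the alert."""
    renames = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("op") != "RENAME":
            continue
        old_ext = rec["path"].rsplit(".", 1)[-1]
        new_ext = rec["new"].rsplit(".", 1)[-1]
        if old_ext != new_ext:
            renames[(rec["user"], rec["host"])].append((rec["ts"], new_ext))
    alerts = []
    for (user, host), events in renames.items():
        events.sort()
        for i, (start, ext) in enumerate(events):   # sliding window scan
            burst = [e for e in events[i:]
                     if (e[0] - start).total_seconds() <= window_s]
            if len(burst) >= threshold:
                alerts.append({"user": user, "host": host, "count": len(burst),
                               "ext": ext, "start": start.isoformat()})
                break
    return alerts
```

In a SIEM this logic becomes a correlation rule keyed on user and host; the alert is the trigger for the rehearsed incident response process to isolate the account and the endpoint.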