Seven Steps to Protect Against Ransomware

By Clinton Pownall, President & CEO, Computer Business

As we prepare to enter a new year, I’m going to share some advice that could spare you vast misery and expense—tips on how to protect your IT resources from the threat of ransomware.

Recently I wrote about the unfortunate uptick in ransomware—in which a hacker or other bad actor gains access to your network and encrypts all of your data, making it unusable unless a ransom is paid, and assuming they follow through by sending you the digital key to decrypt your data. More recently, I provided a closer look at ransomware attacks and how they have changed over time. So, we all know ransomware is out there. Unfortunately, because of automated programs, you can be attacked regardless of how out of the way you might think your business is. (Who would want to attack my little business?) With automated malicious software (malware) attacks, the phishing e-mails and other attack vectors can simply be put on fast forward, ready to infect anyone who happens to open a malware link.

All of this means that protection is mission critical. You must do all you can to ensure your IT resources are secure—and securely backed up. What follows are seven steps to protecting against ransomware and other forms of malware and bad actors.

Step 1: Ensure All Systems are Up to Date and Properly Patched

It is absolutely essential to make sure that all of your operating systems (for backend servers, desktops, laptops, cell phones, and other devices) are current and fully patched, as are all of your applications and related utilities—including things as innocuous-seeming as printers, monitors, and any other devices that connect in any way to your network, including the full realm of the Internet of Things (IoT). Software vulnerabilities are discovered with distressing regularity. Once a vulnerability is discovered, there is a race for the software vendor to release a security patch before it can be exploited. Unfortunately, applying the patches often requires user intervention. This means that unless you have a full-time IT staff monitoring 24×7 for system upgrades and security patches, you should look into managed IT security providers who can do that work for you.

Step 2: Restrict Remote Access

Paying close attention to securing remote access is especially important today, during the Covid-19 pandemic, as more people are currently working on computers from home than at any other point in history. Hackers and other bad actors are taking advantage of this—assuming (and often correctly so) that security gaps have opened during the rush to get everyone connected from home to an organization’s backend systems. Some basic steps include:

  • Use Virtual Private Network (VPN) for remote access. A VPN enables users to create a secure connection between home devices and network resources. A VPN is especially important when using Wi-Fi connections.
  • Disable all access to and use of remote access programs such as LogMeIn, TeamViewer, and AnyDesk—unless they have been specifically and securely set up for targeted use. This isn’t to say that any of the above are insecure when properly configured; it is just that all such access points should be turned off by default, and only used on a permitted basis with secure configuration and use assured. The reason for caution is that such applications enable remote control and desktop sharing. These are powerful tools that are often used by Help Desk teams to remotely resolve issues for users. But that same remote access can be exploited by hackers and other bad actors.
  • Restrict what remote users can access for both ports and devices. Remote users should be granted least-privilege access, which is to say they should only be able to access the resources (data, applications, ports and devices) required for their work. This can be applied through user authentication, directory policies, and other measures. The key is that if a hacker breaks into a user’s account, you need to limit what they can do with that access.

Step 3: Implement a Robust Backup & Disaster Recovery System

The best way to escape a ransomware attack is to have all of your data—as well as your applications—securely backed up to multiple locations. The attacker may still threaten to post all of your data online, but the key element of their threat disappears. You don’t need to pay them to restore your data, because you can do that on your own—from your robust, and well-tested, backup and disaster recovery system. But it isn’t enough to just back up your data. There are sad stories of backups being stored on the same network that was broken into—meaning that the backups were also encrypted. There should be multiple backups, at multiple locations—including cloud-based resources that can’t be touched by a ransomware attack. Backups should include a complete image of your infrastructure, including all of your applications and their current status with regard to system upgrades and security patches. If you don’t have in-house security personnel, I suggest working with a security consultant who can help you craft a backup and disaster recovery plan that can withstand attacks.

Step 4: Enforce Strong Password Policies

Someday we will move beyond passwords, to stronger forms of identity authentication, but until that day comes, it is essential that organizations enforce strong password policies. Strong password policies require:

  • Cannot reuse the last 12 passwords
  • Users must change their password every 60-90 days
  • Minimum password length of 10 characters
  • Accounts will be locked for 5 minutes if the password is entered incorrectly 5 times in a row
  • Complex passwords require:
    • Cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
    • Must contain characters from three of the following four categories:
      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Numbers (0 through 9)
      • Non-alphabetic characters: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , . /
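As an added example (not code from the article), here is a Python check that applies the Step 4 length, complexity, name and 12-password history rules to a candidate password; the account names, full names and passwords it uses are constructed.

```python
# Added example, not from the article: applies the Step 4 rules (length,
# complexity, name checks, 12-password history) to a candidate password.
# Account names, full names and passwords below are constructed.
import hashlib

MIN_LENGTH = 10     # "Minimum password length of 10 characters"
HISTORY_DEPTH = 12  # "Cannot reuse the last 12 passwords"
SPECIALS = set("`~!@#$%^&*()_+-={}|\\:\";'<>?,./")  # the listed symbols

def name_fragments(full_name):
    """Parts of the full name that 'exceed two consecutive characters';
    shorter parts such as initials are ignored, as the Windows rule does."""
    for part in full_name.replace(",", " ").replace(".", " ").split():
        if len(part) >= 3:
            yield part.lower()

def category_count(pw):
    """Number of the four character categories the password draws from."""
    return sum([
        any("A" <= c <= "Z" for c in pw),
        any("a" <= c <= "z" for c in pw),
        any("0" <= c <= "9" for c in pw),
        any(c in SPECIALS for c in pw),
    ])

def history_digest(pw):
    # Demo only: a real directory keeps history as salted password hashes.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def check_password(pw, account_name, full_name, history):
    """Return the rules the candidate breaks (empty list = compliant).
    history: digests of the user's previous passwords, oldest first."""
    low, problems = pw.lower(), []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if account_name and account_name.lower() in low:
        problems.append("contains account name")
    if any(frag in low for frag in name_fragments(full_name)):
        problems.append("contains part of full name")
    if category_count(pw) < 3:
        problems.append("fewer than three character categories")
    if history_digest(pw) in history[-HISTORY_DEPTH:]:
        problems.append("reuses one of last 12 passwords")
    return problems

if __name__ == "__main__":
    old = [history_digest(f"Winter{n}!pass") for n in range(13)]
    print(check_password("Winter12!pass", "jsample", "Jane Q. Sample", old))
```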

Step 5: Encrypt Your Data in Motion and At Rest

Ideally encryption is used throughout your organization—or at least for sensitive data. The Wall Street Journal ran an article, “Why Don’t Companies Just Encrypt All Their Data? It Isn’t So Simple,” which looked at the security boost encryption provides, while also looking at the potential downside, such as slower processing time as data needs to be decrypted before it is used. I feel that encryption should at least be used as part of an organization’s backup and disaster recovery plans. Data should be encrypted before it is transmitted to each backup resource and remain encrypted until needed. That way, if it is intercepted en route, or hacked into while in storage, there is nothing for the hacker to steal. It’s important to note, however, that encrypting your own data doesn’t protect you from a ransomware attack re-encrypting your data so that it is no longer usable.

Step 6: Educate Users About Phishing

This is the obvious one, but user error remains the foundation of the social engineering behind ransomware attacks. All it takes is one user clicking on an e-mail link or on a phony pop-up screen telling them they have been attacked by a virus and instructing them to click a button to undo it . . . or instructing them to click to update software, or for a spectrum of other reasons. Phishing attacks, and the more finely tuned spear phishing attacks, can also come via text messages or through phone calls. Someone on the phone, for instance, could claim to be from the organization’s IT group, and claim they need to be given remote access to the user’s device to correct a problem. So, education about phishing basics, as well as the latest phishing implementations, is an ongoing need.

Step 7: Find a Business Partner for Your IT Security Needs

As mentioned earlier, unless you have a world-class IT security team monitoring your resources 24×7 to detect attacks, respond to new security releases, and ensure all systems are up to date—and backed up—you would do well to get help. Today’s IT Managed Service Providers must be proactive in their ability to assess and prevent new threats. An innovative and systematic approach to security is necessary. Very few IT companies can meet those requirements, so make sure you choose a partner with a long track record of implementing IT security and backup systems.

Clinton Pownall is the President & CEO of Computer Business Consultants and has been in the IT field since 1990. Pownall served in the U.S. Navy for six years as a Weapons Systems Technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications. Pownall serves on several boards and committees, has a strong affiliation with various education groups and local school districts, and served in regional efforts of the Bill & Melinda Gates NextGen Foundation. He serves as a Vice President of the Board of Directors for the Orlando Shakes Theater and is heavily involved in the South Lake Chamber of Commerce, West Orange Chamber of Commerce, and the Orlando Economic Partnership.
