Feature by Mr. J. Tate, Chief Intelligence Officer, bits&digits, on Peerlyst.com, published June 2017.
I replied recently to a Peerlyst user’s post about some of the best technologies to prevent Ransomware or Malware infection. I felt the response was worth posting here as a STICK TO THE BASICS note.
Last night, I was asked a question by an information security group here in South Carolina, and I found myself learning more than teaching while giving my response on Malware prevention.
Ransomware protection is not something any business owner or IT Sec professional can “BUY.” This has been a problem in the industry for some time. The Cyber Security Company world has falsely advertised the assumption that a “Press and Forget” mentality can work.
The first steps to protecting your organization from Ransomware or other serious infections are simple (in theory).
STICK to the BASICS
1. Ensure that you practice patch management CORRECTLY. Before anyone here says “DUH,” let me explain what Correctly means. If you dare, try this one simple drill. Ask:
- Your Patch Manager for an output of ALL of the machines within the inventory of the Patch Management Solution your company is using.
- The Configuration Management team for a spreadsheet of their Inventory List.
- Your Best System Administrator for a list of all of the computers within their system administration tool database.
- The IT Procurement department for a list of ALL inventoried machines across the ENTIRE landscape of your organization. (Include Remote Offices and Satellite Locations.)
Take the above 4 lists. If you have 0% discrepancy in this drill, I ask that you call me and tell me who you work for, because I’ll need to inform the world that you are the first. Usually, there is a discrepancy in Coverage. Most in the DoD or HealthCare space noticed this problem trying to deploy DAR (Data At Rest - Whole Disk Encryption) for mobile devices. Again, it’s not the 98% that’s protected that gets you hit; it’s the 2% that does.
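As an added example (not code from the post or from bits&digits), here is a small Python script that runs the four-list drill above on constructed sample inventories and reports which machines each source is missing; the hostnames and source names are hypothetical.

```python
from collections import defaultdict

# Constructed sample inventories (hypothetical hostnames, not from the post).
# The same machine often appears with different case or an FQDN in each tool.
PATCH_MGMT = ["HR-PC01", "FIN-PC02", "ENG-LT07", "DC01"]
CMDB = ["hr-pc01.corp.example", "fin-pc02", "eng-lt07", "dc01", "remote-kiosk01"]
SYSADMIN = ["HR-PC01", "FIN-PC02", "ENG-LT07", "DC01", "REMOTE-KIOSK01", "old-print-srv"]
PROCUREMENT = ["HR-PC01", "FIN-PC02", "ENG-LT07", "DC01", "REMOTE-KIOSK01",
               "OLD-PRINT-SRV", "SAT-OFFICE-PC03"]


def normalize(name):
    """Fold case and drop any domain suffix so the same box matches across tools."""
    return name.strip().lower().split(".")[0]


def reconcile(sources):
    """Compare every list against the union of all lists.

    Returns the total distinct machines, the hosts each source is missing,
    each source's coverage percentage, and whether the drill came out at 0%.
    """
    seen_in = defaultdict(set)  # normalized host -> set of sources listing it
    for src, hosts in sources.items():
        for h in hosts:
            seen_in[normalize(h)].add(src)
    universe = set(seen_in)
    gaps = {src: sorted(h for h in universe if src not in seen_in[h]) for src in sources}
    coverage = {src: round(100 * (len(universe) - len(gaps[src])) / max(len(universe), 1), 1)
                for src in sources}
    return {"total": len(universe), "gaps": gaps, "coverage_pct": coverage,
            "zero_discrepancy": all(not g for g in gaps.values())}


def run_drill():
    """Run the drill on the constructed sample data."""
    return reconcile({"patch_mgmt": PATCH_MGMT, "cmdb": CMDB,
                      "sysadmin": SYSADMIN, "procurement": PROCUREMENT})


if __name__ == "__main__":
    r = run_drill()
    print(f"{r['total']} distinct machines across all four lists")
    for src, missing in r["gaps"].items():
        print(f"{src:12s} coverage {r['coverage_pct'][src]:5.1f}%  missing: {missing or 'none'}")
```

The machines that show up only in procurement or the sysadmin tool are exactly the "2%" the post warns about: they exist, but the patch management solution has never seen them.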
What does your company do with regard to segmentation and network isolation to contain threats? This is not necessarily a mitigation, but a containment strategy for the topic at hand. It also ensures your UTM, AV, or other Security Solutions are managed within comfortable zones… Basics, remember?
We all know the number one vector of intrusion for these nasty bugs is web browsing and email. The Info-Sec community has already spent so much time organizing a chart of file and attachment types used for payload droppers, so why reinvent the wheel or spend more time getting a new Next Generation device, when you could start working on Mail containers for attachments instead?
#KnowThySelf – Know Thy Organization
If your AV or Mail Engineers know, by interview or due process, that (for example) anyone in HR has no reason to accept .CPL files, then why isn’t there a block in place for such attachments in that department? Using the same train of thought, why would ANYONE need to receive a .CPL file? (Not even a System Admin needs this sent via email.)
Again, we can go deeper down the rabbit hole. Perhaps I’ll write a more verbose mitigation strategy report for ransomware prevention; it’ll explain why the basics are most important. Most of the post-breach clients of bits&digits were exploited through some “exception” that someone up the chain of command wanted in order to make their lives easier. Check those diligently.