Aaron Greene

asked on

Balancing Security and Accessibility

I work as a programmer for a Systems Integrator for municipal water and wastewater organizations in the Midwest. Lately, we have been faced with multiple instances of ransomware infecting our client computers that are exposed to the internet. The majority of our client computers operate within closed networks that are not accessible to the outside internet, but some of our smaller customers rely on us for day-to-day support. We have been using TeamViewer for this for the last two years. My question is, since these computers are exposed to the internet, what security measures can we take to allow us to connect to the client remotely while securing them against malware, ransomware, etc.? Note: We do not have a dedicated security engineer.
John

Ransomware comes via emails.  

The best defense is a top grade spam filter.
Then employee training: Do not open emails from strangers. Do not click on enticing links. Do not visit dodgy websites.
Finally, have a nightly backup routine that captures all of the prior day's work.
David Favor
What John said, "Ransomware comes via emails."

To protect against Ransomware requires a few simple policies...

1) Make nightly backups.

2) Train people to avoid opening ransomware payloads in emails.

3) Block suspicious attachments, using a hardcore spam filter (John said this too).

If people continually click on links + install Malware/Ransomware on their computers, the only fix is a full restore of a backup.
Hi there! :)

In addition to what @John and @David Favor have mentioned, I will provide a brief overview of a few standards any business can and should follow to prevent the maximum potential damage posed by such foreign objects.

1. Store multiple copies of the latest backed-up files and folders on external hard drives.
2. Inform employees not to provide personal information to any unidentified email or call based on your organization's business and transaction history. The perpetrators are discerning enough to only send such things to vulnerable users and systems. Subsequently, you will need to block suspicious downloads and unidentified devices trying to access your network.
3. On a basic level, you will need to use reputable antivirus software and a firewall. It’s important to use antivirus software from a "real" and "legal" company because of all the fake software downloads everywhere. You might even want to block certain sites based on privacy standards etc.
4. Inbound e-mails should be scanned to block and safely delete dangerous attachments, and some antiviruses do offer such a feature.
5. Ensure the operating system and all software are updated as soon as possible when there are relevant patches.
madunix
Businesses and individuals will likely continue to fall victim to ransomware because they either fail to exercise good habits of Internet use or because their ANTI-X solutions are out of date or ineffective.

Beware: the most significant challenge organizations face is adequately training staff in the new techniques and methods hackers use to exploit people and technology. If people are not aware of a situation or scenario, it's impossible to defend against it. It is essential to build a foundation of awareness, but also to acknowledge that training. Learning best practices and good cybersecurity is critical, but it must be continuous to identify new types of techniques, attacks, and social engineering attempts. The entire organization must move together in a deliberate step to improve its security posture. Without appropriately trained and skilled staff, the technology and processes they are involved in become ineffective.

Make sure:
- You have policy, procedures and process in place.
- You have an organized training and awareness program for your employees.
- You have written plans for business continuity and IT disaster recovery.
- Your plan is updated regularly to keep it current with hardware, software, business and staffing changes.
- Your plan is tested, and how often is the plan tested? Annually? Semi-annually?
- You test your plan using a worst-case scenario.
- You have a recovery strategy? Hot, warm, cold or offline sites?
- You test your offline back-up media.


https://www.experts-exchange.com/articles/33451/Building-a-Robust-Security-Awareness-Program.html
https://www.experts-exchange.com/articles/31763/Incident-Handling-and-Response-Plan.html
https://www.experts-exchange.com/questions/29105848/Backup-Security-post-Ransomware-Incident.html?anchorAnswerId=42602937#a42602937
https://www.experts-exchange.com/questions/29135440/Formulating-a-policy-on-how-to-best-protect-against-ransomware-attacks.html?anchorAnswerId=42795371#a42795371
Email is but one way that ransomware spreads, and you can only control your corporate spam filter policy, not any private mails or media that an employee might introduce into the environment.

The best prevention for ransomware is only allowing whitelisted applications access to sensitive paths, such as My Documents, and version-controlled/air-gapped backups. Never pay the ransom, because you have no guarantee that you will actually get the decryption key, and the funds are almost always used for organized crime.

If I encrypt a file, for security or malicious intent, and I use proper encryption, the following is true:
Breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key. Fifty supercomputers that could check a billion billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space.
https://en.wikipedia.org/wiki/Brute-force_attack

Here are some articles related to security hardening that you might find useful

Get rid of over-privileged users, such as ones in DA
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html

Implement a delegation model
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html

Securely manage local admin passwords, and administrator members
https://www.experts-exchange.com/articles/31583/Active-Directory-Securely-Set-Local-Account-Passwords.html
https://www.experts-exchange.com/articles/30617/How-to-manage-local-account-passwords-from-Active-Directory-without-LAPS.html
https://www.experts-exchange.com/articles/29652/Strategy-to-centrally-manage-Local-Administrators-group-from-Active-Directory.html

Get rid of old accounts that might be used maliciously
https://www.experts-exchange.com/articles/30820/Active-Directory-Cleanup-Tool-ADCleanup.html

Implement tier-isolation to prevent tier jumps from lateral movement
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html

Create intelligent password policies
https://www.experts-exchange.com/articles/33078/How-to-create-an-Intelligent-Password-Policy-for-Active-Directory.html

Utilize host-based firewalls, Windows or otherwise
https://www.experts-exchange.com/articles/31687/Windows-Firewall-as-Code.html

Do AD password audits
https://www.experts-exchange.com/articles/29515/Active-Directory-Simple-Tier-Isolation.html

Create your file server structure using the least privilege principle
https://www.experts-exchange.com/articles/32349/FSMainFolder-Files-Server-Structure-Automation-Tool.html

and implement a security framework such as CIS
https://www.cisecurity.org/
ASKER CERTIFIED SOLUTION
masnrock

Keep online and offline backup, get 3-2-1 backups going.

User Education. Very important.

Say no to links and URLs.

Use a tool like Varonis or LepideAuditor to spot the symptoms of a ransomware attack.

Multi-factor auth for all remote access and also locally on servers - Multi-Factor Authentication (2FA) and why you should care

Lock down file server permissions to only groups that require access.

Simple things you can do to protect against ransomware attacks:

https://heimdalsecurity.com/blog/what-is-ransomware-protection/

https://www.infosecuritynorthamerica.com/__novadocuments/367633

https://expert-advice.org/security/ways-to-protect-yourself-from-ransomware-attack/
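The symptoms that file-audit tools like the ones named above look for are a burst of writes or renames from one account and mass renames to an unfamiliar extension. As an added example (not code from the thread or from any of those products), the following detector applies both checks to a constructed audit log in an assumed CSV format of timestamp,user,action,path:

```python
"""Spot ransomware symptoms in file-server audit events (added example, not
from the original thread). Assumes a constructed CSV event format:
timestamp,user,action,path  with action MODIFY or RENAME (RENAME path is the
new name). Flags accounts that exceed THRESHOLD events inside WINDOW, and
accounts that rename files to an extension outside the allow-list."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
WINDOW = timedelta(seconds=60)   # sliding window for the burst check
THRESHOLD = 20                   # writes+renames per WINDOW that is abnormal
KNOWN_EXTS = {"docx", "xlsx", "pdf", "txt", "dwg"}  # normal document types
# Constructed sample: alice works normally; bob's account touches every file
# within seconds and renames each one to a .locked copy.
NORMAL = ["2019-03-04T09:00:01,alice,MODIFY,/srv/files/budget.xlsx",
          "2019-03-04T09:03:10,alice,MODIFY,/srv/files/notes.docx"]
BURST = []
for i in range(25):
    ts = f"2019-03-04T09:05:{i:02d}"
    BURST.append(f"{ts},bob,MODIFY,/srv/files/scada{i}.dwg")
    BURST.append(f"{ts},bob,RENAME,/srv/files/scada{i}.dwg.locked")
SAMPLE_LOG = "\n".join(NORMAL + BURST)

def parse_events(text):
    """Parse CSV lines into (time, user, action, path) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    return sorted(events)

def detect_symptoms(text):
    """Return {user: set of symptom names} for accounts behaving like ransomware."""
    findings = defaultdict(set)
    recent = defaultdict(deque)   # per-user timestamps inside the window
    for when, user, action, path in parse_events(text):
        q = recent[user]
        q.append(when)
        while q and when - q[0] > WINDOW:   # drop events older than the window
            q.popleft()
        if len(q) > THRESHOLD:
            findings[user].add("burst")
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if action == "RENAME" and ext not in KNOWN_EXTS:
            findings[user].add("unknown-extension")
    return dict(findings)

if __name__ == "__main__":
    for user, symptoms in detect_symptoms(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(sorted(symptoms))}")
```

Tune WINDOW, THRESHOLD and KNOWN_EXTS to the normal write rate and file types of the share being watched; a legitimate bulk copy by a backup account will otherwise trip the burst rule.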
Aaron Greene

ASKER

Thank you very much for the wisdom. I am going to be writing a proposal for my organization and I will be utilizing all of your suggestions.