HOW TO PROTECT AGAINST RANSOMWARE
According to today's (Sunday May 14, 2017) statistics, over 200,000 businesses in over 200 countries have been hit by the most recent ransomware. This malware was able to take advantage of a vulnerability in the Windows operating system–at least on systems that had not been updated in the past month.
But more attacks are coming. The question is: How do I and my business protect our systems against ransomware (and other malware) attacks?
There is an endless race between cyber criminals and cyber security experts. The criminals look for zero-day exploits (system or application vulnerabilities that have not yet been discovered and resolved by either the security experts or the product developers), and the security experts and product developers are trying to patch security vulnerabilities before the criminals find them.
In this particular case, the vulnerability had been patched by Microsoft over a month ago. If a computer system is kept up to date, the vulnerability has been fixed, and the ransomware will have no effect on the computer.
- This gives us the first thing that must be done to maintain security–keep all systems and applications up to date. US-CERT (the good folks responsible for developing best practices to help keep our systems secure) now recommends updating systems and applications as soon as possible. Now, that isn't as concrete as I would have put it, but it works.
- Always log in with a non-administrator account. In many cases, malware runs with the privileges of the logged-in user. If the user is logged in with an administrative account, the malware has administrative privileges–such as the ability to modify the operating system.
- Restrict knowledge of administrative passwords to only those with the knowledge and skills to properly use them. Within a business environment, this means only IT department and some leadership personnel know the administrator passwords. This helps to prevent users from logging in as an administrator, as well as preventing otherwise well-intentioned users from inflicting unintentional damage by authorizing the installation of malicious software.
- Designate only one person or one team to support the IT infrastructure. Yes, even with computer systems, too many chefs spoil the broth. Different experts have different support strategies. Each may work well by itself, but conflict with others. Choose a qualified person or team to provide your routine maintenance, repair, and needs assessments.
- Store all data on encrypted devices. This includes not only the boot device, but secondary, external, and backup devices as well. This helps prevent data from being accessed by unauthorized persons.
- Maintain at least one on-site and one off-site backup. If a computer becomes infected, the infection will attack any attached backup device. Keeping a backup off-site helps ensure it stays intact.
- Use only strong passwords. The definition of a strong password is a hotly debated topic. Currently, US-CERT specifies a minimum of 15 characters. It is also recommended to have at least one each of lower case, upper case, numeric, and special characters.
- Use unique passwords. Should a criminal gain access to your Facebook password, and it happens to be the same used with your bank account, there is a much better chance the criminal will be driving a new Tesla next week than you.
- All IT equipment must pass a security audit before accessing your network or other IT equipment. This includes phones, USB thumb drives, tablets, and anything else that can connect to your Wi-Fi or Ethernet network.
- All non-business IT equipment must be on a separate network. If your business allows guests to access a Wi-Fi network, set up a separate guest network. The same is true for staff who use their personal phones or equipment. As you have no control over the integrity of these systems, they cannot be allowed on the company network. But a guest network keeps the two separated.
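The two password rules above (the 15-character, four-class policy and the "never reuse a password" rule) can be turned into a quick audit. The following is an added example, not code from the original post; the account names and passwords in it are constructed sample data, and the reuse check compares plaintext only for illustration (a real audit would work from a password-manager export or stored hashes).

```python
import string
from collections import defaultdict

# Policy as stated in the post: at least 15 characters and at least one
# lower-case, upper-case, numeric and special character.
MIN_LENGTH = 15
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def policy_violations(password: str) -> list[str]:
    """Return the policy rules a password fails (empty list = compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    chars = set(password)
    for name, members in CLASSES.items():
        if not chars & members:
            failures.append(f"missing {name} character")
    return failures


def reused_passwords(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Map each password shared by more than one account to those accounts."""
    by_password = defaultdict(list)
    for account, password in credentials.items():
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


# Constructed sample credentials (hypothetical accounts, not real data).
SAMPLE = {
    "facebook": "Summer2017!",                 # too short, and reused below
    "bank": "Summer2017!",                     # same password as facebook
    "email": "correct-Horse-battery-9",        # meets every rule
    "vpn": "longbutonlylowercaseletters",      # long, but only one class
}

if __name__ == "__main__":
    for account, pw in SAMPLE.items():
        print(f"{account}: {policy_violations(pw) or 'compliant'}")
    print("reused:", reused_passwords(SAMPLE))
```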