Following these 40 safeguards from the Institute for Security and Technology will help protect SMBs from ransomware and other malware attacks
The Institute for Security and Technology (IST) recently released a “Blueprint for Ransomware Defense.” The guide includes recommendations of defensive actions for small- and medium-sized businesses (SMBs) to protect against and respond to ransomware and other common cyberattacks. It focuses on the identify, protect, respond, and recover format that aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. IST’s guidelines do not include one item from the NIST framework: the detect function. The authors recommends that SMBs should work with a cybersecurity services provider for that function.
The recommendations are built around safeguards, including 14 foundational and 26 actionable safeguards.
Safeguards to identify what’s on your network
IST recommends the following foundational safeguards to help identify what on your network needs protecting:
- Establish and maintain a detailed enterprise asset inventory.
- Establish and maintain a software inventory.
- Establish and maintain a data management process.
- Establish and maintain an inventory of accounts.
SMBs may need more guidance to understand the risk that comes with their computers and software. Many use older technology because it’s needed for critical line-of-business applications. It’s not enough to inventory my assets; I need to evaluate the risks that I have because I am still using older assets and older software.
The actionable safeguard is to ensure that authorized software is supported.
Safeguards to protect network infrastructure
The next recommendations cover how to protect those assets:
- Establish and maintain a secure configuration process.
- Establish and maintain a secure configuration process for network infrastructure.
- Establish an access granting process.
- Establish an access revoking process.
- Establish and maintain a vulnerability management process.
- Establish and maintain a remediation process.
- Establish and maintain a security awareness program.
Workstations in SMBs use insecure passwords or don’t provide proper protection for both local access and remote access. Attackers often get in via remote desktop access or by cracking local administrator passwords that are the same across the network. Worse yet is when users don’t use appropriate access to the network. SMBs are often set up with domain administrator rights. Review how you have deployed passwords and regardless of whether you have a traditional domain and workstation setup or cloud and web applications, review your options for multi-factor authentication (MFA).[ REGISTER NOW for CIO 100: Symposium & Awards Conference, August 15-17 ]
Next, review how you manage and patch your computing resources. It’s not enough to rely on Windows Update to manage the updates on your computer systems. Review your options for maintaining and deploying updates.
Training your employees to not click is one of the best things you can do to protect your network. No matter what protections you put in place, the best defense is an educated end user that doesn’t click and asks if the item is legitimate. Even if you don’t have a formal phishing training program, make sure users are aware of the normal scams and attacks.
As the whitepaper notes:
“While ransomware has a variety of initial infection vectors, three vectors constitute the bulk of intrusion attempts: use of the Remote Desktop Protocol (RDP) – a protocol used to remotely manage Windows devices, phishing (typically malicious emails that appear to come from reputable sources but aim to steal credentials or sensitive information), and exploitation of software vulnerabilities. Hardening assets, software, and network devices defends against these top attack vectors and closes security gaps that may linger from insecure default configurations. Failure to disable/remove default accounts, change default passwords, and/or alter other vulnerable settings increases the risk of exploitation by an adversary. Safeguards in this section call for SMEs to implement and manage a firewall on servers and manage default accounts on enterprise networks and systems.”
The recommended actionable safeguards are:
- Manage default accounts on enterprise assets and software.
- Use unique passwords.
- Disable dormant accounts.
- Restrict administrator privileges to dedicated administrator accounts.
- Require MFA for externally exposed applications.
- Require MFA for remote network access.
- Require MFA for administrative access.
- Perform automated operating system patch management.
- Perform automated application patch management.
- Use only fully supported browsers and email clients.
- Use DNS filtering services.
- Ensure network infrastructure is up to date.
- Deploy and maintain anti-malware software.
- Configure automatic anti-malware signature updates.
- Disable autorun and autoplay for removable media.
- Train workforce members to recognize social engineering attacks.
- Train workforce members on recognizing and reporting security incidents.
Safeguards for incident response
SMBs too often overlook the next set of recommendations regarding incident response:
- Establish and maintain an enterprise process for reporting incidents.
- Establish and maintain an audit log management process.
Firms often want their systems back to functional levels as soon as possible after a security event, so it’s uncertain whether some SMBs will establish a process to report incidents. I also have doubts that the typical SMB has the storage or the resources to truly enable is a log management process. My recommendation would be to investigate a cloud service that accumulates and alerts you to unusual events on a network. Logging alone is not enough if you don’t understand what the logging is trying to tell you. A service that allows you to correlate these events and alert you to potential problems is preferable.
Actionable safeguards for incident response are:
- Designate personnel to manage incident handling.
- Establish and maintain contact information for reporting security incidents.
- Collect audit logs.
- Ensure adequate audit log storage.
Safeguards for recovery after a cyberattack
Ransomware can easily be overcome with a very boring process: a backup. The foundational safeguard the framework recommends is to establish and maintain a data recovery process. These are the recommended recovery safeguards:
- Perform automated backups.
- Protect recovery data.
- Establish and maintain an isolated instance of recovery data.
SMBs might not have thought out or tested their recovery processes. Backups might not work as expected or in the case of ransomware, not tested from the stance that the network will be rebuilt.
The blueprint document includes a link to recommended tools and resources. The tools listing can be daunting to any firm that does not have IT experience, so I’d also recommend using the toolkit to review the tools used by your consultants. Discuss what processes they use and see if they have comparable resources.
Actionable safeguards for recovery are:
- Perform automated backups.
- Protect recovery data.
- Establish and maintain an isolated instance of recovery data.
¡Comparte esta entrada, elige tu plataforma!
Relacionados
“Solo 12% de las empresas que sufrió ataques en el último año implementó medidas preventivas de ciberseguridad”
Las violaciones de datos están en aumento y ninguna organización está a salvo de ciberataques, fugas o manipulaciones de información Por Ricardo Arellano de Cybertrust Latam Las violaciones de datos están en aumento y ninguna organización está a salvo de ciberataques, fugas o manipulaciones de información. Esto se debe, en parte, a la movilidad de
Ransomware Akira: La amenaza que evoluciona en las sombras
No podía pasar por alto mi artículo semanal, y como ya es costumbre, hoy te traigo un análisis detallado sobre uno de los actores de amenazas más notorios en el ámbito de la ciberseguridad: el ransomware Akira. Desde su aparición en marzo de 2023, estos ciberdelincuentes han logrado extorsionar alrededor de 42 millones de dólares
Crecen más de 60% los ataques de ransomware en México
El nuevo informe de Palo Alto Networks, descubrió que los ataques de ransomware se han convertido cada vez más en una forma sofisticada de delito cibernético que puede poner en peligro a grandes empresas, agencias gubernamentales e infraestructuras críticas. El estudio de Unit 42, grupo de investigadores de amenazas, personal de respuesta ante incidentes y consultores de seguridad
2 MANERAS EN QUE TU TARJETA SIM PUEDE SER HACKEADA (Y CÓMO PROTEGERLA)
Probablemente sepas que el sistema operativo de tu smarpthone debes actualizarlo regularmente para protegerlo contra vulnerabilidades de seguridad. Pero tu tarjeta SIM también puede ser una fuente de vulnerabilidades de seguridad. Aquí te mostraré algunas formas en que los hackers pueden usar las tarjetas SIM para obtener acceso a los dispositivos, y consejos sobre cómo puedes
Los usuarios “descuidados” son la primera causa de perdida de datos
Los resultados de un estudio ponen de manifiesto que los empleados despistados o malintencionados son responsables de la gran mayoría de los incidentes relacionados con los datos en las organizaciones. El estudio elaborado por Proofpoint Data Loss Landscape analiza cómo los enfoques actuales de prevención de pérdida de datos (DLP) y amenazas internas están adaptándose a los
Chilango Leaks: hackers de Mexican Mafia ‘desnudan’ al gobierno de CDMX
Piratas informáticos robaron correos de dependencias como el Heroico Cuerpo de Bomberos, Secretaría de Obras y Servicios, Procuraduría Social, entre muchas otras El gobierno de la Ciudad de México fue atacado a través de una vulnerabilidad que desde 2019 se advirtió y que, pese a constantes avisos, no se resguardó de manera adecuada. De esta manera, hackers