Following these 40 safeguards from the Institute for Security and Technology will help protect SMBs from ransomware and other malware attacks
The Institute for Security and Technology (IST) recently released a “Blueprint for Ransomware Defense.” The guide includes recommended defensive actions for small- and medium-sized businesses (SMBs) to protect against and respond to ransomware and other common cyberattacks. It is organized around the identify, protect, respond, and recover functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. IST’s guidelines leave out one of the framework’s five functions: detect. The authors recommend that SMBs work with a cybersecurity services provider for that function.
The recommendations are built around safeguards, including 14 foundational and 26 actionable safeguards.
IST recommends the following foundational safeguards to help identify what on your network needs protecting:
SMBs may need more guidance to understand the risk that comes with their computers and software. Many run older technology because a critical line-of-business application depends on it. It’s not enough to inventory your assets; you also need to evaluate the risk you carry because you are still running older hardware and software that no longer receives security updates.
The actionable safeguard is to ensure that authorized software is supported.
The next recommendations cover how to protect those assets:
Workstations in SMBs often use weak passwords or lack proper protection for both local access and remote access. Attackers often get in through exposed remote desktop access, or by cracking a local administrator password that is the same on every machine on the network, which lets them move from one compromised workstation to all of the others. Worse yet, users are often given more access to the network than they need; in many SMBs everyday accounts are set up with domain administrator rights. Review how you have deployed passwords, and whether you have a traditional domain and workstation setup or cloud and web applications, review your options for multi-factor authentication (MFA).
Next, review how you manage and patch your computing resources. It’s not enough to rely on Windows Update to manage the updates on your computer systems: it patches the operating system and other Microsoft products, not the third-party applications, firmware, and network devices an attacker will also target. Review your options for maintaining and deploying updates across all of them.
Training your employees not to click is one of the best things you can do to protect your network. No matter what protections you put in place, the best defense is an educated end user who doesn’t click and asks whether the item is legitimate. Even if you don’t have a formal phishing training program, make sure users are aware of the common scams and attacks.
As the whitepaper notes:
“While ransomware has a variety of initial infection vectors, three vectors constitute the bulk of intrusion attempts: use of the Remote Desktop Protocol (RDP) – a protocol used to remotely manage Windows devices, phishing (typically malicious emails that appear to come from reputable sources but aim to steal credentials or sensitive information), and exploitation of software vulnerabilities. Hardening assets, software, and network devices defends against these top attack vectors and closes security gaps that may linger from insecure default configurations. Failure to disable/remove default accounts, change default passwords, and/or alter other vulnerable settings increases the risk of exploitation by an adversary. Safeguards in this section call for SMEs to implement and manage a firewall on servers and manage default accounts on enterprise networks and systems.”
The recommended actionable safeguards are:
SMBs too often overlook the next set of recommendations regarding incident response:
Firms often want their systems back to a functional level as soon as possible after a security event, so it’s uncertain whether some SMBs will establish a process to report incidents. I also have doubts that the typical SMB has the storage or the resources to truly run a log management process. My recommendation would be to investigate a cloud service that collects logs from across the network and alerts you to unusual events. Logging alone is not enough if you don’t understand what the logs are trying to tell you; a service that correlates these events and alerts you to potential problems is preferable.
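To see what such a service actually does with your logs, here is an added example that is not part of the IST blueprint or of this article: a small correlation rule in Python run over constructed Windows Security log records. The field names, event IDs (4625 failed logon, 4624 successful logon, logon type 10 for RDP), addresses and threshold are assumptions chosen for illustration. The rule flags a source address that fails logon repeatedly within a short window, and escalates when that same source then logs on successfully over RDP, which is what a guessed password looks like in the logs.

```python
"""Correlate Windows logon events to catch an RDP password-guessing run.

Added example, not from the IST blueprint: a minimal version of the
"correlate and alert" logic the article suggests buying as a service.
The records below are constructed to resemble the fields an agent
forwards from the Windows Security log (event ID 4625 = failed logon,
4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5           # this many failed logons from one source ...
WINDOW = timedelta(minutes=10)  # ... within this window counts as guessing

# Constructed sample events (not real log data). Addresses are from the
# documentation ranges; the attacker sprays two admin account names.
SAMPLE_EVENTS = [
    {"time": "2023-05-04T02:10:01", "event_id": 4625, "user": "Administrator", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2023-05-04T02:10:03", "event_id": 4625, "user": "Administrator", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2023-05-04T02:10:05", "event_id": 4625, "user": "admin",         "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2023-05-04T02:10:08", "event_id": 4625, "user": "Administrator", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2023-05-04T02:10:11", "event_id": 4625, "user": "Administrator", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2023-05-04T02:10:14", "event_id": 4625, "user": "Administrator", "src_ip": "203.0.113.45", "logon_type": 10},
    {"time": "2023-05-04T02:10:20", "event_id": 4624, "user": "Administrator", "src_ip": "203.0.113.45", "logon_type": 10},
    # Benign: a user mistypes twice, then logs in over RDP from the office LAN.
    {"time": "2023-05-04T08:01:00", "event_id": 4625, "user": "jsmith", "src_ip": "10.0.0.5", "logon_type": 10},
    {"time": "2023-05-04T08:01:30", "event_id": 4625, "user": "jsmith", "src_ip": "10.0.0.5", "logon_type": 10},
    {"time": "2023-05-04T08:02:00", "event_id": 4624, "user": "jsmith", "src_ip": "10.0.0.5", "logon_type": 10},
    # Benign: console logon (logon type 2) with no network source address.
    {"time": "2023-05-04T09:00:00", "event_id": 4624, "user": "jsmith", "src_ip": "-", "logon_type": 2},
]


def correlate(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts.

    'medium': one source address reached `threshold` failed logons inside
              `window` (raised once per source, not once per extra failure).
    'high':   that source then logged on successfully over RDP while its
              failures were still inside the window; treat the account and
              host as compromised, not as a user who finally remembered.
    """
    alerts = []
    recent_failures = defaultdict(list)   # src_ip -> failure timestamps in window
    flagged = set()                       # sources already alerted at medium
    for e in sorted(events, key=lambda ev: ev["time"]):   # ISO-8601 sorts lexically
        ts = datetime.fromisoformat(e["time"])
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            fails = [t for t in recent_failures[ip] if ts - t <= window] + [ts]
            recent_failures[ip] = fails
            if len(fails) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "src_ip": ip, "at": e["time"],
                               "reason": f"{len(fails)} failed logons within {window}"})
        elif e["event_id"] == 4624 and e.get("logon_type") == 10:
            fails = [t for t in recent_failures[ip] if ts - t <= window]
            if len(fails) >= threshold:
                alerts.append({"severity": "high", "src_ip": ip, "at": e["time"],
                               "user": e["user"],
                               "reason": f"successful RDP logon after {len(fails)} "
                                         f"failures; treat as compromised"})
            recent_failures[ip] = []      # a success ends the guessing run
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["src_ip"], alert["at"], alert["reason"])
```

On the sample data the rule raises one medium alert at the fifth failure from 203.0.113.45 and one high alert when that address logs on as Administrator, while the two mistyped passwords from 10.0.0.5 produce nothing. A real service adds the parts this omits: collecting the events off the endpoint before an attacker can clear them, and keying on the target account as well as the source address so a slow spray across many hosts is still caught.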
Actionable safeguards for incident response are:
Ransomware can easily be overcome with a very boring process: a backup, provided it is kept where the ransomware cannot also encrypt or delete it, and you have proven you can restore from it. The foundational safeguard the framework recommends is to establish and maintain a data recovery process. These are the recommended recovery safeguards:
SMBs might not have thought through or tested their recovery processes. Backups might not work as expected, or, in the case of ransomware, might never have been tested from the stance that the entire network will have to be rebuilt before anything is restored.
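What a restore test looks like in practice, as an added example that is not part of the IST blueprint, its toolkit, or this article: a Python script that backs up a constructed directory to a tar archive with a SHA-256 manifest, restores it into a clean location the way you would on a rebuilt machine, and diffs the result against the manifest. It also shows the failure mode that most needs catching, a backup job that quietly dropped a folder. The directory layout, file names and contents are all made up for the example.

```python
"""Restore-test a backup into a clean directory and verify every file.

Added example, not from the IST blueprint or its toolkit. It shows the
minimum a backup test should do: restore into a fresh location (as you
would on a rebuilt machine, never over the live data) and compare each
restored file against a SHA-256 manifest recorded when the backup was
taken. All paths and file contents are constructed in a temp directory.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path, skip=()):
    """Archive source_dir as tar.gz and return {relative_path: sha256}.

    `skip` simulates an exclusion rule that silently drops files. Store the
    manifest apart from the archive (offline, or on separate media) so that
    whoever can tamper with the archive cannot also rewrite the expected hashes.
    """
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            rel = p.relative_to(source_dir).as_posix()
            if not p.is_file() or rel in skip:
                continue
            manifest[rel] = sha256_file(p)
            tar.add(str(p), arcname=rel)
    return manifest


def restore_and_verify(archive_path, expected, restore_dir):
    """Extract into an empty restore_dir and diff it against `expected`.
    Returns missing / extra / mismatched file lists plus an overall ok flag."""
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    if any(restore_dir.iterdir()):
        raise ValueError("restore target must be empty; never test over live data")
    with tarfile.open(str(archive_path), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and patched 3.8-3.11): refuse path traversal,
            # absolute paths and device files hidden in a hostile archive.
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)
    restored = {p.relative_to(restore_dir).as_posix(): sha256_file(p)
                for p in restore_dir.rglob("*") if p.is_file()}
    missing = sorted(k for k in expected if k not in restored)
    extra = sorted(k for k in restored if k not in expected)
    mismatched = sorted(k for k in expected
                        if k in restored and restored[k] != expected[k])
    return {"ok": not (missing or extra or mismatched),
            "missing": missing, "extra": extra, "mismatched": mismatched}


def run_demo():
    """A full backup restores cleanly; a job that dropped a folder is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        share = tmp / "share"                       # constructed file share
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "ledger.csv").write_text("2023-05,invoice,1200\n")
        (share / "app.cfg").write_text("db=legacy-lob-server\n")

        expected = make_backup(share, tmp / "full.tar.gz")
        # A later job with a bad exclusion rule quietly omits the ledger.
        make_backup(share, tmp / "partial.tar.gz", skip={"finance/ledger.csv"})

        # Simulate ransomware: the live files are overwritten in place, so
        # nothing below may depend on the originals still being readable.
        for p in share.rglob("*"):
            if p.is_file():
                p.write_bytes(os.urandom(64))

        return {
            "full": restore_and_verify(tmp / "full.tar.gz", expected, tmp / "restore-full"),
            "partial": restore_and_verify(tmp / "partial.tar.gz", expected, tmp / "restore-partial"),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "OK" if result["ok"] else "FAILED", result)
```

The full archive verifies clean; the partial one reports `finance/ledger.csv` missing, which is exactly the kind of gap that goes unnoticed until the day the ledger is needed. Run the same check against the backups your consultant takes, on a machine that was not the source of the data, and keep the manifest somewhere the backup server cannot write to.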
The blueprint document includes a link to recommended tools and resources. The tools listing can be daunting to any firm without IT experience, so I’d also recommend using the toolkit to review the tools used by your consultants: discuss what processes they follow and see whether they have comparable resources in place.
Actionable safeguards for recovery are: