Best practices for stopping the threat of ransomware
Ransomware has become a household name now; even my four-year-old has heard the term (it was even in an episode of a popular cartoon she watches). Sadly, the reason everyone has heard of ransomware is that the problem is so widespread and pervasive.
There are plenty of reports showing the rising threat, and unknown, unpatched vulnerabilities are making the ransomware maker’s job a lot easier. Most of the ransomware seen in the wild relies on vulnerabilities for which a patch or update that remediates the issue already exists. There will always be the next 0-day vulnerability that gets baked into a new version of ransomware and causes havoc, but the average everyday attacks we see are almost always successful because of missing patches.
Patching is not the only way to protect against malware. There is no shortage of technical solutions that can help, but all the tools in the world will never measure up to the improvements that a good inventory and patching program will make. With that in mind, I am going to focus on how organizations can get a better handle on the situation before the next malware attack affects your network.
Can’t Patch What You Can’t Find
I have said a thousand times to a thousand different people working in IT and InfoSec that there is no way they can expect to patch all their systems when they don’t even know what all the systems are. I have only found one or two enterprise sized organizations that do basic asset inventories well.
In the vast majority of cases they know about all the desktops, laptops, network equipment, and servers. But I can tell you definitively that those are not the only endpoints on the modern network; even a home network has printers, TVs, digital assistants, IoT devices, etc. If you take a look at your inventory list and don’t see devices outside those “traditional” assets, then you already know you’re missing something.
Smaller organizations seem to have it easier in that they have fewer systems overall to keep track of, but they also have commensurately fewer staff to handle it. So, that means we are all looking for ways to do this better, smarter, faster and more effectively. A good place to start is to first get a count of any networked device that will respond.
This can be done with a simple ping sweep using Nmap (a free, open-source network scanning tool that anyone in InfoSec should understand well). This won’t tell you where everything is, and it will give you multiple replies from devices with multiple network cards, but it’s a good place to start.
When you finish this, compare it to the current asset inventory; any “extra” replies tell you where you have to start looking. Beyond this, it is just a slow and steady process. Best practices will work if you actually enforce them. In short, the first step to protect against ransomware is to get a better handle on what is there.
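As an added example (not from the original post), here is a small Python script that reconciles a ping sweep with an inventory export the way the text describes, flagging responders that are not in the inventory and inventory entries that did not answer, and collapsing a multi-NIC host to one asset so its extra reply is not mistaken for an unknown device. It assumes the sweep was saved in Nmap’s grepable format (`nmap -sn -oG sweep.gnmap 10.0.0.0/24`); the scan output, inventory rows, addresses and names are constructed for illustration.

```python
import csv
import re

# Constructed sample of Nmap grepable output (-oG) from the ping sweep
# `nmap -sn -oG sweep.gnmap 10.0.0.0/24`; not real scan data.
SWEEP_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sn -oG sweep.gnmap 10.0.0.0/24
Host: 10.0.0.1 (gw.example.internal)\tStatus: Up
Host: 10.0.0.10 (fileserver.example.internal)\tStatus: Up
Host: 10.0.0.11 ()\tStatus: Up
Host: 10.0.0.42 ()\tStatus: Up
Host: 10.0.0.57 (printer-2f.example.internal)\tStatus: Up
# Nmap done at Mon Jan  1 09:00:03 2024 -- 256 IP addresses (5 hosts up) scanned in 3.10 seconds
"""

# Constructed inventory export, one row per address: the multi-homed
# fileserver (two NICs) appears twice under one asset name.
INVENTORY_CSV = """\
asset,ip,owner
core-gw,10.0.0.1,netops
fileserver,10.0.0.10,infra
fileserver,10.0.0.11,infra
old-xp-lab,10.0.0.99,lab
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+Up$")

def live_hosts(gnmap_text):
    """Return {ip: hostname} for every host Nmap reported as Up; comment lines are skipped."""
    hosts = {}
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(1)] = m.group(2)
    return hosts

def load_inventory(csv_text):
    """Return {ip: asset_name} from the inventory export."""
    return {row["ip"]: row["asset"] for row in csv.DictReader(csv_text.splitlines())}

def reconcile(gnmap_text, csv_text):
    """Split the sweep into known assets, unknown responders, and inventory addresses that stayed silent."""
    live = live_hosts(gnmap_text)
    inv = load_inventory(csv_text)
    unknown = sorted(ip for ip in live if ip not in inv)   # answered, not in inventory: go look
    silent = sorted(ip for ip in inv if ip not in live)    # inventoried, no answer: off, moved, or gone
    # Collapse multi-NIC hosts to one asset so a second NIC is not double counted
    known_assets = sorted({inv[ip] for ip in live if ip in inv})
    return {"known_assets": known_assets, "unknown": unknown, "silent": silent}
```

A silent inventory entry is not proof the machine is gone; hosts that drop ICMP will not answer a bare ping sweep, so treat that list as a follow-up queue rather than a deletion list.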
The Fun Part: Patching
If you did the above correctly, patching becomes significantly easier. Then there are all the systems that you can’t patch for one reason or another. I have heard every reason in the book, and several that were just plain crazy, as to why an outdated and vulnerable machine (like a Windows XP system) should be left on the network.
This is unavoidable. There will be some old systems and there will be some systems you just can’t trust (printers and IoT, I am looking at you) that should not be on the Internet at all and should never be on the same VLAN as sensitive systems or data. If you have a handle on the network and know what is there, patching can be done quickly and even outsourced.
While patching is generally a pain, it is really the systems we miss that are most likely to allow a ransomware attack to be successful. So, we all have to make a choice: we can accept the risk of the vulnerable and unknown systems, or we can work to get them under control. I often tell people concerned with the enormity of the problems we face that if we don’t start now it will just get worse.
So, if you do not want to be woken up by the alert that ransomware has broken out in your organization, it is crucial that you start to understand what is truly on your network and the risk those devices pose to your sensitive systems. We spend a lot of time and money making sure the crown jewels are sealed behind a giant steel door, but we let anyone who wants to drill holes in the walls around it.
No one wants to get hit with ransomware, but almost as many don’t want to take the time to properly inventory and patch their systems. The choice is yours.