
Application Security

12/18/2019
02:00 PM
Shawn Taylor
Commentary

5 Security Resolutions to Prevent a Ransomware Attack in 2020

Proactively consider tools to detect anomalous behavior, automatically remediate, and segment threats from moving across the network.

Over the past two years, ransomware attacks have increased in frequency and severity. In 2019 alone, the attacks have crippled manufacturing businesses, brought hospitals to a halt, and even put lives at risk.

It's no wonder that many organizations are putting ransomware prevention and response planning at the top of their priorities list for 2020. And those that aren't probably should consider what more they can do to better prepare their organizations against these types of attacks.

The time to put measures in place is not after an attack has already taken place. I've worked with many organizations scrambling in the aftermath of a breach, but this can be avoided if you proactively consider tools to detect anomalous behavior, automatically remediate, and segment threats from moving across the network to limit an attack's reach.

Here are five things organizations should consider as part of their security resolutions in 2020:

1. Basic Cybersecurity Hygiene: Improving basic cybersecurity hygiene is the No. 1 defense against any type of attack, including ransomware. This is the cybersecurity version of many people's New Year's resolution to "get healthy." Cybersecurity hygiene can mean a lot of different things, but a good place for companies to start is by making sure they have strong vulnerability management practices in place and that their devices have the latest security patches. They can also make sure they are taking basic security precautions that are often also important for regulatory compliance, like running up-to-date antivirus software or restricting access to systems that can't be made compliant. Ultimately, however, for most organizations, starting with CIS Control 1, Inventory and Control of Hardware Assets, will establish a good foundation upon which to build.

2. Penetration Testing: Companies that already have much of the basic hygiene in place can take the additional step of engaging pen testers to further ensure that anything Internet-facing in their organization is protected. By identifying the means by which attackers could gain access to applications or internal systems, whether by exploiting a weakness or by brute-forcing their way in while bypassing other protections such as firewalls, security leaders can fix those weaknesses before bad actors find them.

3. Board Discussions: Cybersecurity is increasingly becoming a board of directors-level issue. That's because an attack can have a significant impact on a company's revenue, brand, reputation, and ongoing operations. Beyond that general discussion, it's worth having a specific board-level conversation about ransomware to ensure board members understand the specific risks it could pose to the business, and that budget is made available to prevent or limit the damage of an attack. That discussion will prove critical if the company wants to implement added protections, such as improved cyber hygiene, or put in place automated reactive technologies to limit the spread of an attack. If the CIO or CISO is not already regularly having these conversations about cybersecurity, or ransomware in particular, that's definitely a good place to start for 2020.

4. Tailored Training: There is one vulnerability that has proven effective again and again as an entry point for attack: people. You can buy all the latest and greatest cybersecurity technology, but if you aren't training your employees in basic cybersecurity or how to respond during an attack, then you're leaving yourself vulnerable. Training to prevent ransomware starts by teaching employees to recognize phishing attacks and what to do if they suspect one. This is important because — even though many users have gotten better — phishing remains one of the most effective ways for an attacker to breach an organization. Teaching users to validate URLs or avoid clicking on links or attachments altogether can go a long way toward protecting against all types of attacks. This is a good practice to start or revisit in 2020.

In addition to preventing an attack, security leaders can also think about adding specific training for ransomware response. It's pretty easy for employees to know when they've been hit with ransomware: their work screen may go away and they may get a pop-up directing them to a URL to pay the ransom (likely in bitcoin). Training employees in what steps they can take in response, or giving them an emergency point of contact on the security team, can make them feel more in control in the panic of an attack.

5. Limit the Scope of an Attack: Ransomware resolutions should include not only preventing an attack but also taking steps to minimize the damage of a successful one. That starts with having tools in place, such as SIEM systems that can identify the behavior patterns and heuristics of an attack and begin to automatically isolate and remediate those systems when indicators are flagged. It also means embracing tools such as network segmentation that can prevent the lateral movement of an attack across the network.
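The detection-and-isolate logic point 5 describes, as an added example rather than anything from the article or from a particular SIEM product: a heuristic that watches file-write telemetry for the burst of ransom-style renames (and a dropped ransom note) that typically marks an encryption run, and returns an isolation decision per host. The event format, thresholds and sample lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-write events, in the shape an endpoint agent might forward
# to a SIEM: "<timestamp> <host> <process> <path>". Not real telemetry.
SAMPLE_EVENTS = """\
2019-12-18T14:00:01 ws-017 winword.exe C:/Users/a/report.docx
2019-12-18T14:00:05 ws-017 svchost.exe C:/Users/a/report.docx.locked
2019-12-18T14:00:05 ws-017 svchost.exe C:/Users/a/budget.xlsx.locked
2019-12-18T14:00:06 ws-017 svchost.exe C:/Users/a/photo.jpg.locked
2019-12-18T14:00:06 ws-017 svchost.exe C:/Users/a/notes.txt.locked
2019-12-18T14:00:07 ws-017 svchost.exe C:/Users/a/README_DECRYPT.txt
2019-12-18T14:00:08 ws-017 svchost.exe C:/Users/a/plan.pptx.locked
2019-12-18T14:03:00 ws-042 excel.exe C:/Users/b/q4.xlsx
"""

# Thresholds are assumed illustrative values; tune them to the environment.
WINDOW = timedelta(seconds=30)
MIN_ENCRYPTED_FILES = 5
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")

def parse_events(text):
    """Parse agent lines into (timestamp, host, process, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, proc, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, proc, path))
    return events

def flag_hosts(events):
    """Return {host: finding} for hosts where one process wrote a burst of
    ransom-style files inside WINDOW, or dropped a ransom note."""
    per_proc = defaultdict(list)
    for ts, host, proc, path in events:
        per_proc[(host, proc)].append((ts, path))
    findings = {}
    for (host, proc), writes in per_proc.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            window = [p for t, p in writes[i:] if t - t0 <= WINDOW]
            encrypted = {p for p in window if p.lower().endswith(RANSOM_EXTENSIONS)}
            note = any("decrypt" in p.lower() for p in window)
            if len(encrypted) >= MIN_ENCRYPTED_FILES or note:
                findings[host] = {"process": proc, "encrypted_files": len(encrypted),
                                  "ransom_note": note, "action": "isolate"}
                break  # one finding per host is enough to trigger isolation
    return findings

def detect(text=SAMPLE_EVENTS):
    return flag_hosts(parse_events(text))
```

In a real deployment the "isolate" action would be handed to the endpoint or network-access-control tooling to quarantine the host, which is the automated segmentation the article argues for.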


Spanning a 20-year career as an accomplished and well-respected Systems Engineer, Shawn Taylor's strong mix of technical acumen, architectural expertise, and passion for operational efficiencies has established him as a trusted adviser to ForeScout's customers since joining ...
Comments
ernac,
User Rank: Apprentice
2/3/2020 | 2:42:44 AM
Nice Article
Definitely a curated piece of content. I'm working as a security testing freelancer and have several international clients by God's grace. Side by side I'm also working on a personal report based on security testing services. Your security testing blog is quite detailed, so I felt like asking for some help. Could you please suggest whether adhering to the OWASP Top 10 safeguards the digital network architecture of a business?
seven_stones,
User Rank: Apprentice
1/12/2020 | 2:43:11 PM
VM / detection
Would prefer to see something like "mature vulnerability management processes" instead of penetration testing, especially as local controls on Windows devices, believe it or not, even though vendors would have the world believe otherwise, can be very effective indeed.

You mentioned SIEM in your last point, which is fair enough. I'd probably emphasise detection a lot more, mostly because prevention is far from guaranteed to help. At least the organisation can get a heads-up of environmental skullduggery before the payload is active. Unlikely, yes, but good to do anyway for so many reasons.
seven_stones,
User Rank: Apprentice
1/12/2020 | 2:36:16 PM
Re: Deploy key technologies to close critical vectors
Those aspects you mention are critical for mail servers, for security yes, and the organisation will have trouble sending mail to some domains if these aren't in place - there's even a chance they could end up on a spam blacklist. Awkward. But for preventing malicious email carrying malware, not so useful. Low-level phishers can get blocked, but it's pitifully easy to subvert, and moreover lots of phishing comes from compromised accounts.
duetqqip,
User Rank: Apprentice
12/21/2019 | 12:40:24 PM
Re: Deploy key technologies to close critical vectors
nice
smtaylor12,
User Rank: Author
12/19/2019 | 8:00:46 AM
Re: Deploy key technologies to close critical vectors
First of all, thanks for your comment.

The list wasn't meant to be all-inclusive; I've received other good suggestions via Twitter and LinkedIn. Email protections are certainly a good strategy. I think the bottom line is that there is not one singular tactic, tool or solution to completely protect from ransomware. Education, good endpoint protection/patching strategies, complete visibility of what's on the network (to include the risks of those devices), but that visibility should also be from the outside in, ensuring all protections are made on externally facing devices, systems and applications. While I would agree email is a primary target, some of the highest-profile breaches/ransomware attacks weren't initiated by email at all.
sethblank,
User Rank: Author
12/18/2019 | 7:05:06 PM
Deploy key technologies to close critical vectors
Thanks for the article, Shawn.

There's one crucial item missing from your list. 90+% of cyberattacks, including ransomware, begin from email. And there are well known technologies, such as SPF, DKIM, and especially DMARC, that prevent these abuses before they ever get in front of a user.

These solutions don't cover every scenario, but they cover the majority of the sources of the threats. We've seen in the real world that when an organization has DMARC in place, attackers simply move on to abuse other organizations instead of moving to more difficult vectors.

If you want to stop ransomware, deploy these open standards and you've reduced your threat surface by more than half. Then apply the rest of your recommendations to continue closing the gap.