5. What to do about it: 4 essentials
Yes, ransomware is a widespread problem. But that doesn’t mean you should throw up your hands and accept defeat. Rather, there’s a range of strategies for minimizing the risk, even though, as with most security issues, you can’t eliminate it altogether.
“Several techniques can help minimize the impact of a ransomware attack,” Wilson says.
Robust technical tools and educational programs for minimizing and mitigating phishing attacks are one such strategy. Let’s run through several other overlapping strategies that reinforce one another as part of a holistic approach to minimizing ransomware risk.
Adopt zero-trust principles and policies
“Organizations need to adopt zero trust security approaches that don’t depend on authenticated users always following safe practices,” Haff says.
Zero trust and the principle of least privilege can go a long way toward shrinking the attack surface and limiting the impact of a breach. In general, the principles here can be summed up as: “Don’t leave things open or on that don’t need to be” and “Don’t grant permissions to people who don’t need them.”
“[Necessary strategies] include limiting administrative permissions on end-user systems, having unique local admin credentials for each of your end-user systems, and limiting connectivity between end-user systems, to name a few,” Wilson says.
“Zero trust” reflects the need to limit or remove anything that isn’t necessary for a person or machine to do its job. A sysadmin probably needs PowerShell; a financial analyst, not so much.
Removing PowerShell from machines where it’s unnecessary is another good example of basic security hygiene that will minimize ransomware risks, de Metz says.
And yes, you should use MFA and other technologies in this realm.
“Adopt user-centric security tools that incorporate contextual layers of authentication such as SSO and MFA, and tools that provide visibility and access control,” Bareket advises.
Get serious about network segmentation
Preparation is crucial; complete prevention is virtually impossible. As a result, it’s important to limit an attacker’s ability to move deep and wide within your organization if they do find a weak spot.
“Network segmentation is key in preventing attackers from moving laterally through the network and encrypting more data,” Bareket says.
This requires thorough visibility and understanding of your environments and how they connect and intersect. In some cases, the “air gapping” approach may be required.
“Organizations also need to make sure that all critical networks and supporting systems are segmented from the rest of their networks to the greatest extent possible. This may mean a complete air gap,” de Metz says. If critical systems and their supporting systems must remain connected to the main, internet-connected network, all traffic in and out of them should be tightly filtered to keep ransomware out.
Implement a modern framework for security
Modern security risks require modern security strategies. There’s a lot of help on this front, especially when it comes to identifying threats and bolstering your prevention and response capabilities.
“The NIST framework, which includes five functions (Identify, Protect, Detect, Respond, and Recover), is designed to help organizations establish a successful cybersecurity program and effectively prevent cyberattacks,” Bareket says.
MITRE ATT&CK is an increasingly popular and readily available knowledge base of real-world adversary tactics and techniques, designed to help teams plan and rehearse both prevention of, and response to, actual adversary behavior.
“It includes ransomware-specific techniques under a category called ‘Impact,’” Bareket explains. “The information it provides allows security teams to see how they might be attacked, reflect on their abilities to detect and stop such techniques, and plan for optimal protection.”
Don’t get stuck without backups and logs
Organizations pay ransomware demands for a variety of reasons, but one of them is deceptively simple: They feel like they don’t have a choice.
When it comes to effective incident response, reliable and accessible backups are must-haves.
Logging goes hand in hand with incident response, as does rehearsing how you’ll respond in a ransomware scenario.
“Having good logs about who/what/when something happened can make triaging an incident easier,” Wilson says. “Understanding what systems are critical to your business functioning, ensuring they are properly backed up, and being able to test the recovery of such a system is key. Having good backups (or cloud storage) and knowing that they work effectively is part of a proper layered defense strategy and will go a long way to expediting recovery from a ransomware situation.”
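The restore test Wilson describes, as an added example that is not from the article or anyone quoted in it: a Python script that backs up a directory with a per-file SHA-256 manifest, test-restores it into a scratch directory and reports any file that is missing or altered after the restore. The manifest.json file name and the sample finance files are constructed for this example.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # chunked: backup sets may exceed RAM
            h.update(chunk)
    return h.hexdigest()

def create_backup(src: Path, backup_dir: Path) -> Path:
    """Archive src and write a per-file SHA-256 manifest (manifest.json) beside it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup.tar.gz"
    files = {str(p.relative_to(src)): sha256_file(p) for p in src.rglob("*") if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    archive.with_name("manifest.json").write_text(json.dumps({"files": files}))
    return archive

def restore_drill(archive: Path) -> dict:
    """Test-restore into a scratch dir and check every file against the manifest."""
    expected = json.loads(archive.with_name("manifest.json").read_text())["files"]
    result = {"verified": 0, "failed": []}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
        safe = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # blocks path traversal (3.12+/backports)
        tar.extractall(scratch, **safe)
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if restored.is_file() and sha256_file(restored) == digest:
                result["verified"] += 1
            else:
                result["failed"].append(rel)  # missing after restore, or contents differ
    return {**result, "ok": not result["failed"]}  # alert on this, not on "the backup job ran"

def run_demo() -> dict:
    """Constructed sample data: a healthy drill, then one where a file no longer matches."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bdir = Path(tmp) / "finance", Path(tmp) / "backups"
        (src / "q3").mkdir(parents=True)
        (src / "q3" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        archive = create_backup(src, bdir)
        healthy = restore_drill(archive)
        manifest = archive.with_name("manifest.json")  # simulate a restored file that no longer matches
        manifest.write_text(manifest.read_text().replace(sha256_file(src / "q3" / "ledger.csv"), "0" * 64))
        corrupted = restore_drill(archive)
    return {"healthy": healthy, "corrupted": corrupted}
```

In a real deployment the manifest should live on separate, write-once storage so that an intruder who can encrypt the backups cannot also rewrite the record used to verify them.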