All data, applications, systems and networks are valuable assets for an organisation, because they allow it to carry out its daily operations. The unavailability or inaccessibility of one of these systems after a cyber-attack can therefore have serious consequences for an organisation's business continuity. This article gives best practices for protecting against one specific attack in this context: ransomware.
Ransomware is a type of malware that cybercriminals install on an organisation's devices by various means, for instance by tricking a user into downloading an infected file, or through a phishing attack in which the victim clicks a malicious link or opens an infected attachment. Once the ransomware is running, it encrypts data and systems so that the organisation can no longer access them, and the attackers then demand a sum of money in exchange for restoring access. The organisation loses control of its computers and can no longer carry out its operations. On top of making the information unavailable, cybercriminals often also threaten to publish the data they accessed. This is a serious problem, especially for companies that handle sensitive information.
The goal of cybercriminals deploying ransomware on a device is to obtain something in return, usually money. They will therefore make it obvious that they have taken control and want something in exchange, often by displaying a clear message on the screen of the infected device.
Cybercriminals usually weigh the effort it will take to install the ransomware against what they stand to gain. It is therefore important that the defences in place make it as hard as possible for them to get into the organisation's environment. Several controls can be implemented:
Since a single unpatched vulnerability in a system, application or device can be enough for cybercriminals to get in, cause damage and access information, installing updates as soon as they are available is crucial. It keeps the defence strong and ensures that the versions in use are still supported by the vendor.
Accounts are the entrance door to an organisation's whole environment. They therefore need to be protected with strong passwords that are different for each account. A strong password has at least 12 characters and combines upper and lower case letters, numbers and symbols. In combination with a strong password, Multi-Factor Authentication (MFA) should be enabled wherever possible. MFA requires a user to prove their identity with at least two different types of factor, for example a password (something they know) combined with a code from an authenticator app or received via text message (something they have), before access to the resource is granted. Two factors of the same type, such as a password plus a PIN, do not provide the same protection.
There are several ways a device can be infected by a virus: opening an attachment, clicking a link, plugging in a USB drive or simply browsing a website. A virus is malicious software that aims to damage resources, delete files, degrade performance or steal confidential information. Once a virus is on a computer, removing it takes time, effort and money. This is why all devices allowed to connect to the organisation's network should be protected up front with antivirus software that is kept up to date.
In addition, a firewall should be used to monitor and filter connections to the corporate network based on predefined security rules. The firewall acts as a barrier between the corporate network and an untrusted network (e.g., a home network or the Internet). It allows the organisation to limit external access to authorised people and services only, and to block everything else by default.
An organisation's collaborators are its first line of defence. They need to be made aware of how to recognise scams and fake messages so that they adopt the right reflexes. Cybercriminals have several ways of stealing collaborators' credentials to gain access to an organisation's resources. A very common one is a phishing email, through which cybercriminals try to convince their victim to share passwords or confidential information. It is therefore important to hold regular awareness sessions that train collaborators not to share too much on social media and not to click a link or open a file without first checking where it comes from.
Pirated applications and software are frequently infected with malware, so only install software obtained from official sources, i.e. the vendors' own platforms and websites.
Limit the number of administrator or privileged accounts to the bare minimum. No one should use administrator privileges for day-to-day tasks. Given the privileges that admin accounts have, a compromised admin account makes it much easier for cybercriminals to take over the device or install ransomware.
Back up all systems, applications, servers and data so that, even if an incident occurs, all important information can still be recovered. Keep at least one copy offline or otherwise out of reach of the production network, since ransomware also encrypts backups that are reachable from an infected machine. It is important to test those backups regularly to confirm that they can actually be restored when needed, after an incident.
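As an added example (not part of the original article), the following POSIX shell functions show what "testing a backup" means in practice: one creates a compressed archive of a directory and records its SHA-256 checksum, the other proves the archive is still intact and actually restorable by checking the checksum, extracting into a scratch directory and comparing the result file by file with the source. The directory layout, the `backup-<timestamp>.tar.gz` naming and the use of `tar`, `sha256sum` and `diff` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: back up a directory, then verify the backup can be restored.
# Assumes tar, sha256sum, diff and mktemp are available (GNU coreutils / Linux).
# Paths and file naming are illustrative, not taken from the article.

# backup_dir SRC DEST
#   Archives SRC into DEST/backup-<timestamp>.tar.gz, writes a .sha256 file
#   next to it and prints the archive path. Returns non-zero on any failure.
backup_dir() {
    src="$1"; dest="$2"
    mkdir -p "$dest" || return 1
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C so the archive holds relative paths and can be restored anywhere
    tar -czf "$archive" -C "$src" . || return 1
    # The recorded checksum lets a later restore detect a corrupted or tampered archive
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) || return 1
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE SRC
#   Returns 0 only if the archive still matches its recorded checksum AND
#   extracts to exactly the content of SRC. Run it right after backup_dir,
#   or against a known-good copy of the data, not against data that has since changed.
verify_backup() {
    archive="$1"; src="$2"
    dest=$(dirname "$archive")
    # 1. Integrity: the archive must still hash to what was recorded at backup time
    ( cd "$dest" && sha256sum -c --quiet "$(basename "$archive").sha256" ) || return 1
    # 2. Restorability: extract into a scratch directory and compare with the source
    scratch=$(mktemp -d) || return 1
    if ! tar -xzf "$archive" -C "$scratch"; then
        rm -rf "$scratch"
        return 1
    fi
    diff -r "$src" "$scratch" >/dev/null
    status=$?
    rm -rf "$scratch"
    return $status
}
```

A backup that is never restored is only a hope; running `verify_backup` on each new archive turns it into a checked result, and the checksum step gives a simple way to notice later if an archive in the backup store has been altered or corrupted.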
A collaborator looking for a specific piece of software, with little or no cybersecurity knowledge, is less likely to question offers found on the internet. It is therefore important to ensure that all downloaded software is approved by the IT Responsible from a security and performance point of view. In addition, the IT Responsible can establish a whitelist: a list of software that collaborators are permitted to install on their corporate devices.
It is very common for cybercriminals to use an existing account to gain access to an organisation's resources. Access control management should therefore be well established and enforced within the organisation. The basic principles of least privilege and need-to-know must be applied: a user should only get the access they need to perform their job, nothing more, and never extra access 'just in case'.
In addition, a user access provisioning and de-provisioning process should be established. It defines how access granted to an employee is changed when they switch position and removed when they leave the organisation. An insider attack can always happen, no matter how loyal former collaborators were at one point in time; their feelings towards the organisation may change, especially if they did not leave willingly.
Only use removable media approved by the IT Responsible, to make sure it is not infected and will not damage your device.
Paying the ransom is not recommended: it does not guarantee that access will be restored or that stolen data will not be published, and it makes ransomware profitable, which encourages cybercriminals to continue this malicious activity.
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.