Anti-phishing tools can reveal which employees need further one-on-one training. Security logs can show who’s constantly hitting the URL filter or the anti-malware cleaner; those workers also need a personal visit from IT and some extra instruction.
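One way to pull that "who keeps hitting the filter" list out of the logs, as an added example that is not from the article or any product. The syslog-style lines are constructed and simplified; a real proxy or EDR export uses its own schema, so the regex in parse_line() and the threshold in repeat_offenders() are assumptions to adapt:

```python
"""Tally per-user URL-filter and anti-malware events and rank repeat offenders.

Added example, not from the original article. The log format is a constructed
key=value style; the regex and the threshold are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real data). Each line names the control
# that fired, its action and the user account it fired for.
SAMPLE_LOG = """\
2024-03-04T08:12:01Z urlfilter action=BLOCK user=jdoe category=malware url=http://example.invalid/x
2024-03-04T08:12:40Z urlfilter action=BLOCK user=jdoe category=phishing url=http://example.invalid/y
2024-03-04T09:01:11Z antimalware action=QUARANTINE user=jdoe file=invoice.js
2024-03-04T09:15:03Z urlfilter action=ALLOW user=asmith category=news url=http://example.invalid/z
2024-03-04T10:22:54Z urlfilter action=BLOCK user=asmith category=phishing url=http://example.invalid/w
2024-03-04T11:03:19Z antimalware action=QUARANTINE user=bjones file=resume.docm
2024-03-04T11:03:20Z antimalware action=QUARANTINE user=bjones file=resume(1).docm
2024-03-04T11:47:00Z urlfilter action=BLOCK user=bjones category=malware url=http://example.invalid/v
2024-03-04T12:00:00Z urlfilter action=BLOCK user=jdoe category=malware url=http://example.invalid/u
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>urlfilter|antimalware) action=(?P<action>\w+) user=(?P<user>\S+)"
)

# Only these actions count as hits; an allowed request or a clean scan is noise.
HIT_ACTIONS = {"BLOCK", "QUARANTINE"}


def parse_line(line):
    """Return (source, action, user), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("source"), m.group("action"), m.group("user")


def tally_hits(log_text):
    """Count blocked/quarantined events per user, broken down by source."""
    per_user = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, action, user = parsed
        if action in HIT_ACTIONS:
            per_user[user][source] += 1
    return per_user


def repeat_offenders(per_user, threshold=3):
    """Users whose total hits reach the threshold, most frequent first.

    The threshold is an assumed tuning knob; derive yours from a baseline.
    """
    ranked = sorted(
        ((user, sum(c.values())) for user, c in per_user.items()),
        key=lambda item: (-item[1], item[0]),
    )
    return [(user, total) for user, total in ranked if total >= threshold]


if __name__ == "__main__":
    hits = tally_hits(SAMPLE_LOG)
    for user, total in repeat_offenders(hits):
        detail = ", ".join(f"{src}={n}" for src, n in sorted(hits[user].items()))
        print(f"{user}: {total} hits ({detail})")
```

Ranking on blocks and quarantines only (not on allowed requests) keeps the list to people who actually reached bad content, and splitting the count by source tells the visiting technician whether the problem is clicking links, opening attachments, or both.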
Feds Constantly Protect Data and Employ Network Access Control
Agencies looking for motivation to modernize should note: Ransomware works best against IT infrastructures designed in the 1990s that haven’t been updated.
Shared drives on Windows file servers, for example, are a huge ransomware target and one that is easy to get rid of. Shifting to a versioning file store (SharePoint is an obvious choice) means the ransomware fix is as simple as rolling each file back to its last version untouched by the attacker. That only holds if the version history is out of the attacker's reach: retention must cover the gap between infection and discovery, and ordinary user accounts, which is what the malware runs as, must not be able to purge old versions. Nightly backups are the common data protection strategy, but they should be replaced by continuous data protection, shrinking the window of data loss from a day down to hours or minutes.
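The rollback the paragraph describes, as an added example that is not from the article and is not SharePoint's API: an in-memory stand-in for a versioning store, used to show the two decisions a restore has to get right, which versions count as touched and restoring without throwing history away. The entropy cut-off, the file path and the sample contents are assumptions.

```python
"""Roll a versioned file back to the last version untouched by ransomware.

Added example, not from the article and not a real store's API. The entropy
cut-off, the sample path and the sample contents are assumptions.
"""
import math
from collections import Counter
from datetime import datetime, timedelta

# Bits per byte above which a version is treated as ciphertext. Assumed value:
# compressed formats (docx, zip, many PDFs) also score close to 8, so for those
# rely on the attack_start window as well as, or instead of, this signal.
ENTROPY_CUTOFF = 7.5


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data):
    return shannon_entropy(data) > ENTROPY_CUTOFF


class VersionedStore:
    """Every write appends a version; nothing is overwritten in place."""

    def __init__(self):
        self._versions = {}  # path -> [(timestamp, content), ...], oldest first

    def write(self, path, data, when):
        self._versions.setdefault(path, []).append((when, bytes(data)))

    def versions(self, path):
        return list(self._versions.get(path, []))

    def current(self, path):
        return self._versions[path][-1][1]


def last_clean_version(store, path, attack_start=None):
    """Newest version written before attack_start (if given) that does not
    look encrypted. Returns (timestamp, content) or None."""
    for when, data in reversed(store.versions(path)):
        if attack_start is not None and when >= attack_start:
            continue
        if looks_encrypted(data):
            continue
        return when, data
    return None


def rollback(store, path, attack_start=None, now=None):
    """Restore by appending the clean content as a new version, so the
    encrypted versions stay available as evidence. Returns the timestamp of
    the version restored, or None when nothing clean survives (at which point
    the answer is backups, not version history)."""
    found = last_clean_version(store, path, attack_start)
    if found is None:
        return None
    when, data = found
    store.write(path, data, now if now is not None else datetime.now())
    return when


def build_sample_store():
    """Constructed history: two legitimate edits, then a ransomware overwrite.
    The stand-in ciphertext uses every byte value equally often (entropy 8.0)."""
    store = VersionedStore()
    t0 = datetime(2024, 3, 4, 9, 0)
    times = [t0, t0 + timedelta(hours=1), t0 + timedelta(hours=2, minutes=30)]
    path = "finance/budget.csv"
    store.write(path, b"dept,amount\nIT,1200\n", times[0])
    store.write(path, b"dept,amount\nIT,1250\nHR,900\n", times[1])
    store.write(path, bytes(range(256)) * 4, times[2])
    return store, path, times


if __name__ == "__main__":
    store, path, times = build_sample_store()
    restored = rollback(store, path)
    print("restored the version written at", restored)
    print("current content:", store.current(path))
```

Two details carry over to a real store: the restore is itself a new version rather than a deletion, and the time-window rule (attack_start) is the reliable signal once the incident timeline is known, because content heuristics alone misfire on compressed document formats.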
Ransomware encrypts whatever the infected user's account can write to, so giving users the ability to write to files across workgroups is an efficient way for it to affect an entire organization, and is a sign that access control is not well managed. Access controls should apply to staff at all levels, executives included, to keep any one account from writing to files all over the agency's file shares. It's complicated, but that is why there is a thriving marketplace for identity and access management tools.
Local drives are incredibly hard to back up and manage, which makes them a liability. Through a combination of policies, protections and processes, ensure that nothing important sits on a worker’s hard drive for more than a few hours. If necessary, wipe the working directories every night and make it clear there are no exceptions to the rule.
Email Security Gateways Can Guard Against Ransomware
Ransomware is usually delivered via email, either as a direct payload or one that encourages users to click on a link, so protecting incoming email is a key strategy. Agencies should revisit their email security gateways (ESGs), turn up protections and rethink settings, even if the ESG is part of a cloud-based service.
Many ESGs offer “URL armoring,” which replaces URLs in messages with pointers to a proxy server elsewhere, run either by the agency or by the ESG vendor. Because the destination is then evaluated at click time rather than at delivery, this opens a window between email delivery and the click that either allows the agency to detect the ransomware or forces the download to be scanned in the cloud, protecting computers where the anti-malware is out of date or disabled. Two caveats: the rewritten links hide the real destination from users, so tell them what proxy links look like, and the proxy must bind each link to its original URL so it cannot be abused as an open redirector.
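The rewrite and the click-time check, as an added example that is not from the article and is not any ESG vendor's implementation. The proxy endpoint, the HMAC key and the token layout are assumptions; a real gateway would also handle HTML bodies, percent-encoded URLs and rate limiting:

```python
"""Rewrite message URLs to a signed click-time proxy link and verify it on click.

Added example, not from the article and not a vendor's code. The proxy host,
the key and the parameter layout are assumptions.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

PROXY_BASE = "https://click.agency.example/go"    # assumed proxy endpoint
SECRET_KEY = b"rotate-me-and-load-from-a-vault"   # assumed; never hard-code in production

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(url, recipient):
    """HMAC over recipient and URL, so a link is valid only for the person it was sent to."""
    return hmac.new(SECRET_KEY, recipient + b"\x00" + url, hashlib.sha256).digest()


def armor_url(url, recipient):
    """Replace one URL with a proxy link carrying the original URL and a MAC.
    Without the MAC the proxy would be an open redirector for any URL."""
    u, r = url.encode(), recipient.encode()
    query = urlencode({"u": _b64(u), "r": recipient, "t": _b64(_sign(u, r))})
    return f"{PROXY_BASE}?{query}"


def armor_message(body, recipient):
    """Rewrite every http(s) URL in a plain-text message body."""
    return URL_RE.sub(lambda m: armor_url(m.group(0), recipient), body)


def resolve_click(proxy_url):
    """Proxy side: verify the MAC and return the original URL to scan/fetch.
    Returns None for anything tampered with (bad signature, wrong recipient,
    missing parameters) so the proxy never redirects to an unsigned URL."""
    parts = urlsplit(proxy_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != PROXY_BASE:
        return None
    q = parse_qs(parts.query)
    try:
        u = _unb64(q["u"][0])
        r = q["r"][0].encode()
        t = _unb64(q["t"][0])
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(t, _sign(u, r)):
        return None
    return u.decode()


if __name__ == "__main__":
    # Constructed message, not a real phish.
    body = "Your invoice: http://example.invalid/pay?id=1 thanks"
    armored = armor_message(body, "jdoe@agency.example")
    print(armored)
    print("click resolves to:", resolve_click(URL_RE.search(armored).group(0)))
```

The click-time scan itself (reputation lookup, sandboxing the download) sits behind resolve_click(); what the example shows is the part that is easy to get wrong, making sure the proxy only follows links it issued.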
It’s also time to change attachment filtering strategy from a blacklist to a whitelist. Finding every way that junk can enter a network is impossible, but creating a short list of the file types that employees need for work is doable, and can be the start of a whitelist. Match on what a file actually is, not just its extension: a renamed executable should fail the check, and macro-enabled Office documents and archives deserve their own rules rather than a free pass.
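A starting whitelist of that kind, as an added example that is not from the article and not any gateway's rule set. It goes a step beyond the paragraph by checking the sniffed content type against the extension, so a renamed executable or a macro-carrying document does not pass on its name alone. The allowlist, the magic-byte table and the sample attachments are constructed:

```python
"""Allowlist email attachments by extension AND sniffed content.

Added example, not from the article and not a product's rules. The allowlist,
the signature table and the sample files are constructed for illustration; a
real policy would be larger and would also look inside archives.
"""
import io
import zipfile

# Extension -> content kinds acceptable for it. Assumed starting list.
ALLOWED = {
    ".pdf": {"pdf"},
    ".docx": {"ooxml"},
    ".xlsx": {"ooxml"},
    ".png": {"png"},
    ".txt": {"text"},
}


def _sniff_zip(data):
    """Distinguish a plain ZIP from an OOXML document, and flag embedded VBA."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return "unknown"
    if "[Content_Types].xml" not in names:
        return "zip"
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml"


def sniff(data):
    """Coarse content identification from leading bytes (constructed table)."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"MZ"):
        return "pe"            # Windows executable, whatever it is called
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"           # legacy .doc/.xls container; may carry macros
    if data.startswith(b"PK\x03\x04"):
        return _sniff_zip(data)
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def attachment_decision(filename, data):
    """Return (allowed, reason). The extension alone is never trusted."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} is not on the allowlist"
    kind = sniff(data)
    if kind not in ALLOWED[ext]:
        return False, f"content sniffed as {kind}, not valid for {ext}"
    return True, "ok"


def make_ooxml(with_macro=False):
    """Build a minimal constructed OOXML-shaped container for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.pdf", b"%PDF-1.7\n%constructed"),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("invoice.exe.pdf", b"MZ\x90\x00"),
        ("budget.docx", make_ooxml()),
        ("resume.docx", make_ooxml(with_macro=True)),
        ("archive.zip", make_ooxml()),
        ("notes.txt", b"meeting notes"),
    ]
    for name, data in samples:
        print(f"{name}: {attachment_decision(name, data)}")
```

Keeping the sniffed kind and the extension as separate checks is what catches the two classic tricks: a double extension (the final one is all that is looked up) and a mismatched one (an executable named .pdf fails on content).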