Given the recent rash of publicity around high-visibility ransomware attacks, it was inevitable that the spam-o-matic would kick in to high gear with just about every manufacturer and security partner out there wanting to offer up heavily funded solutions to address the risk.
At eGroup, we believe there is value in sharing for the common good, especially when it comes to information security. And one thing we know is that you neither have to be a certified expert – nor invest in a heavy-duty solution – to exercise some tried and true street smarts.
Here are 7 “quick and dirty” rules of the road, most of which are free, and all of which we come across in various states of disarray when engaging with clients across all verticals, segments, and sizes. If you feel as if you’ve missed some of these, not to worry, you’re not alone, but you should get moving on them pretty quick – and eGroup is always here to assist:
Common Sense Item #1: Better Spam Protection
Email is still the primary attack vector, where users receive emails with suspicious attachments or links, unknowingly execute these items, and then *bam* bad day ensues. If you aren’t using anything for spam protection, get something now! On the other hand, if you are using something standalone and on-premise, please consider something with cloud awareness to build in the layers of separation and constant updating needed to stay ahead.
At eGroup, we’ve assisted hundreds, if not thousands, of organizations with upgrading, migrating, and maintaining on-premise and cloud-based Exchange and Office 365 solutions. For diehard on-premise fans, we typically recommend Trend Micro IMSVA with their cloud pre-filter technology, and for Office 365, there is little better than Exchange Online Protection. Start your free trial of Microsoft Office 365 with us today!
Phishing emails have also become a major concern – and are one of the leading attach vectors into Business. Aggressors are able to gain access to networks and on average are not discovered for over 200 days! Most of those discoveries are in larger companies with dedicated security teams –so it is even more important for small businesses to reduce this threat as much as possible. While there are no technical controls or software that will replace good user education, we can try to reduce the number of messages that actually reach users by properly setting up your DNS records. While SMTP has been around for a while – it has needed some help. That help has come in the form of additional controls:
- Sender Policy Framework (SPF)
- Domain Key Identified Mail (DKIM)
- Domain based message authentication, reporting and conformance (DMARC)
All modern mail servers and services have the ability to read and act on these items. These are recipient based rules – meaning the recipient of your messages will need to honor your configuration. If you already have an SPF record, it is important to understand there are limitations with it. That is why DKIM and DMARC were created. You should be using all three together to get the most benefit. Once configured, the people who interact with you can be relatively confident that these messages are from you. With Exchange Online Protection, you can create mail rules that block messages from your domain but come from an external source and fail these checks. This can drastically reduce the number of phishing attempts.
Common Sense Item #2: OpenDNS (free)
OpenDNS is a DNS provider that blocks malware automatically through name resolution whitelisting. It’s free to use for basic functionality (blocking malware/phishing). Paid functionality unlocks content filtering and visibility into traffic patterns – which is still ridiculously economical considering the heightened visibility gained.
To quickly test if your network is protected by OpenDNS – or not (an indicator you are prone to ransomware redirected attacks via DNS query) – try to visit Internet Bad Guys – this is a safe phishing test to see if you are exposed.
To implement the free version of OpenDNS, simply configure DNS forwarders on domain controllers to forward to 22.214.171.124 and 126.96.36.199 (do not change the DNS settings on the domain controller NIC itself). If you need more details, read on here.
Bonus points: Configure your perimeter firewall to block outbound DNS queries to DNS servers OTHER than OpenDNS (block TCP/UDP 53 to destinations other than 188.8.131.52 and 184.108.40.206) This prevents malware from bypassing DHCP and directly querying standard or malicious DNS servers
Common Sense Item #3: Perimeter Anti-malware
This one seems to be gaining a lot of traction in the market, but not everyone is using it as widely as they could be. At eGroup, we often position theCisco Meraki MX appliances with the Advanced Security license for anti-virus, anti-phishing, and IDS functionality using the Cisco Sourcefire engine to our small to medium sized businesses, or remote offices of larger organizations.
For larger organizations, we position the Cisco ASA with FirePOWER next-generation firewall from Cisco. If you already have Cisco ASA technology, FirePOWER can be added to certain models of ASA – check with our sales engineers for details.
Common Sense Item #4: More Frequent Backups (free)
Specifically for ransomware, filesystem and directory-based storage usually get snarled. This is typically where ransomware targets its encryption attack, locking up valuable documents, spreadsheets, and other critical end-user information – holding it ransom and demanding payment.
Therefore, taking more frequent backups reduces the pain (and timeframe) of rolling back after an attack. Moving from nightly backups to more granular backups and snapshots every 4 hours or even every 1 hour can greatly help in reducing the damage landscape. Products like Rubrik,Veeam, or Avamar can be configured for as frequently as every 15 minutes (though this requires validation that your underlying storage can support frequent snapshots). And for the power users out there, products like Zerto and EMC Recoverpoint can reduce the granularity to within seconds or sub seconds.
Just as important as frequent backups is the ability to restore quickly. eGroup has seen more than one client suffer from long restoration times (12+ hours) to recover a full dataset that was only a few hours old. Auditing your restore capabilities is a must to ensure operational readiness.
Common Sense Item #5: Tighten RBAC Privileges to File Shares (free)
Typically ransomware attacks encrypt files that the specifically logged in user has write privileges to on a mapped drive. To combat this, evaluate the “minimum write permissions” a user *needs* to have, then craft an Active Directory RBAC (role-based access control) group with matching permissions, add the user to the group, and remove permissions granted explicitly to the user. Repeat this process until all explicit user permissions are removed and all permissions map to AD groups. This will reduce the write access that specific users may have to different information silos, reducing their ability to infect these areas with the creepy crawlies.
Among other publicly available free tools for assessing permissions, SolarWinds makes a free tool to help analyze permissions.
Common Sense Item #6: AD Software Restriction Policies (free)
If you run a Microsoft Active Directory environment, which 99.9% of our clients do, then the embedded Software Restriction Policies allow you to limit where executables are allowed to run from. Most ransomware to date has downloaded itself and attempted to run from the %AppData% directory. This is strongly recommended for all workstations. It is probably good for servers too, but there is a small possibility it might break some poorly written applications, so we make the customer aware of the change and craft exceptions where needed. The policy shown below will prevent any files from executing in that directory.
Common Sense Item #7: Make Information Security Everyone’s Responsibility (free)
Engage and educate your entire family, team, staff, company, and tribe on the perils of clicking on untrusted bits of information. Create a culture of “if it doesn’t look legit, it probably isn’t” and that it’s safe to always get a second opinion from the IT team – or locally accessible knowledgeable user.
Where possible, company or IT leadership should set a monthly or quarterly meeting timeframe to review the “status of the apparatus” and to ensure that proper security policy and procedure is being followed. eGroup is always happy to facilitate and moderate those discussions if desired.
We’re always here to assist new and existing clients with ensuring they have the knowledge, expertise, and street smarts to run a risk-reduced security environment! Contact us today.