JKWiniger
Community Champion

Ransomware - questions

With so much ransomware in the news I have often wondered if the companies that get hit are simply not following best practices or if there is something I am not aware of.

If you are doing your updates, have antivirus and anti-malware tools which are geared towards ransomware, and have proper backups, shouldn't that cover most of this stuff?

Granted there is always the new stuff that slips by, but at the rates of occurrence this doesn't seem to be the case.

Thoughts?

John-

13 Replies
rslade
Influencer II

> JKWiniger (Newcomer II) posted a new topic in Tech Talk on 01-04-2020 10:42 AM

> With so much ransomware in the news I have often wondered if the companies that
> get hit and simply not following best practices or if there is something I am
> not aware of.   If you are doing your updates, have antivirus and malware which
> are geared towards ransomware, and have proper backups shouldn't that cover most
> of this stuff?

No, I don't think there is anything you are missing. Yes, those countermeasures
should keep most people safe most of the time. (Particularly the backups. And
proper, multi-layered backups, most of them offline.)

>   Granted there is always the new stuff that slips by but at the
> rates of occurrence this doesn't seem to be the case.

I'd agree. The extremely high rates of ransomware "hits" seem to me to indicate
two things: 1) most security plans are abysmal, and, given #1, 2) the blackhats
realize that the easiest way to make money these days is to produce and seed out
as much ransomware as possible.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The Tao of network protocols:
If all you see is IP, you see nothing. - Greg Minshall
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
JKWiniger
Community Champion

I guess to me I felt like I must have been missing something for these things to be so basic, yet for so many places to be getting hit with ransomware. There are a lot of things that seem so simple to me that it leads me again to think I must be wrong, and hence has led me to a touch of imposter syndrome at times.

This has been eye opening, thank you.

John-

dcontesti
Community Champion

I think you got the basics down as all those things SHOULD protect you.  The operative word here is SHOULD, but one must remember it only takes one machine to not be patched or the AV not be working (yup, this happens) for ransomware or any other virus/malware to take hold of your environment.

Patching can sometimes be difficult and even when one thinks they are 100%, someone pulls out a computer from under a desk that hasn't been patched in months or allows an unprotected device to attach to the network (they just want to take that spreadsheet home to work on, etc.).  The problem is typically the human factor.

Along with the three you mention, I would add a strong dose of Security Awareness training, especially on what is allowed and not allowed on your network, what patching means and why it is done.

my nickel

d

AppDefects
Community Champion

The prevailing assumption in this thread is that organizations and many local government IT shops are doing the right thing (i.e., the "basics"). Well, news flash: they are not. They don't control user authentication and authorization with the basic philosophy of least privilege. There are lots of organizations that give their users "admin" on their local machines and over-provision roles on databases. Can you say lateral movement? I knew you could.

Steve-Wilme
Advocate II

It's often patch delay time being exploited.  Whilst you know there's a patch and it's in testing, you haven't fully deployed it yet.  So if you're patching monthly, you need to consider moving to weekly or even daily!  You need to consider what happens if you have a major incident that diverts resource, cover over holidays and what to do if staff are away ill.   You need to consider how you can get remote machines patched and you need to posture check them when they come back into the office.  Whilst companies are often trying to do the right thing, it's only by completing the work that malware is kept at bay.  

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
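The two preceding replies make the same point from different angles: it takes one unpatched or unprotected machine, and the gap between "we patch monthly" and "every machine, including the laptops that come back from the road, is actually current" is where the exposure sits. The following is an added example, not code from the thread or any of its posters, of the kind of posture check Steve describes, run over a constructed endpoint inventory. The policy thresholds (weekly patching, two-day signature age, fourteen-day check-in window) and the `Endpoint` fields are assumptions for the example.

```python
"""Endpoint posture check over a constructed inventory (added example).

Flags the situations the thread describes: a machine whose patch level is
stale, AV that is not running or has old signatures, a device that has not
reported in (so its posture is unknown), and a device that is not enrolled
in management at all.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds: assumed values for this example, not from the thread.
MAX_PATCH_AGE_DAYS = 7          # weekly cadence, as the post suggests
MAX_AV_SIGNATURE_AGE_DAYS = 2
MAX_CHECKIN_AGE_DAYS = 14       # beyond this we do not know the device state


@dataclass
class Endpoint:
    hostname: str
    last_patched: Optional[date]   # None = never reported a patch cycle
    av_running: bool
    av_signatures: Optional[date]  # date of the signature set in use
    last_checkin: date             # last time the agent reported
    managed: bool                  # enrolled in patch/AV management


def assess(ep: Endpoint, today: date) -> List[str]:
    """Return the policy findings for one endpoint (empty list = compliant)."""
    findings: List[str] = []
    if not ep.managed:
        # Nothing else reported by an unmanaged device can be trusted.
        findings.append("unmanaged device on network")
        return findings
    if ep.last_patched is None or (today - ep.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("patch level stale")
    if not ep.av_running:
        findings.append("AV not running")
    elif ep.av_signatures is None or (today - ep.av_signatures).days > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append("AV signatures stale")
    if (today - ep.last_checkin).days > MAX_CHECKIN_AGE_DAYS:
        findings.append("not seen recently, posture unknown")
    return findings


def posture_report(inventory: List[Endpoint], today: date) -> Dict[str, List[str]]:
    """Map hostname -> findings for every endpoint that is not compliant."""
    return {ep.hostname: f for ep in inventory if (f := assess(ep, today))}


# Constructed sample inventory; the "today" date is only a fixed reference point.
TODAY = date(2020, 1, 4)
SAMPLE = [
    Endpoint("ws-101", date(2020, 1, 2), True, date(2020, 1, 3), date(2020, 1, 4), True),
    Endpoint("ws-102", date(2019, 11, 15), True, date(2020, 1, 3), date(2020, 1, 4), True),
    Endpoint("lt-007", date(2019, 12, 30), False, None, date(2019, 12, 12), True),
    Endpoint("byod-x", None, False, None, date(2020, 1, 4), False),
]

if __name__ == "__main__":
    for host, findings in posture_report(SAMPLE, TODAY).items():
        print(f"{host}: {', '.join(findings)}")
```

The report lists only the machines that fail policy, which is the list you actually want to act on; a compliant workstation such as `ws-101` in the sample produces no output. The unmanaged device short-circuits on purpose: a device that is not enrolled cannot be trusted to report anything, so the finding is "get it enrolled or off the network", not a list of its other gaps.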
JKWiniger
Community Champion

On patching and updating, I have been wondering if it is possible to get disclosure from vendors about what libraries and subsystems are in their products. If I see there has been a vulnerability or bug found in one of these I don't always know if I am affected due to this lack of disclosure. Even if there is no patch available I would still be able to mitigate the risk in different ways, if I know I am at risk.

So am I missing anything on getting this disclosure?

John-
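The disclosure John is asking for is what a software bill of materials (SBOM) provides: a machine-readable list of the components inside a product. Once you have one, the question "does this advisory affect me?" becomes a lookup. The following is an added example, not code from the thread or from any vendor, that walks a CycloneDX-shaped SBOM (a real SBOM format; the document here is constructed, with made-up component names such as `acme-json-parser`) and reports every copy of a named library whose version falls inside a constructed advisory's affected range. Nested components are searched too, since a library bundled inside another component is still on your machine.

```python
"""Match a CycloneDX-style SBOM against an advisory's affected version range.

Added example. The SBOM document, the product name "VendorApp", the component
names and the advisory are all constructed for illustration.
"""
import json
from typing import Dict, Iterator, List, Tuple

# Constructed SBOM in the CycloneDX JSON shape (bomFormat/specVersion/components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application", "name": "VendorApp", "version": "7.2"}},
  "components": [
    {"type": "library", "name": "acme-json-parser", "version": "3.1.9"},
    {"type": "library", "name": "acme-tls", "version": "1.0.4",
     "components": [
       {"type": "library", "name": "acme-json-parser", "version": "3.0.2"}
     ]},
    {"type": "framework", "name": "acme-web", "version": "5.0.0-rc1"}
  ]
}
"""

# Constructed advisory: versions >= introduced and < fixed are affected.
ADVISORY = {"name": "acme-json-parser", "introduced": "3.0.0", "fixed": "3.2.5"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH[-suffix]' into a comparable tuple of ints."""
    core = v.split("-", 1)[0]           # drop pre-release suffixes such as -rc1
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str, advisory: Dict[str, str]) -> bool:
    """True when version lies in [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def walk(components: List[dict], path: Tuple[str, ...] = ()) -> Iterator[Tuple[dict, Tuple[str, ...]]]:
    """Yield every component with the path of parents it is bundled under."""
    for c in components:
        here = path + (f"{c['name']}@{c['version']}",)
        yield c, here
        # CycloneDX allows a component to carry its own nested components.
        yield from walk(c.get("components", []), here)


def affected_components(sbom: dict, advisory: Dict[str, str]) -> List[str]:
    """Return a 'parent -> child' path string for each affected copy of the library."""
    hits = []
    for component, path in walk(sbom["components"]):
        if component["name"] == advisory["name"] and is_affected(component["version"], advisory):
            hits.append(" -> ".join(path))
    return hits


if __name__ == "__main__":
    sbom = json.loads(SBOM_JSON)
    product = sbom["metadata"]["component"]
    for hit in affected_components(sbom, ADVISORY):
        print(f"{product['name']} {product['version']} is affected via {hit}")
```

In the sample the top-level `acme-json-parser` 3.1.9 and the copy bundled inside `acme-tls` both fall in the affected range, so the product is exposed twice even though a naive "is the library listed?" check would report it once. The version comparison is deliberately simple (numeric dotted versions only); real ecosystems have their own ordering rules, so for production use you would swap in the version scheme of the component's ecosystem rather than trust this tuple comparison.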

4d4m
Newcomer III

Whilst I agree that you need to follow the basics of protection and have good detection, and good incident response (some way to restore from backup that works and is operational, etc.), there are two things to consider:

- some networks are massive and sprawling, and include mergers and suppliers and all sorts of third parties, going through a state of transition. So, it isn't that simple to know if it is all in a good state. I am not making excuses for people, but not all networks are equal

- in some ransomware attacks the attackers have come in quietly, monitored the infrastructure, and even replaced the software update management mechanisms, the ransomware part being the last visible step.

I think the most important thing is to have good fine-grained configuration. You can have all the patching and malware protection, and backups, but if the configuration is weak then protections can be bypassed, restores can fail, and businesses can be unprepared to communicate in an incident.

Best

Adam

JKWiniger
Community Champion

That LEAST PRIVILEGE has stuck in my head and I just have to say that it is crazy how many times I have had vendors not specify the exact privileges needed on a service required for their product!
rslade
Influencer II

> dcontesti (Community Champion) posted a new reply in Tech Talk on 01-04-2020
> I think you got the basics down as all those thing SHOULD protect you.  The
> operative word here is SHOULD but one must remember it only takes one machine to
> not be patched or the AV not be working (yup this happens) for Ransomware or any
> other virus/malware to take hold of your environment.
And if you've got a backup, as backup to the other countermeasures, then you SHOULD be OK ...

