With so much ransomware in the news I have often wondered if the companies that get hit are simply not following best practices or if there is something I am not aware of.
If you are doing your updates, have antivirus and malware which are geared towards ransomware, and have proper backups shouldn't that cover most of this stuff?
Granted there is always the new stuff that slips by but at the rates of occurrence this doesn't seem to be the case.
I guess to me I felt like I must have been missing something for these things to be so basic and yet for so many places to be getting hit with ransomware. There are a lot of things that seem so simple to me that it leads me again to think I must be wrong, and hence has led me to a touch of imposter syndrome at times.
This has been eye opening, thank you.
I think you got the basics down, as all those things SHOULD protect you. The operative word here is SHOULD, but one must remember it only takes one machine to not be patched or the AV not be working (yup, this happens) for ransomware or any other virus/malware to take hold of your environment.
Patching can sometimes be difficult and even when one thinks they are 100%, someone pulls out a computer from under a desk that hasn't been patched in months or allows an unprotected device to attach to the network (they just want to take that spreadsheet home to work on, etc......). The problem is typically the human factor.
Along with the three you mention, I would add a strong dose of Security Awareness training especially on what is allowed and not allowed on your network, what patching means and why it is done.
The prevailing assumption in this thread is that organizations and many local government IT shops are doing the right thing (i.e., the "basics"). Well, news flash: they are not. They don't control user authentication and authorization with the basic philosophy of least privilege. There are lots of organizations that give their users "admin" on their local machines and over-provision roles on databases. Can you say lateral movement? I knew you could.
It's often patch delay time being exploited. Whilst you know there's a patch and it's in testing, you haven't fully deployed it yet. So if you're patching monthly, you need to consider moving to weekly or even daily! You need to consider what happens if you have a major incident that diverts resource, cover over holidays and what to do if staff are away ill. You need to consider how you can get remote machines patched and you need to posture check them when they come back into the office. Whilst companies are often trying to do the right thing, it's only by completing the work that malware is kept at bay.
On patching and updating, I have been wondering if it is possible to get disclosure from vendors about what libraries and subsystems are in their products. If I see there has been a vulnerability or bug found in one of these I don't always know if I am affected due to this lack of disclosure. Even if there is no patch available I would still be able to mitigate the risk in different ways, if I know I am at risk.
So am I missing anything on getting this disclosure?
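As an added illustration (not part of this thread or any vendor's tooling), here is how such a component disclosure could be used once you have it: a small script that checks a vendor's component list against an advisory's "fixed in" version to tell you which of your products bundle the affected library. The SBOM contents, product names and advisory values are all constructed, and the version comparison is a simple assumption rather than any vendor's real scheme.

```python
import json
from typing import Dict, List

# Constructed example component disclosure in a CycloneDX-like shape
# (not a real vendor document): which third-party libraries each product bundles.
SBOM_JSON = """
{
  "products": [
    {"name": "InvoiceServer", "version": "4.2", "components": [
      {"name": "libxml2", "version": "2.9.10"},
      {"name": "openssl", "version": "1.1.1k"}
    ]},
    {"name": "ReportTool", "version": "7.0", "components": [
      {"name": "openssl", "version": "3.0.2"}
    ]}
  ]
}
"""


def parse_version(v: str) -> tuple:
    """Split '1.1.1k' into a comparable tuple: numeric part as int, letter suffix as str."""
    parts = []
    for piece in v.split("."):
        num = ""
        while piece and piece[0].isdigit():
            num, piece = num + piece[0], piece[1:]
        parts.append((int(num) if num else 0, piece))
    return tuple(parts)


def affected_products(sbom_json: str, component: str, fixed_in: str) -> List[Dict[str, str]]:
    """Return products bundling `component` at a version older than `fixed_in`.

    `fixed_in` is the first non-vulnerable version named by a (hypothetical) advisory.
    """
    sbom = json.loads(sbom_json)
    hits = []
    for product in sbom["products"]:
        for comp in product["components"]:
            if comp["name"] == component and parse_version(comp["version"]) < parse_version(fixed_in):
                hits.append({"product": product["name"],
                             "product_version": product["version"],
                             "component_version": comp["version"]})
    return hits


if __name__ == "__main__":
    # Hypothetical advisory: openssl fixed in 1.1.1l. ReportTool ships 3.0.2 and is not listed.
    for hit in affected_products(SBOM_JSON, "openssl", "1.1.1l"):
        print(hit)
```

With a real disclosure you would replace the constructed SBOM with the vendor's list and the advisory values with the published ones; products that come back as hits are the ones to mitigate while waiting for a patch.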
Whilst I agree that you need to follow the basics of protection and have good detection, and good incident response (some way to restore from backup that works and is operational etc.), there are two things to consider:
- some networks are massive and sprawling, and included mergers and suppliers and all sorts of third parties, going through a state of transition. So, it isn't that simple to know if it is all in a good state. I am not making excuses for people, but not all networks are equal
- in some ransomware attacks the attackers have come in quietly, monitored the infrastructure, and even replaced the software update management mechanisms, the ransomware part being the last visible step.
I think the most important thing is to have good fine grained configuration. You can have all the patching and malware protection, and backups, but if the configuration is weak then protections can be bypassed, restores can fail, businesses can be unprepared to communicate in an incident.
> dcontesti (Community Champion) posted a new reply in Tech Talk on 01-04-2020
> I think you got the basics down as all those thing SHOULD protect you. The
> operative word here is SHOULD but one must remember it only takes one machine to
> not be patched or the AV not be working (yup this happens) for Ransomware or any
> other virus/malware to take hold of your environment.
And if you've got a backup, as backup to the other countermeasures, then you SHOULD be OK ...