Ransomware is just one incarnation of the threat landscape in which our businesses and public agencies operate today.
The recent outbreak illustrates some key facts and principles that assist organisations to defend against attack.
Many other guides provide advice about how to respond to attacks, prepare using strong backup strategies, and deliver a defence in depth. This is a quick guide as to how security can be improved in a practical way, which may assist IT and security operations teams in protecting and responding to similar attacks.
1). Communicate with the users
Many of the attacks which occur today are activated by user action: A likely but false message demands their action, and a piece of malware is activated.
While it may seem easy to say, constant and active education and communication with the users of a system needs to be undertaken, to ensure that people come to the IT Security operator first, either before or during a potential attack.
Creating the correct culture of communicating about threat is essential, as well as encouraging early reporting of concerns. With attacks like Ransomware, time is of the essence, so that backups may be accessed, remediation actions taken, or further communication can be made.
At times of high risk, encourage that staff communicate to the IT and Security team, and set up a mechanism to support this.
2). The value of patching
While some attacks are based on undisclosed, Zero-day attacks, many attacks are based on known vulnerabilities. In the recent case, there was a known exploit for which security patches have been released.
Patching is one of the key recommendations from the ASD top 4 mitigations for a reason https://www.asd.gov.au/publications/protect/top_4_mitigations.htm : Keeping up to date on security patches is valuable since it reduces the risk of infection, and reduces the attack surface available.
3). Visibility and control of content
Many of the recent attacks have used TLS (SSL) encryption to either deliver the initial infection or to control a device once infected.
Older firewall or proxy devices may not be inspecting this traffic for the same reason that you use encryption for Internet banking: breaking into the communications channel is very hard, unless you have a trusted device.
A. Deploy an updated SSL inspecting gateway
This requires deployment of trust between the end devices and the gateway, and significant compute resources to keep up with the encryption. For recent platforms, these capabilities can be switched on, or licensed and configured within a few days.
Identifying if the function can be configured on your firewall may not be enough for a long term solution: The most recent generations of Firewalls are capable of this, but prior generations can have a performance hit of up to 80%
B. Deploy Controls on the Endpoint
Application Whitelisting is a technology that controls the security of devices, by limiting which programmes may operate on them, preventing unauthoriSed execution of malware.
Additionally to this can be added advanced threat management solutions such as Cisco’s Advanced Malware Protection system, which identifies and sandboxes files, and assists in tracking and remediating attacks even retrospectively.
C. Fill in the gaps with a basic defence
Platforms with specific requirements, limited control from IT (e.g. outsourced, facilities management) or IoT Devices may not be able to be controlled the same way as PCs or Servers: They may not be patched the same way, or be able to incorporate certificates for TLS inspection.
These devices require a base protection based on global threat intelligence, such as the Cisco OpenDNS Umbrella platform, which can be easily deployed without reconfiguration of end-devices.
D. Controlling the porous network
Many organisations are delivering IT services flexibly, and now permit staff to operate from anywhere: A branch, café or home. With this increased productivity comes the question.
How do we effectively control security for the remote device?
Users may be able to have traffic inspected by the Next-Generation Firewall platform at the office, but may access personal e-mail while at home, which avoids inspection.
Traditional approaches tunnel traffic back to the corporate data centre for inspection and control. While these solutions are effective, they may induce delay for operations in today’s SaaS and cloud-oriented environments.
An always-on cloud-based security control such as Cisco’s Secure Internet Gateway may be more applicable.
What can I do today?
Here are our top tips for rapidly improving your security posture today
- Redirect your upstream DNS to Cisco’s OpenDNS 220.127.116.11 and 18.104.22.168, which can be done even without a subscription. This will provide the most basic defence against global threats.
- Trial OpenDNS Umbrella, which can be used to deploy another tier of security and internet threat controls easily with limited operational impact
- Get an assessment of your existing platforms, and how features may be activated. If you have a “Next- Generation Firewall” or modern web gateway, TLS inspection may be able to be deployed in the short term
- Get advice on managing patching and application whitelisting.
- Communicate to the users in your organization about security]
If you need assistance and advice about how to accomplish these steps, Contact Us – as your organisation isn’t the only one with similar challenges.
To find out how Thomas Duryea Logicalis Advisory & Consulting Services can support you with your Security strategy Click Here!
This Blog was written by Greg Daley - TDL Solutions Architect