- How/why did this happen?
- How can we make sure this never happens again?
- Drop Administrator Rights
To be clear, this step alone does not protect you from ransomware, which can affect admin and non-admin users alike. However, it can help to contain an outbreak and confine it, resulting in a relatively smaller incident. I’ve lost count of the number of times I’ve written about how running with full administrative rights over your own PC is a bad idea. The more power you have, the more power you have to do damage. There’s no need to perform everyday tasks – like reading email or surfing the web – as an administrator. You or your IT staff can set this up on most desktop systems with very little effort, and reap a very big reward as a result.
- Patch, Patch, Patch
Make sure you have a regular, diligent schedule for applying patches, so that both your operating system (Windows, Mac, Linux, iOS, Chrome, or Android) and your third-party applications and add-ons (from Microsoft, Adobe, Oracle, Google, Mozilla, Apple, etc.) have the latest security updates. Malware almost always exploits security flaws in programs, and these flaws are “patched” in software updates from the publisher. Make sure these are applied promptly.
- Use a Web Content Filter to Limit Internet Access
If you and your staff don’t need it to do your job, don’t allow it. Period. Most of your employees do not need access to Facebook, Amazon, CNN, YouTube, and a majority of the websites they’re accessing every day. Every time you go online and access a website – any website – you are increasing your exposure to bad things, even if you think the site you’re visiting is perfectly innocent. We’ve seen numerous examples in the last few weeks alone of popular websites that were compromised and used as malware attack platforms.
If you read this and said, “Oh, but we do use YouTube!”, fine: allow YouTube, but block everything else that isn’t needed (like Facebook, Amazon, CNN, etc.).
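As an added illustration, not part of the original post, of what “allow YouTube, block everything else” looks like when a filter enforces it by name: a small allow-list check in Python. The domain list (YouTube plus an assumed internal web application) and the sample URLs are constructed for the example. The point is the edge cases a name-based filter has to handle, namely subdomains, trailing dots, explicit ports, user-info before an `@`, look-alike names, and bare IP addresses.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed allow-list: the one external site the text says is needed, plus an
# assumed internal web application. Everything not listed is denied by default.
ALLOWED_DOMAINS = frozenset({"youtube.com", "intranet.example.com"})


def is_allowed(url: str, allowed_domains=ALLOWED_DOMAINS) -> bool:
    """Allow a request only if its hostname is an allowed domain or a subdomain of one.

    The decision is made on the parsed hostname rather than on the raw string, so the
    usual ways of fooling a naive substring match all end up denied: user-info before
    an '@', a look-alike such as notyoutube.com, an allowed name used as a subdomain of
    another domain, and bare IP addresses (v4 or v6), which sidestep name-based filters.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # already lower-cased; user-info and port are stripped
    if not host:
        return False
    host = host.rstrip(".")  # "youtube.com." is the same name as "youtube.com"
    try:
        ip_address(host)
        return False  # literal IP address: refuse rather than guess who owns it
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


# Constructed sample of what a web proxy might see; not real traffic.
SAMPLE_REQUESTS = [
    "https://www.youtube.com/watch?v=example",
    "https://YouTube.com./",
    "https://youtube.com:8443/feed",
    "https://youtube.com@evil.example/",
    "https://youtube.com.evil.example/",
    "https://notyoutube.com/",
    "http://127.0.0.1/",
    "https://[2001:db8::1]/",
    "ftp://youtube.com/",
]


def decisions(urls=SAMPLE_REQUESTS):
    """Map each URL to ALLOW or BLOCK, the way a proxy log would record it."""
    return {u: ("ALLOW" if is_allowed(u) else "BLOCK") for u in urls}


if __name__ == "__main__":
    for url, verdict in decisions().items():
        print(verdict, url)
```

The first three sample requests are the same site written three ways and are allowed; the remaining six are the ways a user or a piece of malware typically gets around a filter that only looks for the string “youtube.com”, and each is blocked.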
- Configure Your Firewall to Filter OUTbound Traffic
Along with #3, work with your IT staff to ensure that your firewall allows only legitimate traffic both in AND out. A lot of the problems stem from compromised systems inside your network which are allowed to send traffic out to the bad guys. If this communication is blocked, you have a better chance of recovering your system before it’s too late. You have to work with a competent firewall technician to make sure this is done properly.
- Restrict Attachments
First off, if you did not request it, don’t open it, even if the attachment seems to be from someone you know. Consider having your IT staff filter out email attachments; if a job doesn’t require receipt of email attachments, don’t allow them! If you are required to receive attachments to do your job, as is the case for HR professionals, make sure that your default application for handling them is a lesser-functioning viewer, such as the Microsoft Word Viewer. This is a greatly stripped-down program that lacks the features that viruses use to take over your system.
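An added example, not from the post, of the attachment filtering this step recommends for a mailbox that must receive documents: a Python script that rebuilds an incoming message keeping only attachments whose extension is on a short allow-list and whose leading bytes match that extension, so that an executable renamed to `.pdf` is dropped along with script files. The allowed extensions, the addresses and the sample message are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions a (hypothetical) HR mailbox is allowed to receive; anything else is dropped.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg"}

# Leading bytes that genuine files of each allowed type start with, used to catch
# content that does not match the declared extension (e.g. an .exe renamed to .pdf).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}


def attachment_verdict(filename: Optional[str], payload: bytes) -> Tuple[bool, str]:
    """Decide whether one attachment may be delivered; returns (allowed, reason)."""
    name = (filename or "").strip().lower()
    if "." not in name:
        return False, "no file extension"
    ext = "." + name.rsplit(".", 1)[1]  # only the final extension counts
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %s not on the allow-list" % ext
    if payload[:2] == b"MZ":
        return False, "Windows executable disguised with a document extension"
    expected = MAGIC.get(ext)
    if expected is not None and not payload.startswith(expected):
        return False, "content does not look like a %s file" % ext
    return True, "ok"


def filter_message(raw: bytes) -> Tuple[EmailMessage, List[Tuple[str, str]]]:
    """Rebuild the message keeping headers, the plain-text body and only passing attachments."""
    original = email.message_from_bytes(raw, policy=policy.default)
    cleaned = EmailMessage()
    for header in ("From", "To", "Subject"):
        if original[header] is not None:
            cleaned[header] = original[header]
    body = original.get_body(preferencelist=("plain",))
    cleaned.set_content(body.get_content() if body is not None else "")
    blocked = []
    for part in original.iter_attachments():
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        allowed, reason = attachment_verdict(filename, payload)
        if allowed:
            maintype, subtype = part.get_content_type().split("/", 1)
            cleaned.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
        else:
            blocked.append((filename or "(unnamed)", reason))
    return cleaned, blocked


def build_sample_message() -> bytes:
    """Constructed inbound message: a genuine PDF, an executable renamed to .pdf,
    a script file, and a genuine .docx. None of the content is real."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.org"
    msg["To"] = "hr@example.com"
    msg["Subject"] = "Job application"
    msg.set_content("Please find my documents attached.")
    msg.add_attachment(b"%PDF-1.4 constructed resume", maintype="application",
                       subtype="pdf", filename="resume.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed executable", maintype="application",
                       subtype="pdf", filename="cover_letter.pdf")
    msg.add_attachment(b"var x = 1;", maintype="text", subtype="javascript",
                       filename="details.js")
    msg.add_attachment(b"PK\x03\x04 constructed docx", maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="notes.docx")
    return msg.as_bytes()


def run_filter_demo() -> Tuple[List[str], List[str]]:
    """Return (blocked attachment names, delivered attachment names) for the sample."""
    cleaned, blocked = filter_message(build_sample_message())
    delivered = [p.get_filename() for p in cleaned.iter_attachments()]
    return [name for name, _ in blocked], delivered


if __name__ == "__main__":
    cleaned, blocked = filter_message(build_sample_message())
    for name, reason in blocked:
        print("BLOCKED", name, "-", reason)
    print("delivered:", [p.get_filename() for p in cleaned.iter_attachments()])
```

The allow-list is deliberately short and checked on the final extension only, so `invoice.pdf.exe` fails the extension check and `cover_letter.pdf` fails the content check; the two controls together are what makes the “stripped-down viewer” advice workable, because the viewer only ever sees file types it was meant to open.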
- Restrict Access to File Shares (aka “Silo Your Data”)
Most small firms we work with have a single file repository on their network, and every staff member has full access to it, and all of its contents. This means that anyone, from the CEO all the way down to an intern, has the ability to inadvertently encrypt every document on the server. Compartmentalizing data into silos where people have the least privileges required to do their job is the key to keeping a virus outbreak from running rampant through the entire organization.
Note: this expands upon step 1 by further restricting your own ability to accidentally cause damage to other systems you have access to.
- Have Rock Solid Backups
Get a solid, robust backup solution that backs up everything on your system – not just a few files and folders – several times per day (not just overnight), and keeps multiple versions that go back several months, allowing you to go back to prior to the infection. A key step that is too often overlooked: test your backups. Do NOT assume that everything is working fine – test your backups, or have your IT staff test them for you, and give a full report on the restore process. Do a full restore to make sure you could get everything back if the server literally blew up in a ball of flames.
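An added example, not from the post, of the “test your backups” step done as a routine rather than a hope: a Python script that takes a labelled snapshot with a SHA-256 manifest, restores it into a fresh scratch directory, and verifies every file against the manifest; it then shows the same test catching a backup that was silently corrupted after it was written. The directory names, file contents and snapshot label are constructed for the example.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy every file under `source` into backup_root/label/data and record its hash.

    Each call with a new label keeps a separate version, which is what lets you
    roll back to a point before an infection rather than only to last night.
    """
    source = Path(source)
    snapshot = Path(backup_root) / label
    manifest = {}
    for path in sorted(source.rglob("*")):
        if path.is_file():
            rel = path.relative_to(source).as_posix()
            dest = snapshot / "data" / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
            manifest[rel] = sha256_of(path)
    (snapshot / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return snapshot


def verify_restore(snapshot: Path, scratch: Path) -> dict:
    """Restore the snapshot into an empty scratch directory and check every file.

    A backup is only as good as the restore, so the check is done on the restored
    copies, not on the backup medium itself.
    """
    snapshot = Path(snapshot)
    manifest = json.loads((snapshot / "manifest.json").read_text())
    restore_dir = Path(scratch) / "restore"
    shutil.copytree(snapshot / "data", restore_dir)
    problems = []
    for rel, expected in manifest.items():
        restored = restore_dir / rel
        if not restored.exists():
            problems.append("%s: missing from restore" % rel)
        elif sha256_of(restored) != expected:
            problems.append("%s: hash mismatch (backup corrupted or incomplete)" % rel)
    return {"files": len(manifest), "ok": not problems, "problems": problems}


def run_backup_demo():
    """Back up a constructed file share, test the restore, corrupt the backup, test again."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "fileserver"
        (share / "hr").mkdir(parents=True)
        (share / "hr" / "payroll.xlsx").write_bytes(b"constructed payroll data")
        (share / "readme.txt").write_text("constructed readme")

        snap = take_snapshot(share, Path(tmp) / "backups", "2016-03-01T0900")
        good = verify_restore(snap, Path(tmp) / "scratch1")

        # Simulate silent corruption on the backup medium, then re-run the restore test.
        (snap / "data" / "hr" / "payroll.xlsx").write_bytes(b"garbage")
        bad = verify_restore(snap, Path(tmp) / "scratch2")
        return good["ok"], bad["ok"], bad["problems"]


if __name__ == "__main__":
    first_ok, second_ok, problems = run_backup_demo()
    print("restore test before corruption:", "PASS" if first_ok else "FAIL")
    print("restore test after corruption: ", "PASS" if second_ok else "FAIL")
    for line in problems:
        print("  ", line)
```

Run on a schedule, the `verify_restore` report is the “full report on the restore process” the text asks for, and a single hash mismatch is enough to fail the run; a backup that has never been restored this way has never really been tested.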
- Train Your Users
By this, I don’t mean “last year we went through a checklist to make sure our users knew what not to do if they get a phishing email.” Seriously – when was the last time you did something only one time, a year ago, and you remember what it was and how to do it? It just doesn’t work like that! You and your staff need constant education, reminders, and updated information. For starters, make sure your staff know that there are numerous other businesses that are falling victim to ransomware which are delivered as email attachments and through infected websites. Then, work with a competent security professional to educate yourself and your staff in the latest threats so you know what to be on the lookout for.
- Allow Only Whitelisted Applications
This one takes some effort, but the idea is simple: configure your computers to only run authorized applications. That means if you only need to run Word, Excel, and Outlook to do your job, your computer will only run Word, Excel, and Outlook. This does take some work and fine-tuning to get it right, and you need to work closely with your IT provider to make sure that nothing is overlooked, but once you’ve taken these steps, your computer is dramatically more secure because its exposure to harmful programs is significantly reduced.
- Prepare for the Worst
Should all of the above steps fail, which can happen, be prepared to shut down for a while. Speak with an insurance agent who specializes in cyber liability insurance and make sure you are covered against outages and extortion. Most likely, your policies will pay you nothing in such an event. Also, be prepared to pay a ransom, in Bitcoin – an online currency that is completely untraceable (which is why criminals favor it over things like credit cards, gift cards, etc.). Set up an account with a reputable Bitcoin exchange today so that your entire business won’t be stuck for a week twiddling its collective thumbs while you set up accounts that enable payment.
Peter Nikolaidis is an information security professional based in Cambridge, MA. He holds several information security certifications, including the CISSP. In his spare time, he enjoys practicing martial arts and yoga, mountain biking, and thinking about ways to protect the innocent… often from themselves. Connect with Peter on LinkedIn.