I am amazed that, as a security consultant who has performed hundreds of security risk assessments throughout the United States, I still have several of my former customers experiencing ransomware attacks, causing extensive downtime and even financial losses. Ransomware is as prevalent today as it was a year ago; we just do not hear as much about it now because the only viral pandemic we see on the news is Covid-19. But it is causing tremendous heartache, loss of productivity and even loss of funding. This viral pandemic is continuing to plague organizations throughout the United States. In a recent survey conducted by Gartner, over one half of the companies surveyed in 30 countries revealed that they have been impacted in some way by a ransomware invasion within the past year. These attacks are getting more complex in nature, and hackers are more efficient at exploiting vulnerabilities in networks, servers and even storage. To date, this has left a significant financial hardship approaching an annual global average of $761,106.
With a little perseverance and firewall management, today’s next-generation firewalls are very efficient at defending against ransomware attacks. Why is this not being done? Given the chance to do its job, your firewall may be your best defense against ransomware virus attacks. This blog post discusses how an attack takes place, how you as a network/systems administrator can be proactive in preventing a viral attack, and the best practices for configuring next-generation firewalls and networks to give you the best possible protection.
WHO ARE THE BAD GUYS TARGETING?
The hackers come from every shape, form and fashion known throughout the globe. In a recent report entitled “The State of Ransomware 2020”, 51% of all respondents to the survey indicated a significant impact by ransomware within the past year. Many of these organizations were small, with fewer than 1000 employees. The bottom line is that all organizations are subject to a ransomware attack.
Occasionally our media will report, when they are not talking about the election or Covid-19, a significant ransomware attack that puts your and my personal information at risk. The effects of a ransomware attack on an organization can be devastating: significant financial demands, downtime and disruption, loss of reputation, loss of data and exposure of data to people who will use the data in a negative way.
HOW HACKERS ATTACK OUR NETWORKS
Most of the attacks occurring last year and this year have been directed at servers. These sophisticated attacks are usually not one-off events but represent the final outcome of weeks of investigation, exploitation and implementation. Because of the nature of a server-based attack, these viral infections are far more deadly due to the value of the assets that are encrypted. Encryption of a server can cripple an organization by preventing access to sensitive data, resulting in potential multimillion-dollar ransom demands. The following graphic illustrates the forensics of how a ransomware virus enters an organization.
The data provided shows that most ransomware infects organizations through spam or phishing attacks, primarily through email. Even the best technology in the world may not be able to prevent a viral infection from ransomware when a single individual clicks on a submit button provided in a phishing email. But due diligence dictates that strong firewalls should be able to ward off most virus infestations.
HOW TO STAY PROTECTED FROM RANSOMWARE ATTACKS
Proper protection of your organization from ransomware involves three major initiatives:
1. Upgrade All Security Components
The primary security components that should be addressed are your firewall and endpoint virus protection. By properly maintaining security enhancements, most ransomware attacks can be thwarted. More importantly, should a ransomware attack enter through a phishing scam, firewalls and endpoint protection can help to prevent the virus from spreading and infecting other systems. It is important for systems administrators to perform due diligence and ensure the following components are available:
- Implement a quarantined sandbox environment to analyze infected file behavior before it spreads within your network.
- Ensure next-generation firewall and endpoint protection implements the latest machine learning technology to identify zero-day variants of the viruses.
- Maintain upgrades for firewall Intrusion Protection Systems to include live signature updating to block network exploits.
- Ensure remote VPN access to enable firewall and endpoint protection management is available on demand.
- Review current endpoint protection to ensure that anti-ransomware capabilities are included.
2. Lock down all remote access and management
Network administrators shiver when requests to access internal networks originate from the outside world. External connectivity to internal networks represents a potential vulnerability waiting to be exploited by a hacker implementing a ransomware attack vector. RDP (Remote Desktop Protocol) constitutes a significant vulnerability if not properly managed. Open ports represent potential exploitable vulnerabilities and should be closed unless required to be opened, and other management protocols should be locked down to the minimum access required to utilize the tools. One of the best ways to accomplish this is to require all access to internal networks to occur through a managed VPN (Virtual Private Network) before accessing RDP, open ports, or other management protocols. In addition, the selection of complex passwords, changed on a frequent basis, to secure servers and layer 2 and 3 products will discourage ransomware attack vectors. Another excellent tool to control access is using two-factor authentication products.
3. Implement VLAN Segmenting
One of the worst networking topologies is a single flat network where all endpoints connect into a common switch fabric. This type of network enables a ransomware virus to easily move laterally within a network, propagating attacks, since the flat network offers no firewall protection.
Network administrators should ensure that a local area network is properly segmented into smaller subnets or zones by implementing appropriate VLAN segmentation and routing all legs of the VLAN through a firewall in order to implement virus scanning, malware scanning and intrusion protection protocols to protect individual segments. This constitutes one of the best methods for protecting a network and limiting a ransomware attack.
The decision to zone or VLAN a network really depends upon individual strategy, but both will offer similar protections against lateral movement of ransomware viruses. VLANs are the preferred method for segmenting a network and will offer the greatest flexibility as well as scalability. The only downfall of segmenting a network via a VLAN is the management of layer 3 switching. This is not for the faint of heart and requires significant expertise in managing a network. One of the best strategies for VLAN segmentation is to ensure that less trusted legs of the network are segmented from more vulnerable parts. Segmenting a large network into smaller segments will aid threat prevention and reduce the risk of propagation, especially of a ransomware virus.
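The difference between a flat network and a segmented one can be made concrete by listing which peers one infected workstation can reach without the firewall ever seeing the traffic. The following is an added example, not part of the original post; the host names, subnets, policy tuple and port list are all constructed assumptions.

```python
import ipaddress

# Constructed address plans; host names, subnets and the policy are assumptions.
HOSTS = {"ws-01": "10.0.10.21", "ws-02": "10.0.10.22",
         "file-srv": "10.0.20.5", "db-srv": "10.0.20.6", "guest-01": "10.0.30.50"}
FLAT_PLAN = {"lan": "10.0.0.0/16"}
VLAN_PLAN = {"workstations": "10.0.10.0/24", "servers": "10.0.20.0/24",
             "guest": "10.0.30.0/24"}
# Inter-VLAN flows the firewall permits: (source zone, destination zone, port).
FIREWALL_POLICY = {("workstations", "servers", 445)}
LATERAL_PORTS = (445, 3389)  # SMB and RDP


def zone_of(ip, plan):
    """Name of the segment whose subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    for zone, cidr in plan.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    raise ValueError(f"{ip} is not in any segment")


def reachable_from(host, plan, policy):
    """Map each reachable peer to how it is reached from host.

    'uninspected' means same segment: switched traffic the firewall never sees.
    'via firewall' means a routed flow the policy allows, where IPS can scan it.
    """
    src_zone = zone_of(HOSTS[host], plan)
    reach = {}
    for peer, ip in HOSTS.items():
        if peer == host:
            continue
        dst_zone = zone_of(ip, plan)
        if dst_zone == src_zone:
            reach[peer] = "uninspected"
        elif any((src_zone, dst_zone, p) in policy for p in LATERAL_PORTS):
            reach[peer] = "via firewall"
    return reach


if __name__ == "__main__":
    print("flat:", reachable_from("ws-01", FLAT_PLAN, set()))
    print("vlan:", reachable_from("ws-01", VLAN_PLAN, FIREWALL_POLICY))
```

In the flat plan every peer is reachable uninspected; in the VLAN plan only the neighbouring workstation is, and the server flows pass through the firewall where scanning and IPS policies apply.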
SUMMARY - BEST PRACTICES FOR FIREWALL AND NETWORK CONFIGURATION
- Upgrade your technology to ensure that you have the best protection. This includes a next-generation firewall complete with IPS, TLS inspection, zero-day sandboxing and machine learning ransomware protection.
- Examine RDP rules and lock down RDP as well as similar remote desktop services within your firewall. Restrict access to RDP to users and whitelisted, sanctioned IP addresses only.
- Review all port-forwarding rules to eliminate any non-essential open ports. Secure all open ports by implementing Intrusion Protection systems to all firewall rules governing traffic.
- Ensure support for TLS 1.3 inspection standards on all web traffic to ensure that exploitable threats are not entering your network through encrypted traffic flows.
- Segment all networks through appropriate implementation of VLANs and apply suitable IPS policies to all traffic traversing LAN segments.
- Establish clear security incident response practices to automatically quarantine and isolate any infected system.
- Require all passwords to be complex and strong.
- Implement multi-factor authentication for critical environments.
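The RDP, port-forwarding and IPS items in this checklist can be checked mechanically against an exported rule list. The following is an added example, not part of the original post and not any vendor's export format; the CSV columns, rule names, allowlist and the set of essential public ports are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample export; the column names are assumptions, not a vendor format.
SAMPLE_RULES = """name,direction,source,dest_port,action,ips_enabled
rdp-vendor,wan_to_lan,203.0.113.10/32,3389,allow,yes
rdp-legacy,wan_to_lan,any,3389,allow,no
web-portal,wan_to_lan,any,443,allow,yes
ssh-admin,wan_to_lan,198.51.100.0/24,22,allow,no
old-ftp,wan_to_lan,any,21,allow,yes
block-all,wan_to_lan,any,any,deny,no
"""

REMOTE_ADMIN_PORTS = {"3389": "RDP", "22": "SSH", "5900": "VNC"}
SANCTIONED_SOURCES = [ipaddress.ip_network("203.0.113.10/32")]  # assumed allowlist
ESSENTIAL_PUBLIC_PORTS = {"443"}  # assumed: the only service meant to be public


def source_is_sanctioned(source):
    """True only if the rule's source lies entirely inside an allowlisted network."""
    if source == "any":
        return False
    net = ipaddress.ip_network(source, strict=False)
    return any(net.subnet_of(allowed) for allowed in SANCTIONED_SOURCES)


def audit_rules(csv_text):
    """Return (rule_name, finding) pairs for inbound allow rules that break the checklist."""
    findings = []
    for rule in csv.DictReader(io.StringIO(csv_text)):
        if rule["direction"] != "wan_to_lan" or rule["action"] != "allow":
            continue
        port = rule["dest_port"]
        if port in REMOTE_ADMIN_PORTS and not source_is_sanctioned(rule["source"]):
            findings.append((rule["name"], f"{REMOTE_ADMIN_PORTS[port]} open to non-sanctioned source"))
        elif port not in REMOTE_ADMIN_PORTS and port not in ESSENTIAL_PUBLIC_PORTS:
            findings.append((rule["name"], "non-essential port forward"))
        if rule["ips_enabled"] != "yes":
            findings.append((rule["name"], "no IPS policy on rule"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```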
Martin Yarborough and Associates can help you secure your network through an appropriate Security Risk Assessment. We review your practices against an industry-standard framework to ensure that the appropriate practices, procedures, and policies are in place. In addition, we will perform vulnerability scans on all external or public-facing endpoints as well as critical infrastructure internal to your network. This security risk assessment offers tremendous advantages in terms of visibility into your overall network health and in assessing your capability to automatically respond to significant ransomware or other security incidents.