five ways to protect your networks from a cryptovirus


Upload: phamdat

Post on 14-Feb-2017


FIVE WAYS TO PROTECT YOUR NETWORKS FROM A CRYPTOVIRUS

www.focustsi.com

WHAT IS A CRYPTOVIRUS AND HOW BIG IS THE THREAT?

Cryptoviruses belong to a group of malware known as ransomware. Once opened, these viruses begin encrypting every accessible file in your network, and usually complete the task in under three minutes. Once your files are locked, you usually receive a ransom message letting you know that unless you pay the hacker, your data will remain encrypted or be destroyed. Unfortunately, these insidious attacks are on the rise. Hollywood Presbyterian Medical Center was attacked with ransomware in February 2016; they had to keep handwritten records on paper for 10 days before they paid the $17,000 ransom.[i] Many organizations that are hit with a cryptovirus can be crippled by the loss of data and downtime, as well as expensive ransom payments. Here are some startling facts:

Kaspersky Labs detected 2,900 NEW malware modifications in Q1 2016, a 14% increase over Q4 2015.[ii]

The number of users that experienced ransomware attacks in Q1 2016 increased by 30% from the previous quarter.[iii]

Kaspersky now has 15,000 ransomware modifications in their database, and the number is expected to keep growing rapidly.[iv]


WHY DOESN’T ANTIVIRUS SOFTWARE STOP A CRYPTOVIRUS?

Many companies believe that a good antivirus (AV) program will protect them from a cryptovirus. While a good AV program definitely helps, it doesn’t always prevent a cryptovirus. Even if you update your AV definitions daily, you are still vulnerable to what are called “zero-day attacks.” Once a cryptovirus is created, attackers continue to modify the code so they can bypass your network AV, which only looks at the virus signatures. The reality is that, with the alarming rise in ransomware attacks, it is likely most companies will be infected at some point, so it is critical to take as many precautions as possible.

FIVE WAYS TO PROTECT YOUR NETWORK FROM A CRYPTOVIRUS ATTACK

1. Limit network sharing privileges

This is the most important action you can take to prevent the spread of a cryptovirus. When a computer on your network is infected, the cryptovirus will encrypt every file it can access. You can limit the damage by giving each user account the fewest network privileges possible without inhibiting productivity. You should also ensure that all network backups are only accessible by network administrators or your back-up company, if applicable. When you need to access a drive to restore data, make sure permissions are set to read-only, in case there is an undetected cryptovirus that is dormant in your network. In addition, we recommend that only one or two people have domain admin permissions, and that you sandbox any elevated permissions for your IT staff. Anyone with domain admin permission should have two accounts: one for everyday use, and a sandbox account with elevated permissions that is only used when working on specific tasks. This way, if your network is infected, the damage to your networks and back-ups is as contained as possible.


2. Utilize industry-leading antivirus programs

Educate your users on malware and constantly update all of your software with the latest patches. Use a good antivirus product and automatically check for new virus definitions every day. Check all other applications daily, or weekly, for security updates and patches to close any new security vulnerabilities. Next, educate your users on why they should not bypass security warnings or settings, and train them on what to do if they are infected. Each of your users should know not to click on strange links, download any foreign .zip files, or bypass a site security message. Regularly remind your users of these best practices and send periodic updates on the latest malware tactics, as well as directions on what they should do in the event of an attack.

3. Consider a next-gen firewall with Intrusion Prevention Services (IPS)

There are a few new options in next-gen firewalls, such as Cisco FirePOWER, that provide you with IPS and a contextual view of your network. This enables you not only to block known malware sources and spam centers, but also to see what each application and user is doing, and to watch traffic patterns and behaviors for suspicious activity. This is especially important since many viruses are now bypassing the firewall and infecting networks in an east-west movement, rather than directly from the internet. When employees are away from the network and connect to the internet from a hotel, airport or other public network, they may accidentally download a virus. Once they return to the network, that virus can bypass your firewall by going from the computer over the LAN and infecting your network. Many next-gen firewalls have IPS sensors that are dedicated to monitoring LAN traffic and identifying these viruses by tracking anomalous behavior.


4. Use several different methods of filtering information

a. Use DNS inspection as a security tool. OpenDNS security products, now a part of Cisco, handle billions of domain requests per day and run the data through algorithms that locate malicious infrastructures. The software sits between your network and the root DNS servers. Once it detects a suspicious site, it will block user access so the malicious site cannot download the virus.

b. Use group policies for Windows. By setting up group policies for Windows, you can prevent cryptoviruses from launching themselves from their most common spots. Cryptoviruses frequently launch themselves from specific folders in the user profile, which is an uncommon launch point for legitimate programs. By preventing executable files from launching from these locations, you can block a number of cryptovirus infections.
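The rule described in (b), as an added example that is not part of the original document: it evaluates path-based deny rules against constructed process-creation records to show which launches such a policy would stop. The folder patterns, extension list and event fields are assumptions, since the page names no specific folders.

```python
import fnmatch
import ntpath

# Assumption: the page names no folders; these profile locations are illustrative.
DENY_FOLDERS = [
    r"c:\users\*\appdata\roaming\*",
    r"c:\users\*\appdata\local\temp\*",
    r"c:\users\*\downloads\*",
]
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd"}


def normalise(path):
    """Canonicalise a Windows path so rule matching cannot be sidestepped
    by mixed case, forward slashes or '..' segments."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def would_block(image_path):
    """Return the matching deny rule for an executable path, or None."""
    path = normalise(image_path)
    if ntpath.splitext(path)[1] not in EXEC_EXTENSIONS:
        return None
    for rule in DENY_FOLDERS:
        if fnmatch.fnmatchcase(path, rule):
            return rule
    return None


def audit(events):
    """Split process-creation records into (blocked, allowed) image paths."""
    blocked, allowed = [], []
    for event in events:
        (blocked if would_block(event["image"]) else allowed).append(event["image"])
    return blocked, allowed


# Constructed process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "alice", "image": r"C:\Program Files\Office\WINWORD.EXE"},
    {"user": "alice", "image": r"C:\Users\alice\AppData\Roaming\invoice.exe"},
    {"user": "bob", "image": "C:/Users/bob/AppData/Local/Temp/7z01/setup.EXE"},
    {"user": "bob", "image": r"C:\Windows\..\Users\bob\Downloads\update.scr"},
    {"user": "carol", "image": r"C:\Users\carol\Documents\report.docx"},
]

if __name__ == "__main__":
    blocked, allowed = audit(SAMPLE_EVENTS)
    for path in blocked:
        print("BLOCK", path)
    for path in allowed:
        print("allow", path)
```

Running the same rules over existing process logs before enforcing them shows which legitimate per-user programs would need an exception.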

5. Have a reliable back-up solution with routine restores

Regular back-ups are the best way to protect your business from ransomware. Unfortunately, in a recent study, 36% of businesses did not back up their data at all, and among those that do, 42% said they back up “from time to time.”[v] We recommend having at least two back-ups, stored in two different locations, one of which should be off-site. In addition, many new ransomware viruses are hiding in your system in order to infiltrate your backups. Many viruses go unnoticed in the network for an average of 220 days,[vi] so ensure that you keep a one-year history of at least weekly back-ups with multiple restore point options. This way, if your network is infected with ransomware, or one of your back-ups is corrupted, you can salvage your data and productivity quickly.
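The retention recommendation above, expressed as a check over a backup catalogue (an added example, not part of the original document): it flags fewer than two locations, no off-site copy, a history shorter than one year, and any gap longer than a week between restore points. The catalogue fields, site names and dates are constructed assumptions.

```python
from datetime import date, timedelta


def check_backup_policy(points, today, history_days=365, max_gap_days=7):
    """Return a list of findings; an empty list means the policy is met.

    points: dicts with 'date' (datetime.date), 'location' (str), 'offsite' (bool).
    """
    findings = []
    if len({p["location"] for p in points}) < 2:
        findings.append("fewer than two backup locations")
    if not any(p["offsite"] for p in points):
        findings.append("no off-site copy")

    window_start = today - timedelta(days=history_days)
    dates = sorted({p["date"] for p in points if window_start <= p["date"] <= today})
    # The oldest restore point must reach back to the start of the window.
    if not dates or (dates[0] - window_start).days > max_gap_days:
        findings.append(f"history shorter than {history_days} days")
    # Consecutive restore points (and the newest one versus today) must be
    # no more than max_gap_days apart.
    checkpoints = dates + [today]
    for earlier, later in zip(checkpoints, checkpoints[1:]):
        gap = (later - earlier).days
        if gap > max_gap_days:
            findings.append(f"gap of {gap} days after {earlier}")
    return findings


def weekly_points(today, weeks, sites, skip=()):
    """Build constructed sample data: one restore point per week per site."""
    return [
        {"date": today - timedelta(weeks=k), "location": name, "offsite": off}
        for k in range(weeks) if k not in skip
        for name, off in sites
    ]


# Constructed sample catalogues, not taken from any real backup system.
TODAY = date(2017, 2, 14)
GOOD = weekly_points(TODAY, 53, [("office-nas", False), ("remote-vault", True)])
WEAK = weekly_points(TODAY, 53, [("office-nas", False)], skip=(10, 11))

if __name__ == "__main__":
    print("GOOD:", check_backup_policy(GOOD, TODAY) or "policy met")
    print("WEAK:", check_backup_policy(WEAK, TODAY))
```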


WHAT SHOULD YOU DO IF YOUR NETWORK IS INFECTED WITH A CRYPTOVIRUS?

IT professionals know that the first thing to do if you suspect a cryptovirus infection is to disconnect the network cord, or shut down your computer. We recommend that you train each user that connects to your network to shut down their computer or disconnect from the network at the first sign of trouble, and to contact your IT group for support. Educating your users and training them on how to respond to a potential infection can significantly decrease the scope and damage of a ransomware attack.

THE BOTTOM LINE

If you implement the strategies above, you can significantly decrease the likelihood of a cryptovirus infection on your network. With proper back-ups you can also ensure that if you are infected you will be able to restore all, or most, of your organization’s data. With the growth of cryptoviruses, we know many organizations need help optimizing their network defenses. We are currently offering a complimentary security assessment (https://www.focustsi.com/lp/free-security-assessment/) to review your:

- Firewall technology
- Security programs and policies
- Back-up and recovery plan

One of our security consultants will review your IT environment, give you an honest assessment of your risk, and offer strategies to improve your security. Visit https://www.focustsi.com/lp/free-security-assessment/ or call us at 617-938-6200 to arrange a free security assessment.

Focus Technology Locations
1 Van de Graaff Drive, Suite 101, Burlington, MA 01803
93 Ledge Road, Seabrook, NH 03874

[i] http://www.latimes.com/business/hiltzik/la-fi-mh-2016-is-the-year-of-ransomware-20160308-column.html
[ii] http://www.kaspersky.com/about/news/virus/2016/Ransom-Aware
[iii] http://www.kaspersky.com/about/news/virus/2016/Ransom-Aware
[iv] http://www.kaspersky.com/about/news/virus/2016/Ransom-Aware
[v] http://www.itproportal.com/2016/04/22/a-third-of-businesses-dont-backup-crucial-data/
[vi] https://www.telekom.com/media/company/293678

ABOUT FOCUS

Focus Technology has been a leading provider of strategic IT consulting, technology sales, and managed services in New England since 1998. Our award-winning team designs solutions that help you meet your business goals by utilizing the latest technology to improve efficiency, enhance connectivity, and tighten security. Whether you are a small business looking to completely outsource your IT management, or you are an enterprise organization that needs to cost-effectively augment your staff with additional subject-matter experts, we can create a solution that fits your exact requirements.