#HowTo Reduce Your Ransomware Attack Surface


Over the years, ransomware has grown from a little-known occurrence to something that can take down any business, organization, or a nation’s critical infrastructure in nearly an instant. From downtime and economic devastation, to loss of life, today’s ransomware is clearly beyond the scope of just being a nuisance.

It has already been well documented that ransomware could be life-threatening if the wrong organization is compromised. So, where are organizations getting it wrong, and what changes can you make to get it right when it comes to ransomware defenses?

All security professionals will be able to tell you that there’s no silver bullet to defend against all varieties of ransomware, but there are strategic IT security practices and key technologies that can help eliminate many types of ransomware outright and dramatically reduce the overall risk of suffering a devastating attack.

So, how can your organization significantly improve its chances of surviving a potential ransomware attack, beyond protections that focus on phishing attacks?

Secure remote access pathways

Remote access, particularly by third-party vendors, is often the weakest link in network security. Many factors contribute to the unique difficulties of securing third-party access. Vendors authorized to access the network and applications might not adhere to the same level of security protocols as the organization. Perhaps they use weak, or worse yet, default passwords, or share a single set of credentials amongst numerous people or multiple third-party vendors.

Another risky practice is the use of virtual private networks (VPNs) to extend “secure” access to vendors. Hackers often target vulnerabilities or misconfigurations in VPN technology to compromise the supply chain and then steal sensitive company data. VPNs generally provide broad, often excessive, access to network resources. Not only does this create a potential surface for mischief, but it also gives even the legitimate third-party user access to far more than the one or two applications they might really need.

Organizations can take control of remote access by eliminating “all or nothing” remote access for vendors – this means ditching those VPNs, especially when VPN software and certificates are provided to a third party for use on their own systems. This changes the paradigm: all connections must be brokered through a single access pathway to reduce the attack surface, without performing typical protocol tunneling or relying on access control lists (ACLs) to limit network segments, and granular, role-based access is implemented to specific resources and applications rather than to networks or hosts.

Vendors or internal users should only be permitted access to specific resources, for a specific allotted time, and to specific applications or workflows, and ultimately nothing more. Administrators should also be able to approve or deny access requests to any resource, which goes far beyond the capabilities of any VPN solution today.
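The access model described above (specific resource, specific application, specific time window, administrator approval) can be expressed as a default-deny check. This is an added example, not code from the article or from any product; the `Grant` schema, the `authorize` function and the sample names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc

@dataclass(frozen=True)
class Grant:
    """One time-boxed entitlement (hypothetical schema, not a product's API)."""
    principal: str                      # vendor or internal user identity
    resource: str                       # one named host or service, never a subnet
    application: str                    # the single application/workflow allowed
    not_before: datetime
    not_after: datetime
    approved_by: Optional[str] = None   # None means the request is still pending

def authorize(grants, principal, resource, application, now):
    """Default-deny decision for a brokered session: returns (allowed, reason)."""
    if "/" in resource or "*" in resource:
        return False, "network ranges and wildcards are never brokered"
    matches = [g for g in grants
               if (g.principal, g.resource, g.application)
               == (principal, resource, application)]
    if not matches:
        return False, "no grant for this principal, resource and application"
    approved = [g for g in matches if g.approved_by is not None]
    if not approved:
        return False, "request awaiting administrator approval"
    for g in approved:
        if g.not_before <= now <= g.not_after:
            return True, f"approved by {g.approved_by}, expires {g.not_after.isoformat()}"
    return False, "grant expired or not yet active"

# Constructed sample data: one approved four-hour window, one pending request.
START = datetime(2024, 5, 1, 9, 0, tzinfo=UTC)
END = datetime(2024, 5, 1, 13, 0, tzinfo=UTC)
GRANTS = [
    Grant("hvac-vendor", "bms-01", "rdp-console", START, END, approved_by="alice"),
    Grant("hvac-vendor", "hist-db", "sql-client", START, END),
]

if __name__ == "__main__":
    noon = datetime(2024, 5, 1, 12, 0, tzinfo=UTC)
    for res, app in [("bms-01", "rdp-console"), ("bms-01", "ssh"),
                     ("hist-db", "sql-client"), ("10.0.0.0/24", "rdp-console")]:
        print(res, app, authorize(GRANTS, "hvac-vendor", res, app, noon))
```

Unlike a VPN route to a whole segment, every session here must match an exact (principal, resource, application) tuple inside an approved window, so anything not explicitly granted is refused.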

Get privileged credentials under lock and key

Compromised credentials are a well-known ingredient of almost all IT security incidents, and ransomware is no exception. To execute, ransomware wants privilege. It is a critical path for ransomware’s persistence. That’s why it’s critical to secure privileged credentials with an enterprise privileged password management solution that will consistently discover, onboard, manage, rotate, and audit these powerful credentials.

Automated rotation of credentials and consistent enforcement of strong password policy protects your organization from password re-use attacks and other password exploits. Unfortunately, this alone is not enough. We need to remove unnecessary administrative rights and enforce least privilege.
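The audit step can be illustrated over a credential inventory, flagging the weaknesses this article names: overdue rotation, password re-use, default passwords and credentials shared between people. This is an added example, not code from the article or a vendor; the record layout, the 30-day policy and all sample values are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 30                    # assumed rotation policy, not from the article
AUDIT_KEY = b"constructed-demo-key"  # assumption: in practice a secret held by the vault

def fingerprint(secret: str) -> str:
    """Keyed fingerprint so re-use is detectable without comparing plaintext."""
    return hmac.new(AUDIT_KEY, secret.encode(), hashlib.sha256).hexdigest()

def audit(inventory, today, known_defaults=()):
    """Return {account: sorted findings} for a privileged-credential inventory."""
    default_fps = {fingerprint(p) for p in known_defaults}
    accounts_by_fp = defaultdict(list)
    for rec in inventory:
        accounts_by_fp[rec["fp"]].append(rec["account"])
    findings = defaultdict(set)
    for rec in inventory:
        acct = rec["account"]
        if (today - rec["last_rotated"]).days > MAX_AGE_DAYS:
            findings[acct].add("rotation overdue")
        if len(accounts_by_fp[rec["fp"]]) > 1:
            findings[acct].add("secret re-used across accounts")
        if rec["fp"] in default_fps:
            findings[acct].add("default password")
        if len(rec["users"]) > 1:
            findings[acct].add("shared by multiple people")
    return {acct: sorted(items) for acct, items in findings.items()}

# Constructed inventory: fingerprints are stored, never the secrets themselves.
INVENTORY = [
    {"account": "svc-backup", "fp": fingerprint("constructed-secret-1"),
     "last_rotated": date(2024, 1, 10), "users": ["ops"]},
    {"account": "vendor-a-admin", "fp": fingerprint("admin"),
     "last_rotated": date(2024, 4, 20), "users": ["tech1", "tech2"]},
    {"account": "vendor-b-admin", "fp": fingerprint("admin"),
     "last_rotated": date(2024, 4, 25), "users": ["tech3"]},
    {"account": "dc-admin", "fp": fingerprint("constructed-secret-2"),
     "last_rotated": date(2024, 4, 28), "users": ["alice"]},
]

if __name__ == "__main__":
    report = audit(INVENTORY, date(2024, 5, 1), known_defaults=["admin"])
    for account, items in report.items():
        print(account, "->", ", ".join(items))
```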

Enforce least privilege

Removing local admin privileges and applying least privilege access across all users, applications, and systems won’t prevent every ransomware attack – but it will stop the vast majority of them. It will also mitigate the impact of those ransomware payloads that make their way into an environment by closing down lateral pathways and reducing the ability to elevate privilege.

Least privilege can even mitigate the impact of stolen credentials. If the credentials are for a user, endpoint, or application with limited or no privileges/privileged access, then the damage is also likely to be diminished. The credentials essentially cannot be used by the malware to infect another host unless it can scrape additional credentials or exploit a vulnerability that allows privilege escalation.

Patch regularly

Of course, one of the most fundamental ways to reduce ransomware and other vulnerability-based exploits is simply staying up-to-date with patching and remediation of known, published vulnerabilities. This condenses the attack surface, reducing the potential footholds in your environment available to attackers.

To that end, very few ransomware attacks leverage zero-day vulnerabilities (MS Office Macros being the most prevalent). If you’re effective at patching, that’s good news for you. If a ransomware attack does happen to leverage a zero-day exploit, following the strategies above gives you favorable odds of avoiding the worst-case scenario, if not escaping the impact of a ransomware attack altogether.
