Pub. 5 2016 Issue 5
Leading advocate for the banking industry in Kansas

FOUR ACTIONS TO PREVENT RANSOMWARE
By Daniel Lindley, Network+, CISA

Malware is a constant threat to networks. While it primarily affected Windows systems in the past, newer malware can wreak havoc on Linux and OS X systems as well. The malware variant that is becoming increasingly popular and devastating is ransomware. Ransomware encrypts local and network-mapped files and then presents a ransom demand to the user. It affects home users, police departments, banks, and even hospitals, with no sign of slowing down, because of the anonymity associated with bitcoin, the ease of spreading the software, and the likelihood that infected users will pay. Ransomware can be dealt with in a couple of ways: through mitigating controls that lower both the risk of infection and the damage caused, or by recovering data from backups after encryption has occurred. The best option, of course, is preventing infection in the first place, and the controls below can help keep ransomware from threatening your files and ruining your day.

1. User training — As users will always be the weakest link, there can never be enough user training. While there have been some instances of legitimate websites delivering ransomware, these are rare; the typical delivery vehicles for ransomware are phishing emails and insecure websites. Technical controls such as Internet content filtering and email filtering can help to an extent, but teaching users to be wary of phishing emails and unknown websites should be standard practice.

2. Antivirus or ransomware prevention tool — Antivirus detection methods are not as effective as they once were, but up-to-date virus definitions can still be beneficial in preventing ransomware from executing. In addition, companies such as Malwarebytes [1] are working on anti-ransomware tools that add an extra layer of security.

3. Least privilege — The idea of least privilege is to prevent access to information a user has no business need to access. In this instance, tightening file access controls so that users have access only to the information they need could prevent the encryption of sensitive data. If the user has no access, or only read-only access, to a folder, then the files in that folder are protected from ransomware running under that user's account as well.

4. Air-gapped backups — As mentioned above, network-mapped files are just as susceptible to encryption by ransomware as local files. This includes cloud storage drives such as Dropbox and OneDrive, and any internal network drives the user has access to. Although tape backups, by nature, create an air gap for the backup data, the trend toward instant network backups for disaster recovery has led to a decrease in tape usage and an increase in disk drives that can be easily accessed and replicated. As a result, it is extremely important either to keep backup drives from being mapped on the network or to reinstate a tape backup process for secondary backups. If tape backups are too expensive or time consuming, then a dedicated backup through a trusted cloud provider is also an effective option.
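As an added example (not from the article or its author), the following Python audit applies items 3 and 4 together: given a constructed inventory of mapped shares with their access control entries and a user's group memberships, it reports which shares a process running as that user could overwrite, and flags any backup location among them. The share paths, group names and the `svc_backup` service account are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Share:
    path: str       # UNC path or the local sync folder of a cloud drive
    purpose: str    # "data" or "backup"
    acl: dict       # principal -> set of rights, e.g. {"read", "write"}

def effective_rights(share: Share, user: str, groups: set) -> set:
    """Union of rights granted to the user directly or through group membership."""
    rights = set()
    for principal, granted in share.acl.items():
        if principal == user or principal in groups:
            rights |= granted
    return rights

def ransomware_exposure(shares, user, groups):
    """Return (encryptable, exposed_backups): paths a process running as `user`
    could overwrite, and the subset of those that are backup locations."""
    encryptable, exposed_backups = [], []
    for share in shares:
        if "write" in effective_rights(share, user, groups):
            encryptable.append(share.path)
            if share.purpose == "backup":
                exposed_backups.append(share.path)
    return encryptable, exposed_backups

# Constructed inventory (hypothetical paths and groups, not from the article).
SHARES = [
    Share(r"\\fs01\loans", "data", {"Loans": {"read", "write"}}),
    Share(r"\\fs01\hr", "data", {"HR": {"read", "write"}, "Domain Users": {"read"}}),
    Share(r"C:\Users\alice\Dropbox", "data", {"alice": {"read", "write"}}),
    # Weak setting: the backup share is writable by every domain user.
    Share(r"\\nas01\backups", "backup", {"Domain Users": {"read", "write"}}),
]
# Corrected setting: only the (hypothetical) backup service account can write to backups.
HARDENED = SHARES[:3] + [Share(r"\\nas01\backups", "backup", {"svc_backup": {"read", "write"}})]

ALICE_GROUPS = {"Loans", "Domain Users"}

if __name__ == "__main__":
    for label, inventory in (("weak", SHARES), ("hardened", HARDENED)):
        encryptable, backups = ransomware_exposure(inventory, "alice", ALICE_GROUPS)
        print(f"{label}: encryptable={encryptable} exposed_backups={backups}")
```

The read-only entry on the HR share keeps it off the list even though the user belongs to Domain Users, which is the read-only protection item 3 describes.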
