Ransomware Best Practices

Cybersecurity Best Practices to Combat Ransomware

Most IT professionals, if you’re anything like me, worry about the possibility of a ransomware attack keeping them awake at night. Furthermore, you have a legitimate reason to be concerned because ransomware does not discriminate. Organizations in every industry, whether public or private, are at risk of becoming victims if they haven’t already been victims themselves.

In fact, according to recent Veritas Technologies research, the average organization has experienced 2.57 ransomware attacks that have resulted in significant downtime in the last 12 months, with 10% of organizations experiencing downtime that has had an impact on their business more than once.

Although ransomware has the potential to cause significant damage to your company and reputation, it is not invincible. In reality, it is only as strong as the weakest link in your organization’s chain of command. However, the good news is that your organization can take specific steps to avoid becoming a target of cybercrime and to reduce the likelihood that an attack will bring your company to its knees and cause it to go out of business.

Examine the 10 most effective best practices that you can put in place right now to protect your data and ensure business resilience.

1. Prompt Systems Upgrades and Software Updates

Attackers may be able to take advantage of unpatched security vulnerabilities if you are running out-of-date software. Make sure to patch and upgrade all infrastructure, operating systems, and software applications regularly to reduce your attack surface exposure. It’s also important to keep your backup software up to date. Don’t fight ransomware with technology that was developed years ago.

2. Implement the 3-2-1-1 Backup Rule

It is always best to back up data, system images, and configurations regularly to ensure that you have a current point from which to resume operations if ransomware strikes. Better yet, take it a step further and avoid having a single point of failure by distributing your data according to the 3-2-1 backup principle.

In practice, this entails storing three or more copies in different locations, utilizing two different storage mediums, and storing one copy offsite. This will reduce the likelihood of an attacker gaining complete access to the system. Another advantage of the 3-2-1 approach is that it ensures that a vulnerability in one of those does not compromise all of your copies, and it provides options in the event of a complete data center failure.

Many organizations are also taking it a step further and storing at least one copy on immutable (cannot be changed) and indelible (cannot be deleted) storage, as part of the 3-2-1-1 strategy.

3. Implement the Zero-Trust Model

The zero-trust model is a way of thinking that emphasizes the importance of not trusting any devices — or users — even if they are located within the corporate network.

It is preferable to use multi-factor authentication (MFA) and role-based access control (RBAC) in addition to requiring a password (yes, even if it is long and complicated), to monitor and mitigate the malicious activity, as well as to encrypt data both in-flight and at rest, which makes exfiltrated data unusable.

It is important to communicate clearly and openly that you should never use factory passwords in any situation.

Additionally, by restricting access to backups, you will prevent ransomware from using the most common entry point. For crucial and business-critical data, many organizations are adopting a just-in-time (JIT) security practice, in which access is granted on an as-needed basis or for a predetermined period. This is something to consider when implementing security practices.

4. Network Segmentation

Attackers adore a single continuous, flat network with no gaps in it. As a result, they can spread throughout your entire infrastructure with relative ease.

Network segmentation and micro-segmentation are two effective methods of preventing attackers from gaining access to your network and significantly reducing their attack surface. The network is partitioned into multiple zones of smaller networks, and access is managed and limited, especially to your most sensitive data, according to this model.

It’s also considered best practice to keep the most critical infrastructure functions off the internet whenever possible. Consider segmenting third-party vendors as part of your company’s zero-trust model as well, as there have been numerous notable supply chain attacks as a result of vendor mismanagement in the past. The Sunburst hack and the Colonial Pipeline attack are two excellent examples of what can be done.

5. Endpoint Visibility

The majority of businesses suffer from a severe lack of visibility into remote endpoints. It has now become standard practice for bad actors to get past front-line security and hang out, allowing them to identify weaknesses and wait for an opportune moment to launch an attack. The implementation of tools that provide complete visibility across your entire environment, detect anomalies, hunt for, and alert you to malicious activity on your network is critical in ensuring that ransomware has nowhere to hide. Taking this step will assist you in mitigating both threats and vulnerabilities before bad actors have the opportunity to take action.

6. Immutable and Indelible Storage

As previously stated, one of the most effective ways to protect your data from ransomware is to use immutable and indelible storage, which ensures that data cannot be changed, encrypted, or deleted for a predetermined period after it has been created. Although the term “immutable storage” has become somewhat of a buzzword among backup vendors in recent years, it is not without merit. Look for immutability that is not only logical but also includes physical immutability, and the system must have built-in security layers to protect users.

The industry is moving toward two types of immutability: deterministic and nondeterministic. At Veritas, we refer to these as Enterprise Mode and Compliance Mode, respectively. Enterprise Mode is referred to as a “four-eyes” approach, which means that any change requires the approval of two sets of eyes. For example, the backup administrator’s eyes are the first pair of eyes, and the security administrator’s eyes are the second pair of eyes. It is not possible to make any changes unless both parties agree to them. Compliance Mode refers to data that is unalterable and immutable under any circumstances, which is data that cannot be changed under any circumstances. Both modes include a Compliance Clock that is completely independent of the operating system, ensuring that even if the operating system clock is spoofed, the data release will not be affected.

7. Rapid Recovery

The majority of ransomware attackers wish for two things: time for the attack to spread and money (from you) to put an end to the attack. It was once common for recovery to take weeks or even months when it was a highly manual and labor-intensive process that involved many different stakeholders throughout an organization. As a result, recovery can be orchestrated and automated, while also providing flexible and alternative options (such as quickly setting up an on-demand data center on a public cloud provider), which can reduce downtime and provide alternatives to paying a ransom. Recovery times can be reduced to a matter of seconds if the proper systems are in place, if necessary.

8. Regular Testing and Validation

The completion of a comprehensive data-protection plan does not imply that your work is complete. Testing ensures that your plan will function properly when you require it. Furthermore, although initial testing can confirm that all aspects of the plan are operational, it is critical to test regularly because information technology environments are constantly changing.

Remember that any plan is only as good as the last time it was put to the test, and if you don’t put it to the test, there is no guarantee that you will be able to recover quickly! Implementing solutions that test in a non-disruptive, isolated recovery, or sandbox environment is also critical to the success of the test.

9. Educated Employees

It is well known that employees are frequently used as entry points for cyberattacks. Don’t point the finger at your employees; mistakes happen. Modern phishing attacks and social engineering are now so sophisticated that they frequently fool security professionals into believing they are legitimate.

Instead, concentrate on educating employees on how to recognize phishing and social engineering tactics, create strong passwords, browse safely, employ multi-factor authentication, and always use secure VPNs rather than public Wi-Fi. Additionally, ensure that employees are aware of what to do and who to contact if they become a victim.

10. Cyberattack Playbooks

Consider what would happen if everyone in your organization knew exactly what to do and when to do it in the event of a ransomware infection. The creation of a standard cyberattack playbook that clarifies roles, aligns and empowers cross-functional teams, and establishes clear communication paths and response protocols in the event of an emergency is not insurmountable.

Setting up an emergency communication channel on a secure texting app for senior leadership of your organization to communicate in the event of a cyberattack is a great piece of advice, as company email or chat systems may also be down as a result of the attack. As a bonus, hiring an outside agency to audit your team’s strategy and double-check your work is a fantastic idea.

You can take significant steps in the fight against ransomware and turn the tables on cybercriminals. The implementation of a multi-layered ransomware resilience strategy that incorporates the best practices listed above as well as impeccable cybersecurity hygiene will allow you to stop attackers before they gain an advantage.