Ransomware: Backup alone is not a security strategy


Many companies believe that their data backup protects them against ransomware. The enticingly simple logic behind this: if you can restore all the data, you cannot be blackmailed. By Ali Carl Gülerman, CEO and General Manager, Radar Cyber Security.

However, this is too short-sighted: even if the systems were successfully restored after an attack, sensitive information such as customer data or intellectual property may already have been stolen. In addition, the risk of attack remains: the attackers may still be in the network, or may regain access through a back door they installed. In some cases, cyber criminals use ransomware as a mere diversionary maneuver, for example to smuggle spyware into the company network. So even if the data is restored with almost no downtime, the damage caused by a ransomware attack can be considerable or even existential.

The question is therefore not just which malware the attacker placed in a company, but how it got in. If ransomware could penetrate the network, there are obviously gaps in the defense, and these have to be closed permanently.

Comprehensive strategy against cyber attacks

Products, processes and experts

Companies that want to prevent infiltration by attackers need the right products, processes and security experts. The following basic best practices are the precautionary measures to take:

1. Identify the most important company data and assets

Whether it's intellectual property, trade secrets, login information or customer data: this is what attackers are after. Companies therefore need to identify their most sensitive data and know exactly where it is located. After the data has been classified, it should be flagged and given access restrictions. If those responsible know exactly which of their data is particularly valuable, they can protect it against attacks in a targeted manner.

2. Train employees against social engineering

Educating and sensitizing employees is one of the most important measures for corporate security. Email phishing is still the most common way of spreading ransomware, so employees must know how to recognize phishing attempts. Companies must also define simple processes through which employees can report such attempts to the company's security officers.

3. Security Technologies

Email security filters, anti-virus software, and firewalls help block known, common malware strains. Companies should also use Endpoint Detection and Response (EDR) and Advanced Threat Protection (ATP) solutions to optimize the detection and blocking of ransomware.
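To make the detection side of such tooling concrete, here is an added example (written for this article, not code from Radar Cyber Security or any EDR product) of a minimal behavioural heuristic: a process that renames many files to the same new extension within a short window is flagged, which is the kind of file-activity signal EDR products correlate. The event format, the process names and all telemetry lines are constructed for the example; the window and threshold values are assumptions to be tuned per environment.

```python
"""Added example: EDR-style heuristic for ransomware-like mass renames.
All sample events are constructed; real telemetry would come from a
file-system audit source or an endpoint driver."""
from collections import defaultdict, deque
import posixpath

WINDOW_SECONDS = 60      # sliding window per (process, new extension); assumed value
RENAME_THRESHOLD = 5     # renames to one new extension that raise an alert; assumed value

# Constructed sample telemetry: (unix_time, process, action, path, new_path)
SAMPLE_EVENTS = [
    (1000, "explorer.exe", "rename", "/share/docs/draft.txt", "/share/docs/final.txt"),
    (1002, "archiver.exe", "rename", "/share/docs/old.tmp", "/share/docs/old.zip"),
    (1003, "archiver.exe", "rename", "/share/docs/logs.tmp", "/share/docs/logs.zip"),
    (1010, "proc_x.exe", "write", "/share/docs/tmp.dat", None),
    (1011, "proc_x.exe", "rename", "/share/docs/report.docx", "/share/docs/report.docx.locked"),
    (1011, "proc_x.exe", "rename", "/share/docs/budget.xlsx", "/share/docs/budget.xlsx.locked"),
    (1012, "proc_x.exe", "rename", "/share/docs/plan.pptx", "/share/docs/plan.pptx.locked"),
    (1012, "proc_x.exe", "rename", "/share/docs/notes.txt", "/share/docs/notes.txt.locked"),
    (1013, "proc_x.exe", "rename", "/share/docs/photo.jpg", "/share/docs/photo.jpg.locked"),
    (1014, "proc_x.exe", "rename", "/share/docs/scan.pdf", "/share/docs/scan.pdf.locked"),
    (1500, "explorer.exe", "rename", "/share/docs/a.txt", "/share/docs/a.bak"),
]


def new_extension(old_path, new_path):
    """Return the extension a rename introduced, or None if the extension is unchanged."""
    old_ext = posixpath.splitext(old_path)[1].lower()
    new_ext = posixpath.splitext(new_path)[1].lower()
    if new_ext and new_ext != old_ext:
        return new_ext
    return None


def detect_mass_rename(events, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
    """Alert once per (process, extension) when `threshold` renames to the same
    new extension fall inside `window` seconds. Returns a list of alert dicts."""
    alerts = []
    alerted = set()
    recent = defaultdict(deque)  # (process, ext) -> timestamps inside the window
    for ts, proc, action, path, new_path in sorted(events, key=lambda e: e[0]):
        if action != "rename":
            continue
        ext = new_extension(path, new_path)
        if ext is None:
            continue
        key = (proc, ext)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events that left the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"process": proc, "extension": ext,
                           "count": len(q), "first_seen": q[0], "last_seen": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(alert)
```

In the sample data only `proc_x.exe` crosses the threshold; the archiver renaming two files to `.zip` and the user renaming single files stay below it. A real deployment would add the response side (isolate the host, kill the process) and feed the alert to the SOC described later in the article.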

4. Keep operating systems and applications up to date

Unpatched operating systems and applications are easy prey for attackers and a bridgehead for further attacks. Therefore, companies must ensure that their operating systems and software are always patched with the latest updates.

5. Disable macros

A number of ransomware strains are delivered as Microsoft Office attachments. When a user opens the attachment, they are prompted to enable macros in order to see the contents of the document. As soon as the user enables macros, the actual ransomware payload is downloaded and executed. Macros must therefore be disabled by default, and employees must be told that a prompt to enable macros is a warning sign.
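Disabling macros on the endpoint is one layer; the email filter mentioned above can also refuse to deliver macro-carrying documents in the first place. The following is an added example (written for this article, not code from the original or from any mail-security product) of such a check. It decides by content, not only by extension: an OOXML document (a zip) that carries a `vbaProject.bin` part is blocked even if it was renamed to `.docx`, macro-enabled extensions are blocked outright, and legacy binary Office files (OLE2 container, recognizable by their 8-byte signature) are quarantined for deeper stream inspection, which this example does not implement. The extension list and the decision strings are assumptions; the sample documents are constructed in memory.

```python
"""Added example: mail-gateway style classification of Office attachments.
Not from the original article; sample documents are constructed."""
import io
import posixpath
import zipfile

# Extensions Office uses for macro-enabled documents (assumed list for this example)
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                            ".pptm", ".potm", ".ppam"}
# Signature of the legacy binary Office container (OLE2 / Compound File)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip-based) document contains a VBA project part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return a gateway decision for one attachment, judged by content first."""
    ext = posixpath.splitext(filename)[1].lower()
    if has_vba_project(data):
        return "block: document contains a VBA project (regardless of extension)"
    if ext in MACRO_ENABLED_EXTENSIONS:
        return "block: macro-enabled extension"
    if data.startswith(OLE_MAGIC):
        return "quarantine: legacy binary Office format, inspect OLE streams"
    return "allow"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal zip that mimics the OOXML package layout (not a real
    Word file, just enough structure for the check above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_sample_docx(False)),
        ("invoice.docx", build_sample_docx(True)),   # macro part hidden behind a .docx name
        ("invoice.docm", build_sample_docx(False)),
        ("old_report.doc", OLE_MAGIC + b"\x00" * 24),
        ("notes.txt", b"plain text"),
    ]
    for name, blob in samples:
        print(f"{name}: {classify_attachment(name, blob)}")
```

The point of checking the zip contents rather than trusting the file name is that the extension is under the sender's control; the container structure is not.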

6. Manage access rights

Users should only have as many access rights as they need to carry out their tasks. Administrative rights should be restricted as far as possible. In addition, administrative users should have to explicitly confirm every action that requires elevated rights.

7. Segment networks

Network segmentation limits the damage in the event of a ransomware infection by preventing the malware from spreading across the entire company network.

8. Penetration Tests

Penetration tests give companies the opportunity to find weaknesses in their systems and fix them before attackers can exploit them. They should be carried out at least once a year. A penetration test is also useful after a major change to the company network, such as a change of operating system or the addition of a new server.

9. Backup as the last safety net

Regular backups that are tested for restorability are a necessary part of the security architecture and also help to keep business processes available. The well-known 3-2-1 rule is recommended: three copies of the data to be protected, on two different types of storage media, with one of the copies either offsite or offline. Backups are only the last safety net for when everything else has already gone wrong; they are by no means a satisfactory security strategy on their own.
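"Tested for functionality" means more than checking that a backup job exited successfully: a copy that was silently corrupted, or encrypted along with the production data, restores nothing. The added example below (written for this article, not the author's or Radar Cyber Security's code) does two things: it records a SHA-256 manifest of the source at backup time and verifies a copy against it, so missing or altered files are reported; and it checks a backup inventory against the 3-2-1 rule. It assumes the live production data counts as one of the three copies, which is the usual reading of the rule; the inventory fields (`media`, `offsite`, `offline`) and all sample files are constructed.

```python
"""Added example: backup integrity verification plus a 3-2-1 inventory check.
Not from the original article; sample data is constructed in a temp dir."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Map each file (path relative to source_dir, POSIX form) to its SHA-256.
    Store this manifest with, but separately from, the backup copy."""
    source_dir = Path(source_dir)
    return {p.relative_to(source_dir).as_posix(): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def verify_backup(manifest, backup_dir):
    """Compare a backup copy against the manifest; return a list of problems."""
    backup_dir = Path(backup_dir)
    problems = []
    for rel, digest in manifest.items():
        copy = backup_dir / rel
        if not copy.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(copy) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def check_3_2_1(copies):
    """Check an inventory of copies (dicts with media/offsite/offline) against 3-2-1.
    The production copy is expected to be listed as one of the copies (assumption)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, rule requires 3")
    if len({c["media"] for c in copies}) < 2:
        problems.append("all copies are on one type of storage media")
    if not any(c["offsite"] or c["offline"] for c in copies):
        problems.append("no copy is offsite or offline")
    return problems


def run_demo():
    """Exercise both checks on constructed data; returns the results for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "contracts").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,constructed\n")
        (src / "contracts" / "c1.txt").write_text("constructed contract text\n")
        manifest = build_manifest(src)
        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)
        clean = verify_backup(manifest, backup)
        # Simulate a damaged copy: one file altered, one file gone.
        (backup / "customers.csv").write_text("id,name\n1,changed\n")
        (backup / "contracts" / "c1.txt").unlink()
        damaged = verify_backup(manifest, backup)
    good_inventory = [
        {"name": "production", "media": "disk", "offsite": False, "offline": False},
        {"name": "nas", "media": "disk", "offsite": False, "offline": False},
        {"name": "tape", "media": "tape", "offsite": True, "offline": True},
    ]
    weak_inventory = [
        {"name": "production", "media": "disk", "offsite": False, "offline": False},
        {"name": "nas", "media": "disk", "offsite": False, "offline": False},
    ]
    return {"clean": clean, "damaged": damaged,
            "rule_ok": check_3_2_1(good_inventory),
            "rule_weak": check_3_2_1(weak_inventory)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value or "OK")
```

The "weak" inventory (production disk plus one always-online NAS) is exactly the setup ransomware defeats: it fails all three parts of the rule, and an attacker with network access to the NAS can encrypt the backup together with the originals.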

10. Practice the emergency

Organizations should run a simulated ransomware incident and practice their recovery processes. Not least, this establishes how much time the organization needs before it is fully operational again. Such exercises show those responsible where to focus in order to improve recovery. Often forgotten: preparing for an emergency also requires an internal and external communication strategy. Anyone who communicates clearly in an emergency is perceived as a reliable partner and supplier.

24/7 security guards strengthen cyber resilience

Ali Carl Gülerman, CEO and General Manager, Radar Cyber Security (image: Radar Cyber Security).

When it comes to protecting against cyberattacks, what most organizations lack above all today is staff and expertise. For comprehensive prevention against such attacks, including ransomware, and for a quick response, companies should therefore consider their own Cyber Defense Center, or CDC as a Service, as this can massively strengthen their cyber resilience. Thousands of cyber threats are created every minute. Technology can filter out many of the known ones, but only a cyber defense center with 24/7 service can help companies analyze the huge number of alerts, new threats and anomalies that the technical security infrastructure identifies.

Cyber Defense Center or SOC

A Cyber Defense Center, also known as a Security Operations Center (SOC), connects IT security experts, processes and technologies. In the CDC, trained experts continuously examine Internet traffic, networks, desktops, servers, end devices, databases, applications and other IT systems for signs of a security incident. As a company's security command center, the CDC is responsible for the continuous monitoring, analysis and optimization of the security situation, in order to identify attacks quickly and initiate appropriate countermeasures in the event of a security breach.

Ransomware will remain one of the biggest security risks for businesses. No single measure is enough to protect against it. But with a multi-layered approach of continuous employee training, robust processes to ensure business continuity, modern technologies and professional help from security experts, the risks and possible consequences of extortion attacks can be significantly reduced.

More at RadarCS.com

About Radar Cyber Security

Radar Cyber Security operates one of the largest cyber defense centers in Europe in the heart of Vienna, based on its proprietary Cyber Detection Platform technology. Driven by the strong combination of human expertise and experience, coupled with the latest technological developments from ten years of research and development work, the company combines comprehensive solutions for the challenges of IT and OT security in its products RADAR Services and RADAR Solutions. The core is the best-of-breed cyber detection platform, the RADAR platform, which uses orchestration, automation and response to monitor the infrastructure of market leaders in all industries as well as in the public sector on a daily basis. A holistic approach is pursued, which covers both IT and OT landscapes of companies and authorities. This makes Radar Cyber Security a unique cyber security know-how hub in the middle of Europe.
