For many companies, time, money and resources are limited. Prevention can be simple and directly effective. Below are some simple prevention measures that will help.
Make a daily backup of important data.
A simple backup that works is cheap and effective against many security threats. Having idiot-proof backups is the most valuable weapon against ransomware.
Off-line, incorruptible, and disconnected backups – that cannot be encrypted by the malware – are a key corrective control that stops the malware from encrypting the backed-up data as well as your ‘live’ data.
Give access to information only on a need-to-know basis.
Access control limits the risk of exposure of information. If information is classified, make sure that the list of real people who have access is very limited. Note that information is created to be shared, not to remain secret.
If you do not understand or trust your access control system: Do not use it!
If you do not know which real persons have access to your classified information: Red flag!
Make sure you train people regularly on how to handle classified information.
Information that is vital for your organization should be classified using a rating that makes sense. Also do not forget to classify information like:
Configuration parameters.
Software contracts.
Backup procedures.
Remove sensitive information when it is no longer needed. Logs of all sorts of payment information and customer details should therefore be kept only for a limited time.
Eliminate complicated IT management tasks by automation.
Humans make errors, often random ones. Software scripts used for automation do not make random errors. If an error is found in a configuration script you can fix it. The same error will never occur again.
Patch applications.
Many applications are regularly updated to address security vulnerabilities as they become apparent – quickly and regularly updating (or ‘patching’) the software will remove a key means by which cyber-security attacks are carried out.
Avoid discussing whether a software update is applicable to your situation. Just update your software, since features you do not use can still be used by hackers.
Since software updates can and will fail: Always make sure that you can roll back. So before applying software updates:
Validate that your data is on a safe backup.
Validate that your roll back procedure is working. It is common that good software has these features built into its update procedure.
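The two validation steps above can be automated as a gate that an update script calls first. The following is an added example, not part of the original text; the function names and paths are hypothetical, and it assumes a POSIX shell with tar and sha256sum available.

```shell
#!/bin/sh
# Added example: allow a software update only when the backup provably restores.
# Function names and paths are hypothetical.

# manifest DIR: print "sha256  ./relative/path" for every file under DIR, sorted.
manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2)
}

# make_backup DATA_DIR ARCHIVE: archive the data and store its manifest beside it.
make_backup() {
    tar -C "$1" -cf "$2" . && manifest "$1" > "$2.manifest"
}

# verify_backup ARCHIVE: restore into a scratch directory and compare the
# restored files with the manifest taken at backup time. Returns 0 only when
# the archive unpacks and every file hash matches.
verify_backup() {
    scratch=$(mktemp -d) || return 2
    if tar -C "$scratch" -xf "$1" 2>/dev/null &&
       [ "$(manifest "$scratch")" = "$(cat "$1.manifest")" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# safe_to_update ARCHIVE: the gate an update script would call before patching.
safe_to_update() {
    if verify_backup "$1"; then
        echo "backup restores cleanly: proceed with update"
    else
        echo "backup failed restore test: do NOT update" >&2
        return 1
    fi
}

# Constructed demo: back up a scratch data directory, then run the gate.
demo=$(mktemp -d) && mkdir "$demo/data" && echo "customer list" > "$demo/data/crm.txt"
make_backup "$demo/data" "$demo/backup.tar" && safe_to_update "$demo/backup.tar"
rm -rf "$demo"
```

Keep the manifest with the off-line copy of the archive, so that anything able to alter the live system cannot alter both.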
Patch operating systems.
As with applications, security weaknesses are often discovered in operating systems. Again, quickly and regularly updating the operating system defends against most cyber-security attacks. The WannaCry attack in 2017, for example, took advantage of a vulnerability that had been patched for nearly two months.
Restrict administrative privileges.
Microsoft Windows is intended to be easy to use, and often users have free rein of the computer. However, administrator privileges should only be provided on an as-needed basis, as otherwise exploits have the ‘keys to the kingdom’ and can corrupt the computer itself.
On Unix-based systems, appliances and network devices too, limiting administrative privileges is a must. Software SHOULD never have to use a high privilege account to run.
Prevent untrusted code from being run.
So use MAC (mandatory access control). Despite the many technologies like sandboxing, the most important and simple measure is: to think! Be wary of attachments and downloads from strangers.
Application whitelisting
Windows (and Macs) are intended to be easy to use and, by default, the user can install and run almost any application. Application whitelisting allows only authorised software applications to run on your computer. No other software is allowed to run. This approach is restrictive for some power users, but most users use a small set of applications to complete their tasks. A wider selection is often simply not needed.
Use Multi-factor authentication
Although having a strong password is an assumed requirement, multi-factor authentication means that the user requires another ‘factor’ in addition to the password for their account (particularly for ‘privileged actions’ on the computer such as installing software).
Prevent untrusted code from being run
Despite the many technologies like sandboxing around, the most important and simple measure is: think! And think again. Security by Design means thinking from different viewpoints in order to be better protected. Be wary of attachments and downloads from strangers.
