Agencies Can Ward Off Ransomware with Simple Tactics

Presented by FedTech

Employee education, updated technology and a little vigilance can keep rogue malware from locking up a network.

Ransomware attacks this year come with a new twist: Not all attackers want the money.

Instead, they’re using ransomware — malware that encrypts files and offers to decrypt, for a price — as a decoy while they launch other, potentially devastating attacks on a network.

Federal agencies have been relatively successful in preventing the traditional forms of ransomware through diligent monitoring, but a watchful eye remains a requirement. The costs of an attack — for cleanup, lost productivity, reputational damage and expensive consulting contracts to security companies for forensic reports — can dwarf the amount of the ransom.

Ransomware works because a single infected PC can encrypt large swaths of shared data valuable to the agency, but not every attack has to end with damage. Agencies that structure security properly can defang ransomware even if a system gets infected, whatever the attacker's motive.

Agencies Need to Educate Employees on Ransomware Risks 

Ransomware is the payload, but the attack almost always happens through social engineering: convincing someone to do something they shouldn’t, such as opening a file. One effective way to avoid ransomware is through an educated user community. No firewall or anti-malware tool will work as well as a smart user who won’t click on a suspicious link.

No one message will catch all users, however, and no two users learn in the same way. To get the message across, employ multiple channels. A mandatory, short online course will catch some users; a screen saver that scrolls a reminder might catch a different group. A newsletter article might be helpful, but even better is a first-person story from a top executive about his or her personal experience with malware.

"No one message will catch all users, however, and no two users learn in the same way. To get the message across, employ multiple channels."

Joel Snyder, Senior Partner, Opus One

Anti-phishing tools can reveal which employees need further one-on-one training. Security logs can show who’s constantly hitting the URL filter or the anti-malware cleaner; those workers also need a personal visit from IT and some extra instruction.
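The follow-up the article describes, picking out the people who keep hitting the URL filter or the anti-malware cleaner, is a small log-analysis job. The example below is added here and is not from the article or from FedTech; the log format is an assumption modelled on a generic key=value export from a URL filter and an endpoint anti-malware agent, and the sample lines, user names and threshold are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample log lines (assumption: one event per line, key=value fields).
# "BLOCK" comes from the URL filter, "QUARANTINE" from the anti-malware cleaner.
SAMPLE_LOGS = """\
2024-03-04T09:12:01 urlfilter user=jdoe action=BLOCK category=malware url=http://blocked-one.example/
2024-03-04T09:14:33 urlfilter user=jdoe action=ALLOW category=news url=http://news.example/
2024-03-04T09:20:10 urlfilter user=asmith action=BLOCK category=phishing url=http://blocked-two.example/
2024-03-04T10:02:45 antimalware user=jdoe action=QUARANTINE file=attachment-1.bin
2024-03-04T11:30:00 urlfilter user=jdoe action=BLOCK category=malware url=http://blocked-three.example/
2024-03-04T12:05:19 antimalware user=bwong action=QUARANTINE file=attachment-2.bin
2024-03-04T13:40:07 urlfilter user=jdoe action=BLOCK category=phishing url=http://blocked-four.example/
"""

# Only the leading fields are needed; the rest of the line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)"
)

# Actions that indicate a protective control had to step in for this user.
FLAGGED_ACTIONS = {"BLOCK", "QUARANTINE"}


def parse_events(text):
    """Yield (timestamp, source, user, action) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than crashing the report
            yield m.group("ts"), m.group("source"), m.group("user"), m.group("action")


def count_blocks_per_user(text):
    """Count how often each user triggered a block or quarantine."""
    counts = Counter()
    for _ts, _source, user, action in parse_events(text):
        if action in FLAGGED_ACTIONS:
            counts[user] += 1
    return counts


def users_needing_followup(text, threshold=3):
    """Users at or above the threshold, most frequent first, then by name."""
    counts = count_blocks_per_user(text)
    flagged = [(user, n) for user, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for user, n in users_needing_followup(SAMPLE_LOGS):
        print(f"{user}: {n} blocked events; schedule one-on-one training")
```

The threshold is deliberately a parameter: the right number depends on how noisy the agency's filters are, and the report is an input to a conversation with the employee, not a verdict.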

Feds Constantly Protect Data and Employ Network Access Control 

Agencies looking for motivation to modernize should note: Ransomware works best against IT infrastructures designed in the 1990s that haven’t been updated.

Shared drives on Windows file servers, for example, are a huge ransomware target and one that is easy to get rid of. Shifting to a versioning file storage system — SharePoint is an obvious choice — ensures that a ransomware fix is as simple as rolling back to the last version of files untouched by the attacker. Nightly backups are a common data protection strategy, but should be replaced by continuous data protection, tightening the window for data loss from days down to hours or minutes.

Giving users the ability to write to files across workgroups is an efficient way for ransomware to affect an entire organization, and is a sign that access control is not well managed. Access controls should apply to staff at all levels — including executives — to keep them from writing to files all over the agency’s hard drives. It’s complicated, but that’s why there is a thriving marketplace for identity and access management tools.

Local drives are incredibly hard to back up and manage, which makes them a liability. Through a combination of policies, protections and processes, ensure that nothing important sits on a worker’s hard drive for more than a few hours. If necessary, wipe the working directories every night and make it clear there are no exceptions to the rule. 

Email Security Gateways Can Guard Against Ransomware 

Ransomware is usually delivered via email, either as a direct payload or one that encourages users to click on a link, so protecting incoming email is a key strategy. Agencies should revisit their email security gateways (ESGs), turn up protections and rethink settings, even if the ESG is part of a cloud-based service.

Many ESGs offer “URL armoring,” which replaces URLs in messages with pointers to a proxy server elsewhere, run either by the agency or by the ESG vendor. This opens a window between email delivery and the click that either allows the agency to detect the ransomware or forces the download to be scanned in the cloud, protecting computers where the anti-malware is out of date or disabled.
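To make the URL-armoring mechanism concrete, here is an added example of the rewriting step and its inverse. It is not code from the article or from any ESG vendor: the proxy address, the signing key and the message body are constructed assumptions. The pointer carries an HMAC over the original URL so that the proxy only resolves links it issued itself, which keeps the click-time scanner from doubling as an open redirector.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions for the demo: the agency's (or vendor's) click-time scanning proxy
# and the key it uses to sign the pointers it hands out.
PROXY_BASE = "https://click.proxy.example/scan"
SECRET = b"constructed-demo-key-replace-in-production"

# Plain http(s) URLs in a text body; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _tag(url):
    """HMAC-SHA256 over the original URL, truncated for a shorter pointer."""
    return hmac.new(SECRET, url.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def armor_url(url):
    """Replace a URL with a pointer to the proxy, carrying the URL and its tag."""
    return f"{PROXY_BASE}?{urlencode({'u': url, 'h': _tag(url)})}"


def armor_message(body):
    """Rewrite every URL in a message body at delivery time."""
    return URL_RE.sub(lambda m: armor_url(m.group(0)), body)


def unarmor_url(armored):
    """Recover the original URL at click time; refuse anything not signed by us."""
    parts = urlsplit(armored)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != PROXY_BASE:
        raise ValueError("not a pointer issued by this proxy")
    query = parse_qs(parts.query)
    url = query.get("u", [None])[0]
    tag = query.get("h", [None])[0]
    if url is None or tag is None or not hmac.compare_digest(tag, _tag(url)):
        raise ValueError("pointer is missing or has been tampered with")
    return url


def is_valid_pointer(armored):
    """Boolean form of unarmor_url for callers that only need a yes/no."""
    try:
        unarmor_url(armored)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    body = "Please review https://docs.example/report.pdf before the meeting"
    armored = armor_message(body)
    print(armored)
    print(unarmor_url(URL_RE.findall(armored)[0]))
```

What happens between `unarmor_url` and the redirect (reputation lookup, detonation, blocking) is the ESG's scanning policy; this example only shows the rewriting that creates the window in which that scan can run.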

It’s also time to change attachment filtering strategy from a blacklist to a whitelist. Finding every way that junk can enter a network is impossible, but creating a short list of the file types that employees need for work is doable, and can be the start of a whitelist.
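The difference between the two filtering strategies is easiest to see side by side. The example below is added here and is not from the article; the blacklist and whitelist contents and the file names are constructed for the demonstration. It also goes slightly beyond the text by checking every extension in a multi-dot name, since a name carrying an approved extension followed by another one should not pass an allow-list check.

```python
import os

# Constructed example lists (assumptions for the demo, not a recommendation).
BLACKLIST = {".exe", ".scr", ".bat"}
WHITELIST = {".pdf", ".docx", ".xlsx", ".txt", ".png"}


def extensions(filename):
    """All dotted suffixes of a name, lowercased: 'a.tar.gz' -> ['.tar', '.gz']."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    # A leading dot-file or a name with no dot has no extension to judge.
    return ["." + p for p in parts[1:] if p] if len(parts) > 1 else []


def blacklist_allows(filename):
    """Blocklist logic: allow unless the final extension is a known-bad type."""
    exts = extensions(filename)
    return not exts or exts[-1] not in BLACKLIST


def whitelist_allows(filename):
    """Allowlist logic: require an extension and require every one to be approved."""
    exts = extensions(filename)
    return bool(exts) and all(ext in WHITELIST for ext in exts)


def compare(filenames):
    """Show where the two strategies disagree; the value is (blacklist, whitelist)."""
    return {name: (blacklist_allows(name), whitelist_allows(name)) for name in filenames}


if __name__ == "__main__":
    samples = ["report.pdf", "setup.exe", "archive.iso", "summary.pdf.exe", "README"]
    for name, (bl, wl) in compare(samples).items():
        print(f"{name:18} blacklist={'allow' if bl else 'block'}  whitelist={'allow' if wl else 'block'}")
```

The name `archive.iso` is the case the article is making: the blocklist passes it because nobody thought to list that type, while the allowlist blocks it because nobody needed it. An extension check is only the first gate on an ESG; the gateway should also confirm the declared type against the file's actual content before releasing it.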

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.