Hardening the Frontlines of Ransomware Defenses
It’s possible to spot intruders and eject them from the premises, but it’s faster, safer and less expensive to stop them at the front gate.
The same can be true in the virtual world. With robust internal controls, organizations can identify breaches more quickly and prevent malicious actors from breaking in, moving around and accessing data in any systems they manage to penetrate.
Top three infection points*
- Vulnerabilities in common network services and internal systems
- Human beings, who are almost always the weakest link in an IT security system
- Phishing: one person takes the bait and systems are compromised
*Incidents reported to Beazley
Three areas for organizations to take action to defend against ransomware
Lodestone, a leader in comprehensive cyber defense, recommends a combination of technical improvements and changes in users’ behavior to strengthen barriers to intruders. Hardening the external attack surface is relatively straightforward. Newer tools and best practices can make remote access more secure, and awareness training can help users recognize risks and prevent breaches.
- Hardening the external attack surface
In addition to patch management and other routine maintenance, organizations can use hardening mechanisms to mitigate specific attack vectors, protect especially vulnerable parts of the surface and reduce overall risk.
Many companies isolate systems that need external access from more valuable internal systems and data through the use of a “demilitarized zone” or DMZ, and layers of firewalls. Systems like web servers that need to be reached by external users can be placed in a DMZ and heavily restricted and monitored while still being connected to the wider organization for easier management. That management path is also the route an attacker who compromises a DMZ host will try to use to pivot inward, so it should be limited to specific internal hosts and ports, initiated from the internal side wherever possible, and logged.
Organizations should regularly scan externally facing infrastructure for potential vulnerabilities. Vulnerability scans are “mile wide, inch deep” looks at networks: they enumerate exposed services and known weaknesses, can be mostly automated and are relatively inexpensive. Penetration tests go further: experienced analysts mount deeper, more tailored and hands-on tests that attempt to exploit weaknesses in specific portions of a network, showing what an intruder could actually reach.
- Securing remote access
Organizations of all kinds now rely more on secure remote-access solutions built around multi-factor authentication (MFA), which adds authentication factors so that a stolen password alone does not lead to a successful system compromise. Each approach has strengths and weaknesses, usually trade-offs among security, usability, administration overhead and financial cost; for example, phishing-resistant factors such as hardware security keys hold up better against credential phishing than SMS codes or simple push approvals.
For most organizations today, best practices include using MFA in combination with a virtual private network (VPN) solution to provide secure, encrypted access to internal systems from remote external locations. Navigating this world can be complex, however. Microsoft’s Remote Desktop Gateway (RDG) is not a VPN, but it does tunnel Remote Desktop Protocol (RDP) traffic inside an HTTPS (TLS) connection and supports MFA. RDG can reduce the potential attack surface by providing a single point of secure external connection instead of exposing RDP (TCP port 3389) on individual hosts. Because proper, secure RDG configuration is complex and vulnerabilities are identified frequently in RDP and its gateway components, RDGs should be implemented behind VPNs, with MFA enabled on both, and RDP itself should never be reachable directly from the internet.
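The following script is an added example, not Lodestone’s or Beazley’s tooling, and it serves both the recommendation above to scan externally facing infrastructure regularly and the point that RDP belongs behind a VPN with MFA rather than on the internet. It runs a plain TCP connect check against hosts you own (the addresses, the port policy and the sample scan result are constructed for illustration, and you must be authorized to probe the targets) and flags services that should never answer directly from the internet, or that are legitimate only inside a monitored DMZ. The probe function is injectable so the classification logic can be run and tested offline; pass `connect=tcp_connect` to probe real hosts.

```python
"""External exposure check: flag internet-facing services that belong behind
a VPN with MFA (RDP, SMB, cleartext admin protocols) or only in a DMZ.

Added example, not code from the page or from Lodestone/Beazley.
The port policy below is an assumption for this example, not a standard.
"""
import socket
from dataclasses import dataclass, field

# Services that should never be reachable directly from the internet.
NEVER_EXPOSE = {
    3389: "RDP: place behind RD Gateway and a VPN with MFA, never directly on the internet",
    445: "SMB: ransomware spread and lateral-movement channel; block at the perimeter",
    135: "MS-RPC: not needed from the internet",
    139: "NetBIOS: not needed from the internet",
    23: "Telnet: cleartext remote administration",
    21: "FTP: cleartext credentials",
}

# Services that may be public, but only from a restricted and monitored DMZ.
DMZ_ONLY = {
    80: "HTTP",
    443: "HTTPS (also RD Gateway's transport, so confirm what is answering)",
}


@dataclass
class HostReport:
    host: str
    open_ports: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def tcp_connect(host, port, timeout=1.0):
    """Real network probe: True if a TCP handshake completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host, ports, connect=tcp_connect):
    """Probe each port on one host and classify what is open.

    `connect(host, port) -> bool` is injectable so the policy logic can be
    exercised offline with a constructed result instead of a live scan.
    """
    report = HostReport(host)
    for port in sorted(set(ports)):
        if not connect(host, port):
            continue
        report.open_ports.append(port)
        if port in NEVER_EXPOSE:
            report.findings.append(f"{port}/tcp open: {NEVER_EXPOSE[port]}")
        elif port in DMZ_ONLY:
            report.findings.append(
                f"{port}/tcp open: {DMZ_ONLY[port]}; confirm the host sits in the DMZ")
        else:
            report.findings.append(f"{port}/tcp open: unexpected service, investigate")
    return report


def critical_count(report):
    """Number of findings that require immediate action (NEVER_EXPOSE hits)."""
    return sum(1 for p in report.open_ports if p in NEVER_EXPOSE)


def scan_targets(hosts, ports=None, connect=tcp_connect):
    """Scan every host against the policy ports plus a few common extras."""
    ports = ports or sorted(set(NEVER_EXPOSE) | set(DMZ_ONLY) | {22, 8080, 8443})
    return [scan_host(h, ports, connect) for h in hosts]


if __name__ == "__main__":
    # CONSTRUCTED scan result for a TEST-NET-3 address: 443 and 3389 answer.
    # Replace `fake_connect` with `tcp_connect` to probe your own hosts.
    def fake_connect(host, port):
        return host == "203.0.113.10" and port in {443, 3389}

    for rep in scan_targets(["203.0.113.10", "203.0.113.11"], connect=fake_connect):
        print(f"{rep.host}: {len(rep.open_ports)} open, {critical_count(rep)} critical")
        for line in rep.findings:
            print("  -", line)
```

Run it on a schedule against the same host list and diff the reports: a port that was closed last week and is open today is exactly the kind of change that precedes the incidents described in this communication.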
- Raising security awareness
As threats evolve, employees and other systems users need consistent training. An annual phishing test accomplishes very little beyond highlighting the risk posed by a single careless or distracted employee.
Regular testing and mandatory refresher training are necessary. Begin by training users to look for clues; systems administrators can even identify themselves in the first mock phishing emails or messages. As training progresses, administrators can send increasingly sophisticated and realistic phishing simulations. Many vendors and consulting firms provide this kind of training and testing; organizations should choose the approach best suited to their needs, including price, platform, content and results.
Senior leaders also need to help employees understand and practice good overall operational security. Phishing is not the only form of social engineering. Other common risks include:
- Vishing or voice phishing
- Wire transfer fraud
- Physical risks, such as “tailgating” or “shoulder surfing”
- Weak and reused passwords
While IT expertise is as critical as ever, protecting against malicious attacks is not the IT team’s job alone. Each employee plays a vital role on the cybersecurity team. Everyone needs to understand their responsibilities clearly and help defend the organization and themselves from internet-facing vulnerabilities, credential theft and social engineering. Cultural and behavioral changes are as important as technical advances.
Unfortunately, the attackers will keep coming. All areas of the organization need to work together to recognize and manage evolving risks, close gaps and respond quickly and decisively when breaches do occur.
For additional info on hardening the frontlines, read this article from Lodestone
Network vulnerability claims examples
Early one morning, the endpoint monitoring system of a hospitality company that owns, leases and operates luxury hotels and restaurants across the US alerted it to suspicious activity on its hotel servers. The company identified that malware had moved laterally to two servers. It immediately notified Beazley, and by 10am ET, BBR Services had arranged a scoping call with breach response counsel and forensics. The company was able to engage their services right away, and the investigation kicked off. Because the matter was caught during the initial system compromise, the ransomware was never deployed and the situation was contained. However, the lateral movement to the property management system server raised concerns about possible exposure of personally identifiable information. Forensics determined that there was no evidence of staging for data exfiltration and confirmed that the malicious tools found did not have the capability to exfiltrate data. Notification was not required since the intrusion was contained.
The descriptions contained in this broker communication are for preliminary informational purposes only. The product is available on an admitted basis in some but not all US jurisdictions through Beazley Insurance Company, Inc., and is available on a surplus lines basis through licensed surplus lines brokers underwritten by Beazley syndicates at Lloyd’s. The exact coverage afforded by the product described herein is subject to and governed by the terms and conditions of each policy issued. The publication and delivery of the information contained herein is not intended as a solicitation for the purchase of insurance on any US risk. Beazley USA Services, Inc. is licensed and regulated by insurance regulatory authorities in the respective states of the US and transacts business in the State of California as Beazley Insurance Services (License#: 0G55497). Lodestone is a wholly owned subsidiary of Beazley plc. and does not provide insurance services. Beazley does not share insured-specific information with Lodestone. Information you provide to Lodestone and any engagement findings are shared only between your organization and Lodestone.