Recent ransomware attacks like Wanna and Petya have spread largely unchecked through corporate networks in recent months, extorting money to restore your data and regain control of your computers. CCSI has warned our customers about this in the past, and some have experienced the pain of ransomware first hand. These attacks have not stopped, and the measures CCSI has taken to detect and stop them have been successful in reducing the consequences when an attack does occur. For a better understanding of what you're up against, let's break down how the hackers infiltrate your systems in the first place, followed by some recommendations to beef up your security using technologies you already have, or steering you toward what to get.
HOW HACKERS PIN-POINT AND LAUNCH RANSOMWARE
Whether a business is found and exploited is not determined by its size or success. Hackers don't use their tech skills to research a business's annual revenue to decide it is worth attacking because it makes lots of money. Very successful Fortune 500 companies have fallen victim to ransomware, but not because of their success. Hole-in-the-wall pizzerias, mom-and-pop trophy shops, start-ups, government agencies, multinational corporations and county hospitals have all been targeted, not because of their net worth but because of weak points in their network security and firewalls. Those weak points are what these guys look for; they got in simply because they could "walk" right in.
So, how do they find these weak points? Although there is a myriad of ways hackers make their way into and infect a network, the most common are:
Remote Access to Servers and Workstations:
Even though remote access to your servers and workstations, to work from home or elsewhere, is a must, we highly recommend closing remote desktop access directly from the internet. Hackers have been able to crack passwords, log into networks and then manually run ransomware executables directly on servers and in some cases workstations. CCSI is therefore recommending that anyone who needs remote access to servers or desktops be required to connect to the office network with a VPN client first, and then establish a remote desktop connection to servers or desktops inside that secure environment. This adds an extra step to making these connections, but the security it provides is well worth it.
Everyone knows we need firewalls but, as any good network admin will tell you, owning a firewall isn't the same as getting the most out of your firewall. Your security posture has to adapt continuously to deal with the ever-shifting threat landscape and the emergence of new threats like advanced, worm-like ransomware. Modern firewalls are purpose-built to defend against these kinds of attacks, but they need to be given an opportunity to do their job. There are multiple methods of entry from a hacker's standpoint; these few are currently the most used:
- The "Over-Seas I.P." Method: Consider an American company with multiple locations across the U.S. that also uses hosted backup services originating in Russia. A firewall can tell that an IP address originates in Russia because address blocks are allocated by region, so the leading octets of an address identify where it was assigned, much like an area code. Firewalls (with the correct upgrades/capabilities) can continuously look up where an IP address is coming from and accept or exclude address ranges by location. In this instance we would set a rule allowing access only from the geo-locations of the business's U.S. offices and the specific geo-location of the hosted backup service in Russia; all other IPs are excluded. To avoid overseas hackers being granted ANY type of access to the network, you need this feature enabled, assuming your existing firewall has the capability.
- Common File Malware: While Wanna and Petya spread like worms, many ransomware variants leverage social engineering tricks through phishing email attacks, spam, or web downloads to gain entry to your network through more conventional means. These attacks often start as cleverly crafted malware lurking in common files like Microsoft Office documents, PDFs, or executables such as updates for common trusted applications. Hackers have become very effective at making these files seem benign or obfuscating the malware to get past traditional signature-based antivirus detection. As a result of this new breed of file-based malware, sandboxing technology has become an essential security layer at your network perimeter. Fortunately, cloud-based sandboxing typically doesn’t require any additional hardware or software deployment – it simply identifies suspect files at the gateway and sends them to a safe sandboxing infrastructure in the cloud to detonate active content and monitor the behavior over time. It can be extremely effective at blocking unknown threats like new ransomware attacks before they enter the network.
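As an added example (not CCSI's code or any firewall vendor's implementation), here is how the geo-location rule described under the "Over-Seas I.P." method can be evaluated: it accepts addresses located in the U.S. plus one specific address block for the Russian backup provider, and denies everything else, failing closed when the location is unknown. The address blocks, country labels and the backup provider's range are all constructed for illustration.

```python
import ipaddress

# Constructed sample mapping of address blocks to countries. A real firewall
# uses a full geo-IP database; these ranges and labels are illustrative only.
GEO_BLOCKS = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "RU"),
    (ipaddress.ip_network("100.64.0.0/10"), "DE"),
]

# Policy from the article: accept traffic located in the U.S., plus only the
# specific block used by the hosted backup provider in Russia; deny the rest.
ALLOWED_COUNTRIES = {"US"}
# Hypothetical backup provider range (an assumption, not a real provider).
ALLOWED_EXCEPTIONS = [ipaddress.ip_network("192.0.2.16/28")]
# RFC 1918 space is internal and never needs the inbound geo check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup_country(ip):
    """Return the country label for ip, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_BLOCKS:
        if addr in net:
            return country
    return None


def evaluate(ip):
    """Return (decision, reason) for an inbound connection attempt from ip."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return ("allow", "internal")
    for net in ALLOWED_EXCEPTIONS:
        if addr in net:
            return ("allow", f"explicit exception {net}")
    country = lookup_country(ip)
    if country is None:
        return ("deny", "unknown location")  # fail closed on a failed lookup
    if country in ALLOWED_COUNTRIES:
        return ("allow", f"geo {country}")
    return ("deny", f"geo {country}")


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.20", "192.0.2.200", "203.0.114.9"):
        print(ip, *evaluate(ip))
```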
Best Practices for Firewall and Network Configuration:
It's important to keep in mind that IPS, sandboxing and all the other protection the firewall provides are only effective against traffic that actually traverses the firewall, and only where suitable enforcement and protection policies are applied to the firewall rules governing that traffic. So with that in mind, follow these best practices for preventing the spread of worm-like attacks on your network.
- Ensure you have the right protection: including a modern high-performance next-gen firewall with an IPS engine and a sandboxing solution.
- Reduce the attack surface: thoroughly review and revisit all port-forwarding rules to eliminate any non-essential open ports. Every open port is a potential opening into your network. Where possible, use a VPN to access resources on the internal network from outside rather than port-forwarding.
- Properly secure any ports that must stay open: apply suitable IPS protection to the rules governing that traffic.
- Apply sandboxing to web and email traffic: ensure all suspicious active files coming in through web downloads and as email attachments are analyzed for malicious behavior before they get onto your network.
- Minimize the risk of lateral movement: segment LANs into smaller, isolated zones or VLANs that are secured and connected together by the firewall. Apply suitable IPS policies to the rules governing traffic between these LAN segments to prevent exploits, worms and bots from spreading from one segment to another.
- Automatically isolate infected systems: when an infection hits, your IT security solution must be able to quickly identify compromised systems and automatically isolate them until they can be cleaned up (either automatically or through manual intervention).
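As an added example (not CCSI's code), the following audit script applies the remote-access advice from earlier in this post and the port-forwarding best practices above to a constructed list of firewall rules: it flags RDP or other remote-access services forwarded from any internet source (which should sit behind the VPN instead) and rules with no IPS profile attached. The rule fields, the sample rules and the port list are assumptions for illustration; real firewalls export rules in vendor-specific formats.

```python
# Remote-access services that the article says should only be reachable over VPN.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC", 445: "SMB"}

# Constructed sample port-forwarding rules (not from any real firewall).
SAMPLE_RULES = [
    {"name": "rdp-fileserver", "port": 3389, "dest": "10.0.0.5", "source": "any", "ips": None},
    {"name": "mail", "port": 25, "dest": "10.0.0.10", "source": "any", "ips": "mail-ips"},
    {"name": "web", "port": 443, "dest": "10.0.0.20", "source": "any", "ips": None},
    {"name": "backup", "port": 22, "dest": "10.0.0.30", "source": "192.0.2.16/28", "ips": "ssh-ips"},
    {"name": "vpn", "port": 1194, "dest": "10.0.0.1", "source": "any", "ips": "vpn-ips"},
]


def audit_rule(rule):
    """Return a list of findings for one port-forwarding rule."""
    findings = []
    service = REMOTE_ACCESS_PORTS.get(rule["port"])
    if service and rule["source"] == "any":
        findings.append(f"{service} exposed to the whole internet; move behind VPN")
    elif service:
        # Source-restricted remote access: keep only while the business need exists.
        findings.append(f"{service} forwarded; confirm source {rule['source']} is still required")
    if rule["ips"] is None:
        findings.append("no IPS profile applied to this rule")
    return findings


def audit(rules):
    """Map each rule name to its findings; rules with no findings are omitted."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


def exposed_remote_access(rules):
    """Names of rules that forward a remote-access service from any source."""
    return sorted(r["name"] for r in rules
                  if r["port"] in REMOTE_ACCESS_PORTS and r["source"] == "any")


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```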
Importance of Firewall Performance:
Ransomware, botnets and other advanced attacks will often work their way through your entire IT infrastructure. A firewall that includes all the technology needed to protect your organization from the latest attacks is well worth the investment, considering the level of protection and security it provides. Upgrading to newer technology is expensive, mostly because of the processing power required to constantly compare traffic against lists of accepted and blocked IPs while performing the firewall's many other tasks. This doesn't mean you need to rip out or replace your existing firewall and buy the top-of-the-line model right now. Many firewalls already come with the features needed to take the proper security steps but simply aren't using them. If a feature isn't actively available, check whether there is an upgrade or patch. If these still don't cover your needs, contact your CCSI account manager for a full rundown of your existing firewall's capabilities, or for options to implement a firewall with the protection your business needs at a price you can afford.