Ransomware and the NHS attack
Ransomware is not a new phenomenon. However, it takes something like the WannaCry attack on the NHS in May 2017 to highlight just how damaging it can be. If an organisation as large and as security conscious as the NHS can be hit, how do smaller organisations protect themselves?
“More than 4,000 ransomware attacks have occurred every day since the beginning of 2016.” – CCIPS
There is no doubt that this type of malware can damage businesses of all sizes. There are, however, a number of steps that businesses can take both to protect themselves in the first place and to minimise the impact of any infection that does get through.
“54% of UK companies hit” – Malwarebytes
Policies and training make up the backbone of an IT security programme. It would be foolish to think that technology alone is enough to prevent infections or data breaches. There is no magic button you can press that will instantly prevent anything nasty happening to your network. Security comes down to careful planning, preparation and ongoing commitment, and these things take time. A clear and concise IT policy is a good start: it sets out the company's position on security, tells staff what is and is not expected of them and ensures that risks are clearly communicated to users of the network.
- Have an IT policy that defines what is and is not an acceptable use of the IT system.
- Ensure that staff receive training on security issues and have read and understand the policies.
- Ensure that policies are followed at all times with no exceptions, even by management. Management often have the greatest access to data and yet take security the least seriously. If management flout the rules it sets a bad example, and staff will quickly conclude that security is not as important as they have been told.
- Ensure that if something does happen, and a breach does occur, that staff know how to react quickly and appropriately.
The perimeter of your network can be seen as the external fortification of your IT system. It is what separates your internal network (your servers and computers) from the wider internet. In days gone by the perimeter of your network was more clearly defined. Computers and servers lay within the perimeter; everything else outside. With smart-phones, bring your own device, remote workers and cloud computing the perimeter has become significantly more amorphous. The perimeter is however, still a critically important concept.
- Ensure you have a firewall in place and ideally a full UTM (unified threat management) device such as a WatchGuard. A UTM inspects traffic as it passes through rather than simply allowing or blocking it by address and port, and it will also look for signs of an attack and alert the appropriate people.
- Ensure you have a spam filter in place to identify and remove malicious emails before they reach users. No filter is 100% effective, but a good one significantly reduces the number of malicious emails that make it through to users' inboxes.
“In 2016 40% of all spam email had ransomware” – IBM
- Ensure that there is an enforced policy on how USB storage devices are used. Do not allow staff to use their own devices or attach unauthorised devices to the network.
- Consider web-filtering if users do not need to access the entire internet to perform their job function. Do not allow personal use of the internet, even at lunch. Users invariably have smart-phones they can use for that, and if needed a guest Wi-Fi or guest computers should be provided.
- Restrict remote access to those who require it, monitor its use closely and grant access only to the systems needed at the time.
Internal protection measures are those measures you should take within your network. These either help to prevent infection in the first place or limit the spread of an infection should the worst happen.
It would be foolish to assume that perimeter security is always going to be completely effective. By operating a layered approach to security you make life as difficult as possible for would-be attackers and give yourself extra time to detect and deal with an infection.
“Attacks expected to double in 2017” – Beazley via SC Magazine
- Ensure that machines receive Windows updates promptly, and also updates for third-party software such as Java and Adobe products. The NHS attack spread through a Windows vulnerability for which Microsoft had released a patch two months earlier; it was the unpatched machines that were hit.
- Ensure machines are running up-to-date anti-virus software.
- Ensure your anti-virus software is monitored centrally so that infections are spotted quickly, rather than relying on users to report a pop-up.
- Older machines running operating systems that are beyond their support window (such as Windows XP) no longer receive security updates and should be treated as an immediate threat that CANNOT be secured. Replace them, or at the very least isolate them from the rest of the network.
- Consider running all machines without local admin rights for day-to-day users. Malware runs with the privileges of the user who launched it, so a standard user account limits what it can change on the machine.
- Servers should be set up so that files are only accessible by those who absolutely need access to them. Ransomware encrypts every share the infected user can write to, so the less a user can reach, the less is lost if that user's machine becomes infected.
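The monitoring point above is only useful if someone, or something, is actually watching. As an added example for this page (not code from the original article or from any vendor's product), the script below scans file-server audit events for the pattern ransomware leaves behind: one user renaming many files to a new extension, across several folders, within a short window. The log format it parses is an assumption: one event per line as "timestamp user operation path", with a RENAME carrying "old -> new". The sample events are constructed, not from a real incident.

```python
"""Spot ransomware-like activity in file-server audit events.

Added example for this page; not code from the original article or any
vendor's product. The log format is an assumption: one event per line as
"<ISO timestamp> <user> <operation> <path>", where operation is CREATE,
WRITE, RENAME or DELETE and a RENAME carries "<old path> -> <new path>".
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # how far back to look per user
RENAME_THRESHOLD = 10            # extension-changing renames in WINDOW before alerting
MIN_DIRECTORIES = 2              # spread over more than one folder, so a user tidying
                                 # a single project folder by hand does not fire this


def parse_event(line):
    """Split one audit line into (time, user, op, path, new_path_or_None)."""
    ts, user, op, rest = line.split(" ", 3)
    when = datetime.fromisoformat(ts)
    if op == "RENAME":
        old, new = (p.strip() for p in rest.split("->", 1))
        return when, user, op, old, new
    return when, user, op, rest.strip(), None


def extension_changed(old, new):
    """True when a rename changes the file extension, e.g. .docx -> .docx.locked."""
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect(lines, window=WINDOW, threshold=RENAME_THRESHOLD, min_dirs=MIN_DIRECTORIES):
    """Return {user: first alert time} for users whose extension-changing renames
    reach `threshold` within `window` across at least `min_dirs` directories."""
    recent = defaultdict(deque)          # user -> (time, directory) of recent renames
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        when, user, op, path, new = parse_event(line)
        if op != "RENAME" or not extension_changed(path, new):
            continue
        q = recent[user]
        q.append((when, os.path.dirname(new)))
        while q and when - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if user not in alerts and len(q) >= threshold and len({d for _, d in q}) >= min_dirs:
            alerts[user] = when
    return alerts


def build_sample_log():
    """Constructed events, not a real incident. alice is working normally; bob's
    workstation is renaming and overwriting everything it can reach on the share."""
    lines = [
        "2017-05-12T09:00:01 alice WRITE /shares/finance/q1.xlsx",
        "2017-05-12T09:00:15 alice RENAME /shares/finance/q1.xlsx -> /shares/finance/q1-final.xlsx",
    ]
    for i in range(12):
        folder = "hr" if i % 2 == 0 else "finance"
        lines.append(f"2017-05-12T09:01:{i:02d} bob RENAME /shares/{folder}/doc{i}.docx"
                     f" -> /shares/{folder}/doc{i}.docx.locked")
    lines.append("2017-05-12T09:01:13 bob CREATE /shares/hr/HOW_TO_RECOVER.txt")
    return lines


if __name__ == "__main__":
    for user, when in detect(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} {user}: mass rename across shares, isolate this host")
```

The thresholds are deliberately conservative: a single user renaming a dozen files in a minute across two folders is rare in normal work but is exactly what an encrypting process on one workstation produces within seconds of starting. The useful response to the alert is to disable that user's account and pull the workstation off the network, which stops the encryption of the shares even though the local machine is already lost.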
Lastly, even companies with huge IT security budgets can still pick up infections. The final bastion against any hack or infection is a good backup. Backup is critically important: we cannot say this enough. Without a decent backup of data, paying the ransom may be the only viable option for recovery, and paying does not guarantee that the data comes back. With a decent backup, a ransomware infection becomes an inconvenience rather than a complete disaster.
“70% of businesses paid the ransom” – IBM
- Ensure you have a backup of ALL your critical data – be that data stored on your server or individual PCs.
- Ensure your backup is rotated regularly and that one copy is always offline. A backup to a networked device, such as a NAS, is a useful part of a layered backup strategy but should not be considered foolproof: ransomware encrypts every share the infected machine can write to, a NAS included, and a backup job that simply mirrors the live data will copy the encrypted files over the good ones. Keep enough retention that a good copy survives.
- If swapping of backups is problematic, or unlikely to happen regularly, consider an automated cloud backup system that keeps previous versions of files rather than only the latest copy.
- Ideally have multiple layered backups. This maximises your chance of a successful restore and ensures that different data types are dealt with in an appropriate manner.
- Ensure that backups are monitored, and test restores periodically, so that any issue is picked up early and remedied.
- Consider how long you could be without your IT system and choose your backup accordingly. If 24-48 hours is too long, you need a backup system with a business continuity function, i.e. one that can run your servers from the backup while the originals are rebuilt.
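The monitoring and rotation points above have a failure mode worth guarding against: a scheduled backup that runs after an infection will faithfully back up the encrypted files, and if it then rotates into the offline copy the last good data is gone. As an added example for this page (not code from the original article or from any backup product), the script below compares a new snapshot against the previous run's manifest and refuses to rotate when many files have either vanished (renamed with a ransom extension) or turned into high-entropy blobs (encrypted in place). Snapshots are modelled as in-memory {path: bytes} dictionaries and the sample data is constructed; both are assumptions standing in for walking a real backup set on disk.

```python
"""Check a backup snapshot before it rotates into the offline copy.

Added example for this page; not code from the original article or from any
backup product. It compares a new snapshot against the previous manifest and
refuses rotation when a large share of the files have either vanished (renamed
with a ransom extension) or changed into high-entropy blobs (encrypted in
place). Snapshots are modelled as {path: bytes} in memory, which is an
assumption; a real job would walk the backup set on disk and keep the previous
manifest alongside it.
"""
import hashlib
import math

ENTROPY_HIGH = 7.5            # bits/byte; encrypted or compressed data sits near 8
MAX_SUSPICIOUS_RATIO = 0.2    # refuse to rotate if over 20% of files look ransomed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0 for an empty file, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def manifest(snapshot):
    """{path: (sha256 hex, entropy)} recorded for each backup run."""
    return {p: (hashlib.sha256(d).hexdigest(), shannon_entropy(d)) for p, d in snapshot.items()}


def assess(previous, current, max_ratio=MAX_SUSPICIOUS_RATIO):
    """Compare two manifests. Files that were already high-entropy in `previous`
    (zip, jpg, pdf) are ignored so that editing those does not raise false alarms."""
    suspicious = [p for p, (h, e) in current.items()
                  if p in previous and h != previous[p][0]
                  and e >= ENTROPY_HIGH and previous[p][1] < ENTROPY_HIGH - 1]
    missing = [p for p in previous if p not in current]
    ratio = (len(suspicious) + len(missing)) / max(len(previous), 1)
    return {"suspicious": suspicious, "missing": missing,
            "ratio": ratio, "safe_to_rotate": ratio < max_ratio}


def pseudo_ciphertext(seed: int, n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out, block = b"", hashlib.sha256(str(seed).encode()).digest()
    while len(out) < n:
        out += block
        block = hashlib.sha256(block).digest()
    return out[:n]


def sample_snapshots():
    """Constructed data, not a real backup set. `good` is last night's run,
    `edited` a normal working day, `ransomed` the same tree after an infection."""
    def text(s):
        return (s * 200).encode()
    good = {f"docs/report{i}.docx": text(f"quarterly figures {i}\n") for i in range(10)}
    edited = dict(good)
    edited["docs/report3.docx"] = text("quarterly figures 3, revised\n")   # normal edit
    edited["docs/report10.docx"] = text("new report\n")                     # new file
    ransomed = {}
    for i, path in enumerate(good):
        if i < 6:
            ransomed[path + ".locked"] = pseudo_ciphertext(i)   # renamed and encrypted
        else:
            ransomed[path] = pseudo_ciphertext(i)               # encrypted in place
    ransomed["docs/HOW_TO_RECOVER.txt"] = text("pay to decrypt\n")
    return good, edited, ransomed


if __name__ == "__main__":
    good, edited, ransomed = sample_snapshots()
    for name, snap in (("normal day", edited), ("after infection", ransomed)):
        result = assess(manifest(good), manifest(snap))
        verdict = "rotate" if result["safe_to_rotate"] else "HOLD: possible ransomware"
        print(f"{name}: {len(result['missing'])} missing, {len(result['suspicious'])} "
              f"high-entropy, ratio {result['ratio']:.2f} -> {verdict}")
```

A hold from this check is the moment to stop the rotation, keep the previous snapshot, and go and look at the file server; the encrypted copy is worthless, but the copy it would have overwritten is what you will restore from. The entropy test alone would flag legitimately compressed or encrypted files, which is why it only fires for files that were low-entropy in the previous run and have changed since.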
“Most businesses face at least 2 days of downtime” – Intermedia and Aberdeen Group
Remember IT security does not just happen. Equally, IT security is not the job of just one or two individuals. IT security is the job of the entire organisation!