Ransomware Prevention Guidelines Version 1.0
Confidential Page 1 of 9 BH Consulting
Stand and Deliver
Your Money or Your Bytes
A Guide on How to Prevent Ransomware
Introduction
Ransomware is fast becoming a major threat to computer systems in many organisations. It is an
aggressive form of attack which criminals use to infect computers and block the victim from accessing
their own data unless they pay a ransom. Ransomware is not a new threat but has become more
widely used among criminals simply because it is highly profitable.
At its heart, ransomware is simply another form of a computer virus, albeit a very potent one. The
methods it uses to infect a computer are the same ones other computer viruses employ.
This document details several recommendations to help you in reducing the likelihood of future
infection by ransomware, or indeed any other computer viruses or malware, against systems within
your organisation.
Note that each of these recommendations should be assessed for its applicability to your specific
environment. You should conduct a thorough risk assessment to determine whether the
recommendations outlined in this document are suitable for your environment and are proportionate
to the identified threat and risk.
Recommendations
Implement Geo-Blocking for Suspicious Domains & Regions
Criminals often host their infrastructure on domains in regions or countries that staff in your
organisation would not regularly need to access. If there is no business requirement for staff in your
organisation to access systems in these areas, you should consider configuring your firewalls to block
all incoming and outgoing traffic to these domains and geographical areas.
Block Outgoing I2P Traffic
Ransomware often employs the Invisible Internet Project (I2P) [1], which is an overlay network and
darknet that allows applications to send messages to each other pseudonymously and securely. You
should consider blocking all outgoing I2P and other unnecessary peer-to-peer network traffic at the
firewalls on the perimeter of your network. This will prevent infected computers communicating with
their masters and receiving further instructions.
Review Backup Process
One of the most effective ways to recover from a ransomware infection is to have a comprehensive
and up-to-date backup in place.
You should regularly review your backup processes to:
- Ensure all relevant data is being backed up
- Ensure the backups are completed successfully
- Ensure the backup media is protected from being overwritten by ransomware
- Implement the 3-2-1 backup rule. Have at least three copies of the most valuable data, keep two
of them on different external media, and store one copy offsite.
Conduct Regular Testing of Restore Process from Backup Tapes
While backing up data is a critical process, the ability to restore the data successfully when
needed is equally important. You should conduct regular tests to restore data from backups to:
- Ensure the restore process works as expected
- Ensure that data has been properly backed up
- Ensure the data has not been modified or altered by ransomware
- Ensure the timely recovery of critical data.
Enhance Email Security with DMARC, SPF and DKIM
By analysing publicly available information relating to an organisation's email configuration, it is
possible to see whether Domain-based Message Authentication, Reporting & Conformance (DMARC) [2] is
implemented. DMARC can help to reduce the amount of fraudulent email which may contain
ransomware. Implementing DMARC also protects against other security risks such as phishing, spoofing
and CEO fraud.
It is recommended that you implement DMARC for your email systems [3][4].
[1] https://geti2p.net/
[2] https://dmarc.org/
[3] https://dmarc.globalcyberalliance.org/index.html
[4] http://cert.europa.eu/static/WhitePapers/Updated-CERT-EU_Security_Whitepaper_DMARC_17-001_v1_2.pdf
It is also recommended that you regularly review the configuration of your email servers to
ensure that Sender Policy Framework (SPF) [5] and DomainKeys Identified Mail (DKIM) [6] are
properly configured.
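As an added example, not part of the BH Consulting guide, the following Python evaluates a domain's SPF, DMARC and DKIM records in the way the checks above describe. The DNS answers and domain names are constructed so that it runs offline, and the DKIM selector list is an assumption, since selectors cannot be discovered from public DNS.

```python
import re
from typing import Dict, List, Sequence

# Constructed DNS TXT answers keyed by record name. Domains, selector names and
# the DKIM key value are placeholders, not real records.
CONSTRUCTED_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
    ],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTED_PUBLIC_KEY"],
    "example.org": ["v=spf1 a mx ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:reports@example.org"],
}

# Selectors are not discoverable from DNS, so this list is an assumption;
# take the real ones from your mail gateway's DKIM signing configuration.
DKIM_SELECTORS: Sequence[str] = ("s1", "default", "selector1")


def txt(name: str, dns: Dict[str, List[str]]) -> List[str]:
    """Stand-in for a TXT lookup; a live check would query a resolver instead."""
    return dns.get(name.lower(), [])


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC and DKIM syntax) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(domain: str, dns: Dict[str, List[str]]) -> Dict:
    records = [r for r in txt(domain, dns) if r.lower().startswith("v=spf1")]
    result: Dict = {"present": bool(records), "all": None, "findings": []}
    if not records:
        result["findings"].append("no SPF record published")
        return result
    if len(records) > 1:
        result["findings"].append("more than one SPF record (receivers treat this as a permanent error)")
    for term in records[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?])?all", term.lower())
        if m:
            result["all"] = m.group(1) or "+"   # a bare 'all' means '+all'
    if result["all"] is None:
        result["findings"].append("SPF record has no 'all' mechanism, so unlisted senders are not rejected")
    elif result["all"] == "+":
        result["findings"].append("SPF ends in +all, which authorises any sender")
    elif result["all"] in ("~", "?"):
        result["findings"].append(f"SPF ends in {result['all']}all; move to -all once legitimate senders are confirmed")
    return result


def evaluate_dmarc(domain: str, dns: Dict[str, List[str]]) -> Dict:
    records = [r for r in txt(f"_dmarc.{domain}", dns) if r.lower().startswith("v=dmarc1")]
    result: Dict = {"present": bool(records), "policy": None, "findings": []}
    if not records:
        result["findings"].append("no DMARC record published")
        return result
    tags = parse_tags(records[0])
    policy = tags.get("p")
    result["policy"] = policy
    if policy not in ("none", "quarantine", "reject"):
        result["findings"].append("DMARC record lacks a valid p= policy")
    elif policy == "none":
        result["findings"].append("DMARC policy is p=none (monitoring only); spoofed mail is still delivered")
    if "rua" not in tags:
        result["findings"].append("no rua= address, so aggregate reports are not received")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        result["findings"].append(f"pct={pct}: the policy is applied to only part of the mail stream")
    return result


def evaluate_dkim(domain: str, dns: Dict[str, List[str]], selectors: Sequence[str] = DKIM_SELECTORS) -> Dict:
    found = []
    for selector in selectors:
        for record in txt(f"{selector}._domainkey.{domain}", dns):
            if parse_tags(record).get("p"):   # an empty p= means the key was revoked
                found.append(selector)
    result: Dict = {"selectors": found, "findings": []}
    if not found:
        result["findings"].append("no DKIM key found for the selectors tried")
    return result


def assess_domain(domain: str, dns: Dict[str, List[str]] = CONSTRUCTED_TXT) -> Dict:
    """Combine the three checks into one report for the domain."""
    spf, dmarc, dkim = evaluate_spf(domain, dns), evaluate_dmarc(domain, dns), evaluate_dkim(domain, dns)
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "dkim": dkim,
            "findings": spf["findings"] + dmarc["findings"] + dkim["findings"]}


if __name__ == "__main__":
    for name in ("example.com", "example.org"):
        report = assess_domain(name)
        print(name, "no findings" if not report["findings"] else "")
        for finding in report["findings"]:
            print("  -", finding)
```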
Review Your Incident Response Process
You should develop a comprehensive Incident Response Process to include how to deal with
ransomware infections. This process should include how incidents are prioritised, recorded,
managed, remediated, recovered, and escalated where necessary. This process should also include:
- Referring to the NoMoreRansom [7] website to see if decryption keys are available for the
ransomware being dealt with.
- Understanding what conditions call for the issue to be reported to your local law enforcement
agency. Refer to the Europol website to determine how you can report issues in your jurisdiction.
- Understanding whether you will need to report an issue to relevant regulators.
You should also develop a range of Standard Operating Procedures to manage security incidents. There
are resources available from the European Union Agency for Network and Information Security
(ENISA) in relation to incident response [8]. In addition, you should review the Incident Response
Methodologies [9] published by the Computer Emergency Response Team for Société Générale.
Implement a Robust Cybersecurity Awareness Training Programme
Technical controls may not detect and contain all ransomware, or indeed all malware, especially given
the rapidly evolving nature of these threats. In this event, the last line of defence is the end user who
receives the email or browses the web. Therefore, it is essential that all users are properly empowered
to identify security threats and deal with them accordingly.
You should review your current security awareness training programme to ensure that it is
appropriately resourced and that it targets all users. Although technical controls can minimise the risk
posed by various threats, the human factor needs to be constantly managed. If people are not made
aware of the threats posed to their systems or data, of the reasons why certain policies and controls
are in place, or how to react to a suspect security breach, then the risk of a security breach occurring
increases significantly.
The security awareness programme should be tailored for the audience. For example, developers
should have a different programme which focuses on topics relevant to their role, compared to the
programme aimed at the sales and marketing function.
Ensure Anti-Virus Software is Updated and All Features Enabled
You should ensure that all PCs have up to date anti-virus software installed and that they are regularly
updated with the latest software updates, virus signatures, and security features. In addition, you
should ensure that the anti-virus suite deployed on all PCs has all the anti-malware features
implemented so that any unusual behaviour that may indicate an infection can be quickly identified.
Ensure All Operating System and Software Patches Are Applied
You should ensure that all PCs have the latest operating system and software updates deployed and
applied in a timely manner. You should investigate and implement a means to keep all PCs and
laptops patched with the latest updates for all software applications installed on those computers.
Disable ActiveX in Office Files
[5] http://www.openspf.org/
[6] http://www.dkim.org/
[7] https://www.nomoreransom.org/
[8] https://www.enisa.europa.eu/topics/csirt-cert-services
[9] https://cert.societegenerale.com/en/publications.html
You should disable ActiveX [10] content in the Microsoft Office suite of applications. Many computer
viruses use macros to take advantage of ActiveX and download malware onto the affected PC. This
is particularly recommended for any organisation running devices with any Microsoft operating
system earlier than Windows 10.
Block Executable Files from the %APPDATA% and %TEMP% Paths
You should look at methods to block executable files from the %APPDATA% and %TEMP% paths
on computers with the Microsoft Windows Operating System installed. These folders are often used
by malicious software to download and execute the files associated with ransomware and other
malicious software.
You could employ Software Restriction Policies [11][12] to protect systems from infection through the
use of unauthorised software. Exclude files of the following types:
- SCR
- PIF
- CPL
- EXE
- DLL
- SYS
- FON
- EFI
- OCX
Your PCs should be configured not to allow executable files to be run from the following folders:
- AppData
- LocalAppData
- Temp
- ProgramData
- Desktop
It is strongly recommended that all policies are comprehensively tested before being deployed into a
live environment.
Deploy Windows AppLocker
On computers installed with Microsoft Windows, you should consider deploying AppLocker [13] to
manage which applications can be run.
AppLocker is a more advanced way than Software Restriction Policies for managing the applications
users can access. It has several features that allow it to be centrally managed, for it to be tested more
rigorously before deployment, and create exceptions to the rules.
Deploy Microsoft EMET
The Microsoft Enhanced Mitigation Experience Toolkit (EMET) [14] is a free security utility which helps
prevent security vulnerabilities in software from being successfully exploited. It uses security
mitigation technologies as special protections and obstacles that an exploit author must defeat to
take advantage of any software vulnerabilities.
[10] https://support.office.com/en-ie/article/Enable-or-disable-ActiveX-settings-in-Office-files-f1303e08-a3f8-41c5-a17e-b0b8898743ed?ui=en-US&rs=en-IE&ad=IE
[11] https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx
[12] https://technet.microsoft.com/en-us/library/bb457006.aspx
[13] https://technet.microsoft.com/en-us/library/dd759117
[14] https://support.microsoft.com/en-ie/help/2458544/the-enhanced-mitigation-experience-toolkit
You should deploy EMET throughout your computer estate to reduce the likelihood of malicious
software, or an attacker, exploiting a software vulnerability.
Disable Macros in Office Files
You should disable macros [15] in the Microsoft Office suite of applications. Many computer viruses use
macros to download malware onto the affected PC.
Improve Visibility of Security Events
You should consider deploying a Security Information and Event Management (SIEM) solution to
provide visibility into ongoing threats within your network. This SIEM solution could either be deployed
internally, or if you do not have the required resources available, it could be outsourced to a Managed
Security Service Provider that specialises in this area.
Implement an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) Solution
A properly configured IDS/IPS solution can be a very effective platform to detect and manage threats
on a network. You should initiate a project to ensure the IDS/IPS is fully and properly deployed and
that it is regularly reviewed.
Intrusion Detection/Intrusion Prevention models can be:
Signature-Based:
This is where patterns, or signatures, of known attacks are downloaded by the system.
Network traffic is compared against these patterns to identify potential attacks. A
disadvantage for signature-based detection is that it cannot detect new attacks
because it only compares attacks against known signatures.
Anomaly-Based:
Intrusion software first needs to learn the "normal" behaviour of your network and the
types of traffic and network packets it usually handles. Then it can be put into action
when traffic is detected that is outside the normal state.
Rule-Based:
Rule-based systems employ a set of rules or protocols defined as acceptable
behaviour. The IDS analyses the behaviour of network traffic or application traffic and
if it is deemed as normal behaviour it is allowed. If the traffic is outside the norm, then
it is blocked.
Establish Baseline Network Behaviour
You should ensure that you have full visibility of how your network traffic behaves under normal
business conditions. This knowledge can then be used as a baseline to identify any unusual activity
which should then be investigated to determine whether it is the result of a potential breach or an
issue with the network.
Ensure User Access Control (UAC) is enabled on Windows
User Access Control is a security feature built into Windows Vista, 7, 8 and 10 which helps prevent
unauthorised changes to a computer. Changes can be initiated by applications, viruses or other users.
When UAC is enabled, it makes sure these changes are made only with approval from the person
using the computer or by an administrator.
Enable the Operating System to Show File Extensions
[15] https://support.office.com/en-ie/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12
Attackers can trick users into running a file infected with a computer virus by appending a hidden
extension to a filename. For example, a user receives a file called "Not Ransomware.jpg" but the file
has a hidden extension of .EXE, making the actual filename "Not Ransomware.jpg.exe". The
user, thinking the file is a picture, opens it, but because the file is an executable (.exe) file the
ransomware hidden in the file is launched. You should configure the operating system to show hidden
file extensions [16].
Disable AutoPlay
Windows' AutoPlay feature begins reading from media as soon as it is inserted into a device. You
should disable it for external media [17] to reduce the chances of an attack infecting your
device from that source. AutoPlay can also be disabled via Group Policy [18].
Implement User Behavioural Analytic (UBA) systems
In line with the network baselining recommendation, you should implement a User Behavioural
Analytic (UBA) system to identify any unusual or suspicious user activity on the network. Many
ransomware infections can be quickly identified by the high rate of file system access to network
shares as the ransomware encrypts the targeted files. UBA technologies can detect such activity
and enable you to react quickly to a ransomware infection.
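As an added example, not from the guide or from any UBA product, the Python below implements the detection the paragraph describes: it counts file modifications per user on a network share within a sliding one-minute window and raises an alert when both the event count and the number of distinct files exceed thresholds. The audit-log layout, user names, share name and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional, Tuple

# Constructed file-share audit line layout (assumption: real sources such as
# Windows object-access events or NAS audit logs need their own parser).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) share=(?P<share>\S+) op=(?P<op>\S+) path=(?P<path>.+)$"
)
MODIFY_OPS = {"WRITE", "RENAME", "DELETE"}

# Thresholds are assumptions; derive real ones from your own baseline period.
WINDOW = timedelta(seconds=60)
MAX_EVENTS_PER_WINDOW = 50
MIN_DISTINCT_FILES = 30


def parse_line(line: str) -> Optional[Dict]:
    """Parse one audit line; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_mass_modification(lines: List[str], max_events: int = MAX_EVENTS_PER_WINDOW,
                             min_files: int = MIN_DISTINCT_FILES,
                             window: timedelta = WINDOW) -> List[Dict]:
    """One alert per user whose modifications inside `window` reach max_events
    across at least min_files distinct files. Lines must be in time order
    (sort them first if the collector does not guarantee that)."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["op"] not in MODIFY_OPS:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {path for _, path in q}
        if ev["user"] in alerts or len(q) < max_events or len(distinct) < min_files:
            continue
        span = max((ev["ts"] - q[0][0]).total_seconds(), 1.0)
        alerts[ev["user"]] = {
            "user": ev["user"], "share": ev["share"], "first_seen": q[0][0],
            "events": len(q), "files": len(distinct),
            "rate_per_min": round(len(q) * 60 / span, 1),
        }
    return list(alerts.values())


def build_sample_log() -> List[str]:
    """Constructed audit log: one user saving normally, one workstation
    rewriting and renaming 120 documents in about 40 seconds."""
    start = datetime(2017, 5, 12, 9, 0, tzinfo=timezone.utc)
    share = r"\\fs01\finance"
    events: List[Tuple[datetime, str]] = []
    for i in range(6):   # bob saves a spreadsheet every two minutes
        ts = start + timedelta(minutes=2 * i)
        events.append((ts, f"{ts.isoformat()} user=bob share={share} op=WRITE path=Q2\\budget{i}.xlsx"))
    for i in range(120):  # alice's machine rewrites and renames one file every 330 ms
        ts = start + timedelta(minutes=3, milliseconds=330 * i)
        events.append((ts, f"{ts.isoformat()} user=alice share={share} op=WRITE path=Contracts\\doc{i}.docx"))
        events.append((ts, f"{ts.isoformat()} user=alice share={share} op=RENAME path=Contracts\\doc{i}.docx.locked"))
    events.sort(key=lambda e: e[0])   # stable sort keeps WRITE before RENAME
    return [line for _, line in events]


if __name__ == "__main__":
    for alert in detect_mass_modification(build_sample_log()):
        print(f"{alert['user']} modified {alert['files']} files on {alert['share']} "
              f"at {alert['rate_per_min']} events/min from {alert['first_seen']}")
```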
Implement Ad Blocking Software at the Network Perimeter
Ransomware can be deployed via compromised adverts displayed on websites. This can result in a
computer becoming infected with ransomware simply by visiting a website that is displaying the
malicious advert.
To reduce the attack surface from this vector, you should consider implementing blocking software
on your network’s firewall to prevent infections via infected advertising on websites.
Implement Network Segmentation
Consider segmenting your network to reduce the ability of computer worms, whether ransomware or
otherwise, to spread rapidly from one system to another. This will give you the ability to cut off infected
sections of the network and prevent the infection spreading further.
Run Regular Phishing Tests
You should run regular phishing simulations against staff to determine how many would potentially
fall victim to such an attack. A phishing simulation is a tool to send fake emails to staff with an
attachment or link to determine how many staff would click on the attachment or link. As most
ransomware attacks are the result of phishing emails, this type of testing, combined with an effective
cybersecurity awareness programme, can be quite effective in conditioning staff not to trust all emails
and to be cautious when dealing with emails.
You should aim for the click-through rate of staff responding to the phishing simulations to be
consistently below 15%, which is considered the industry recognised norm.
[16] https://support.microsoft.com/en-ie/help/865219/how-to-show-or-hide-file-name-extensions-in-windows-explorer
[17] https://blogs.technet.microsoft.com/danstolts/2012/02/how-to-turn-on-or-off-autoplay-features-in-windows-7change-what-programs-and-media-are-used-in-autoplay/
[18] https://support.microsoft.com/en-ie/help/2328787/disabling-autoplay-through-group-policy-or-the-registry-will-cause-hotstart-buttons-to-not-function-on-microsoft-windows-7-and-microsoft-windows-vista
Staff who consistently fail the phishing simulations should be given additional security awareness
training and/or have additional technical controls and restrictions placed on their systems.
Ensure Appropriate Training for Technical Staff
You should develop a technical training programme to ensure that technical staff have the relevant
training to enable them to confidently manage the various security platforms installed in your
environment.
Upgrade to Latest Version of Windows
You should upgrade computers with Microsoft Windows installed on them to the latest version of the
operating system. At the time of writing, Windows 10 Professional is considered to be one of the
most secure desktop operating systems [19].
Implement Threat Intelligence
You should subscribe to reliable threat intelligence services which would provide you with Indicators
of Compromise (IoCs) and other data which could be used to identify malware threats within your
network. These will regularly update you with details of malicious and suspicious URLs, domains, and
IP addresses on the internet, to which you can then block access from your network.
Although several of these threat intelligence services are commercial and require a subscription, there
are open source options available such as the Malware Information Sharing Project (MISP) [20]. This is
a free threat sharing platform which enables organisations to share information on security incidents
to help other organisations better protect themselves.
Deploy Honeypots
You should deploy honeypots on your network to help you proactively detect an intrusion on your
network, including intrusions relating to ransomware. A honeypot system is a decoy set up to look like
a live system; any activity on it could be a strong indicator that the network is compromised.
Honeypots can be an effective tool if used correctly; however, caution is advised when working with
honeypots to ensure they do not adversely impact your environment and are not compromised by
attackers and used to attack other systems within your network, or indeed systems external to your
organisation. ENISA has a very good paper on how best to deploy honeypots [21].
Implement appropriate Rights/Permissions for users
You should create and maintain users’ rights and permission sets within their network operating
system. Users should only be issued the rights/permissions required for their job role. If they change
role within the organisation, then their rights/permissions need to change accordingly.
Monitor Domain Name System (DNS) Logs for Unusual Activity
DNS servers keep logs which record all the domains and networks accessed by
devices on your network. Regular monitoring of the DNS server logs could identify traffic being relayed
to or from unusual hosts which may not be associated with normal business activity. Such unusual
traffic could indicate a malware infection.
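As an added example, not from the guide, the Python below builds a baseline of domains from a constructed week of DNS query logs and then flags, in a later log, lookups of domains absent from the baseline and lookups matching a threat-intelligence list, so it also illustrates the Establish Baseline Network Behaviour and Implement Threat Intelligence recommendations above. All log lines, client addresses, domains and indicator values are constructed placeholders, and the log layout is an assumption rather than any resolver's real format.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Set

# Constructed DNS query log layout (assumption: BIND query logs or Windows DNS
# analytic logs have their own formats and would need their own regex).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)

# Constructed baseline: ordinary lookups from a quiet week (abridged). All names
# use documentation or reserved domains and are placeholders.
BASELINE_LOG = """
2017-05-01T08:00:01Z client=10.0.1.23 qname=intranet.example.com qtype=A
2017-05-01T08:00:02Z client=10.0.1.23 qname=mail.example.com qtype=A
2017-05-01T08:05:10Z client=10.0.1.40 qname=cdn.example-vendor.net qtype=A
2017-05-02T09:12:44Z client=10.0.1.40 qname=www.example.org qtype=AAAA
2017-05-03T11:30:00Z client=10.0.1.23 qname=updates.example-vendor.net qtype=A
""".strip().splitlines()

# Constructed detection window: the same estate one week later.
NEW_LOG = """
2017-05-12T08:00:03Z client=10.0.1.23 qname=intranet.example.com qtype=A
2017-05-12T08:01:15Z client=10.0.1.23 qname=beacon.c2-feed.test qtype=A
2017-05-12T08:01:16Z client=10.0.1.23 qname=beacon.c2-feed.test qtype=A
2017-05-12T08:07:40Z client=10.0.1.40 qname=www.example.org qtype=A
2017-05-12T08:09:02Z client=10.0.1.55 qname=sync.newsaas.test qtype=A
2017-05-12T08:09:05Z client=10.0.1.40 qname=sync.newsaas.test qtype=A
""".strip().splitlines()

# Constructed threat-intelligence entries (placeholders, not real indicators).
IOC_DOMAINS: Set[str] = {"c2-feed.test"}


def registrable_domain(qname: str) -> str:
    """Collapse a query name to its last two labels. Assumption: adequate for the
    sample data; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def build_baseline(lines: Iterable[str]) -> Set[str]:
    """Set of registrable domains seen during normal business operation."""
    return {registrable_domain(ev["qname"]) for ev in parse(lines)}


def find_unusual_queries(lines: Iterable[str], baseline: Set[str], iocs: Set[str]) -> List[Dict]:
    """Flag IoC matches (once per client and domain) and domains absent from the
    baseline, listing which clients looked each new domain up."""
    alerts: List[Dict] = []
    seen_ioc = set()
    new_domains: Dict[str, Set[str]] = defaultdict(set)
    for ev in parse(lines):
        dom = registrable_domain(ev["qname"])
        if dom in iocs or ev["qname"].lower().rstrip(".") in iocs:
            key = (ev["client"], dom)
            if key not in seen_ioc:
                seen_ioc.add(key)
                alerts.append({"type": "ioc_match", "client": ev["client"],
                               "domain": dom, "first_seen": ev["ts"]})
        elif dom not in baseline:
            new_domains[dom].add(ev["client"])
    for dom, clients in sorted(new_domains.items()):
        alerts.append({"type": "new_domain", "domain": dom, "clients": sorted(clients)})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for alert in find_unusual_queries(NEW_LOG, baseline, IOC_DOMAINS):
        print(alert)
```

A new domain is not proof of infection; the alert is the trigger to investigate whether the lookup matches a business change or an infection, as the paragraph above advises.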
[19] https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/
[20] http://www.misp-project.org/index.html
[21] https://www.enisa.europa.eu/topics/csirt-cert-services/proactive-services/proactive-detection
Review Security of Mobile Devices
You should note that ransomware is migrating towards mobile devices [22] such as smartphones and
tablets, and it would be prudent for you to review the security of mobile devices to include:
- Ensuring anti-malware software is installed, running, and regularly updated on mobile devices
- Ensuring software and operating system patches are applied in a timely manner
- Ensuring sensitive data is backed up from mobile devices.
[22] https://us.norton.com/internetsecurity-mobile-what-is-mobile-ransomware.html
Data security   brian honanData security   brian honan
Data security brian honan
Brian Honan
 
Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...
Brian Honan
 
Incident Response in the Cloud
Incident Response in the CloudIncident Response in the Cloud
Incident Response in the Cloud
Brian Honan
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
Brian Honan
 
Bridging the air gap
Bridging the air gapBridging the air gap
Bridging the air gap
Brian Honan
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
Brian Honan
 
Learning from History
Learning from HistoryLearning from History
Learning from History
Brian Honan
 
Incident response cloud
Incident response cloudIncident response cloud
Incident response cloud
Brian Honan
 
Preparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponsePreparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident Response
Brian Honan
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log management
Brian Honan
 
Cloud security
Cloud securityCloud security
Cloud security
Brian Honan
 
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & ScreenLayer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
Brian Honan
 
Creating a CERT at WARP Speed
Creating a CERT at WARP SpeedCreating a CERT at WARP Speed
Creating a CERT at WARP Speed
Brian Honan
 
The Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsThe Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure Laws
Brian Honan
 
Ic Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhIc Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp Bh
Brian Honan
 
Knowing Me Knowing You
Knowing Me Knowing YouKnowing Me Knowing You
Knowing Me Knowing You
Brian Honan
 

More from Brian Honan (20)

Brian honan ipexpo keynote
Brian honan ipexpo keynoteBrian honan ipexpo keynote
Brian honan ipexpo keynote
 
GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?
 
Brian honan
Brian honanBrian honan
Brian honan
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internet
 
Data security brian honan
Data security   brian honanData security   brian honan
Data security brian honan
 
Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...
 
Incident Response in the Cloud
Incident Response in the CloudIncident Response in the Cloud
Incident Response in the Cloud
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Bridging the air gap
Bridging the air gapBridging the air gap
Bridging the air gap
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
 
Learning from History
Learning from HistoryLearning from History
Learning from History
 
Incident response cloud
Incident response cloudIncident response cloud
Incident response cloud
 
Preparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponsePreparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident Response
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log management
 
Cloud security
Cloud securityCloud security
Cloud security
 
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & ScreenLayer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
 
Creating a CERT at WARP Speed
Creating a CERT at WARP SpeedCreating a CERT at WARP Speed
Creating a CERT at WARP Speed
 
The Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsThe Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure Laws
 
Ic Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhIc Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp Bh
 
Knowing Me Knowing You
Knowing Me Knowing YouKnowing Me Knowing You
Knowing Me Knowing You
 

Recently uploaded

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 

Recently uploaded (20)

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 

Ransomware Prevention Guide

Block Outgoing I2P Traffic
Ransomware often employs the Invisible Internet Project (I2P) [1], an overlay network and darknet that allows applications to send messages to each other pseudonymously and securely. You should consider blocking all outgoing I2P and other unnecessary peer-to-peer network traffic at the firewalls on the perimeter of your network. This will prevent infected computers communicating with their command-and-control infrastructure and receiving further instructions. Note that I2P and similar overlays can be tunnelled over arbitrary ports, so a deny-by-default egress policy that permits only known business protocols is more robust than blocking individual ports.

Review Backup Process
One of the most effective ways to recover from a ransomware infection is to have a comprehensive and up-to-date backup in place. You should regularly review your backup processes to:
• Ensure all relevant data is being backed up
• Ensure the backups are completed successfully
• Ensure the backup media is protected from being overwritten by ransomware
• Implement the 3-2-1 backup rule: have at least three copies of the most valuable data, keep two of them on different external media, and store one copy offsite.

Conduct Regular Testing of Restore Process from Backup Tapes
While backing up data is a critical process, equally important is the ability to restore the data successfully when needed.
You should conduct regular tests to restore data from backups to:
• Ensure the restore process works as expected
• Ensure that data has been properly backed up
• Ensure the data has not been modified or altered by ransomware
• Ensure the timely recovery of critical data.

Enhance Email Security with DMARC, SPF and DKIM
By analysing publicly available DNS information relating to an organisation's email configuration, it is possible to see whether Domain-based Message Authentication, Reporting & Conformance (DMARC) [2] is implemented. DMARC can help to reduce the amount of fraudulent email which may contain ransomware. Implementing DMARC also protects against other security risks such as phishing, spoofing and CEO fraud. It is recommended that you implement DMARC for your email systems [3][4].

[1] https://geti2p.net/
[2] https://dmarc.org/
[3] https://dmarc.globalcyberalliance.org/index.html
[4] http://cert.europa.eu/static/WhitePapers/Updated-CERT-EU_Security_Whitepaper_DMARC_17-001_v1_2.pdf
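One way to turn the backup review and restore test above into a check that can be scripted rather than eyeballed, as an added example that is not part of the original guide: at backup time, record a SHA-256 manifest of every file and authenticate the manifest with an HMAC under a key kept off the backup media; at restore time, compare the restored tree against the manifest and report what is intact, modified, missing or new. The directory layout, file contents, ransom-note name and the key are constructed for the demonstration, and the whole run happens inside a temporary directory.

```python
"""Added example: SHA-256 backup manifest with HMAC, verified after a test restore."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: this key lives off the backup media (e.g. with the offsite copy),
# so malware that can rewrite the backup cannot also forge the manifest.
MANIFEST_KEY = b"constructed-demo-key-replace-with-32-random-bytes"


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_tag(files: dict) -> str:
    """HMAC over the canonical (sorted-key) JSON encoding of the file table."""
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def build_manifest(root: Path) -> dict:
    """Taken at backup time; store it with the offsite copy, not only on the backup target."""
    files = hash_tree(root)
    return {"files": files, "hmac": manifest_tag(files)}


def manifest_is_authentic(manifest: dict) -> bool:
    return hmac.compare_digest(manifest_tag(manifest["files"]), manifest["hmac"])


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Classify every path after a test restore; refuse an unauthenticated manifest."""
    if not manifest_is_authentic(manifest):
        raise ValueError("manifest HMAC does not verify; do not trust this backup")
    expected, actual = manifest["files"], hash_tree(restored)
    return {
        "ok": sorted(k for k in expected if actual.get(k) == expected[k]),
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "unexpected": sorted(k for k in actual if k not in expected),
    }


def demo() -> dict:
    """Constructed scenario: back up three files, restore them, then simulate ransomware
    touching the restored copy (one file encrypted in place, one renamed, a note dropped)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp) / "live", Path(tmp) / "restored"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet")
        (live / "notes.txt").write_bytes(b"constructed notes")
        (live / "logo.png").write_bytes(b"\x89PNG constructed image")
        manifest = build_manifest(live)
        shutil.copytree(live, restored)
        (restored / "notes.txt").write_bytes(os.urandom(24))
        (restored / "logo.png").rename(restored / "logo.png.locked")
        (restored / "README_DECRYPT.txt").write_bytes(b"constructed ransom note")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC is what makes the "has the data been altered by ransomware" check meaningful: a plain hash list stored next to the backup can be regenerated by whatever encrypted the files, whereas `verify_restore` refuses a manifest whose tag does not verify under the offline key. Run it against every scheduled test restore and treat any non-empty "modified" or "missing" list as a failed restore.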
It is also recommended that you regularly review the configuration of your email servers to ensure that Sender Policy Framework (SPF) [5] and DomainKeys Identified Mail (DKIM) [6] are properly configured. DMARC relies on both: a message passes DMARC only if at least one of SPF or DKIM passes and aligns with the visible From: domain, so all three need to be deployed together.

Review Your Incident Response Process
You should develop a comprehensive Incident Response Process that includes how to deal with ransomware infections. This process should define how incidents are prioritised, recorded, managed, remediated, recovered from, and escalated where necessary. This process should also include:
• Referring to the NoMoreRansom [7] website to see if decryption keys are available for the ransomware being dealt with.
• Understanding what conditions call for the issue to be reported to your local law enforcement agency. Refer to the Europol website to determine how you can report issues in your jurisdiction.
• Understanding whether you will need to report an issue to relevant regulators.
You should also develop a range of Standard Operating Procedures to manage security incidents. There are resources available from the European Union Agency for Network and Information Security (ENISA) in relation to incident response [8]. In addition, you should review the Incident Response Methodologies [9] published by the Computer Emergency Response Team for Société Générale.

Implement a Robust Cybersecurity Awareness Training Programme
Technical controls may not detect and contain all ransomware, or indeed all malware, especially given the rapidly evolving nature of these threats. In this event, the last line of defence is the end user who receives the email or browses the web. Therefore, it is essential that all users are properly empowered to identify security threats and deal with them accordingly. You should review your current security awareness training programme to ensure that it is appropriately resourced and that it targets all users.
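A checker for the DMARC, SPF and DKIM recommendations above, as an added example that is not from the original guide. It evaluates TXT records offline rather than querying DNS, so the record strings are constructed for the hypothetical domains example.com and example.org; in practice you would fetch them with a resolver and pass them in. The DKIM selector cannot be discovered from DNS alone and has to be taken from the s= tag of a DKIM-Signature header on a real message from the domain.

```python
"""Added example: offline evaluation of DMARC, SPF and DKIM TXT records."""
import re

# Constructed TXT records for the hypothetical domains example.com and example.org,
# keyed by the DNS name they would be published at.
SAMPLE_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all",
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:agg@example.org",
    "example.org": "v=spf1 ip4:198.51.100.10 -all",
    "s1._domainkey.example.org": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed",
}
# Terms that cost a DNS lookup and count toward RFC 7208's limit of 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(txt: str) -> dict:
    """'v=DMARC1; p=reject; ...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_spf(txt: str):
    """Return the qualifier on 'all' and the number of lookup-causing terms, or None if not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier = "+"                      # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def dkim_key_published(domain: str, selector: str, records: dict) -> bool:
    """The selector comes from the s= tag of a real message's DKIM-Signature header."""
    txt = records.get(f"{selector}._domainkey.{domain}")
    if not txt:
        return False
    tags = parse_dmarc(txt)                  # same 'tag=value; tag=value' syntax
    return bool(tags.get("p"))               # an empty p= means the key was revoked


def assess_domain(domain: str, records: dict) -> dict:
    """Summarise what the published records actually enforce for this domain."""
    issues, policy, spf_all = [], None, None
    dmarc = records.get(f"_dmarc.{domain}", "")
    if not dmarc.lower().startswith("v=dmarc1"):
        issues.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p")
        if policy not in ("none", "quarantine", "reject"):
            issues.append("DMARC p= tag missing or invalid")
        elif policy == "none":
            issues.append("DMARC p=none only monitors; spoofed mail is still delivered")
        if int(tags.get("pct", "100")) < 100:
            issues.append("DMARC pct<100 applies the policy to only part of the mail stream")
        if "rua" not in tags:
            issues.append("no rua= address, so aggregate reports are never received")
    spf = parse_spf(records.get(domain, ""))
    if spf is None:
        issues.append("no SPF record")
    else:
        spf_all = spf["all"]
        if spf_all == "+":
            issues.append("SPF +all authorises every host on the internet to send as this domain")
        elif spf_all in (None, "?"):
            issues.append("SPF ends neutral; unlisted senders are treated as unknown, not as failures")
        elif spf_all == "~":
            issues.append("SPF ~all is a softfail; enforcement then depends on the DMARC policy")
        if spf["lookups"] > 10:
            issues.append("SPF needs more than 10 DNS lookups and will evaluate to permerror")
    return {"domain": domain, "dmarc_policy": policy, "spf_all": spf_all, "issues": issues}


if __name__ == "__main__":
    for name in ("example.com", "example.org"):
        print(assess_domain(name, SAMPLE_RECORDS))
```

The two constructed domains show the difference that matters: example.com has published records but enforces nothing (p=none, ~all), which is the state many organisations stop at, while example.org rejects unaligned mail. Move from p=none to p=quarantine and then p=reject only after the aggregate (rua=) reports show that all legitimate sending services pass.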
Although technical controls can minimise the risk posed by various threats, the human factor needs to be constantly managed. If people are not made aware of the threats posed to their systems or data, of the reasons why certain policies and controls are in place, or of how to react to a suspected security breach, then the risk of a security breach occurring increases significantly. The security awareness programme should be tailored to the audience. For example, developers should have a different programme, focused on topics relevant to their role, compared to the programme aimed at the sales and marketing function.

Ensure Anti-Virus Software is Updated and All Features Enabled
You should ensure that all PCs have up-to-date anti-virus software installed and that it is regularly updated with the latest software updates, virus signatures and security features. In addition, you should ensure that the anti-virus suite deployed on all PCs has all of its anti-malware features enabled, so that any unusual behaviour that may indicate an infection can be quickly identified.

Ensure All Operating System and Software Patches Are Applied
You should ensure that all PCs have the latest operating system and software updates deployed and applied in a timely manner. You should investigate and implement a means to keep all PCs and laptops patched with the latest updates for all software applications installed on those computers, not only the operating system but also third-party applications such as browsers and document readers.

[5] http://www.openspf.org/
[6] http://www.dkim.org/
[7] https://www.nomoreransom.org/
[8] https://www.enisa.europa.eu/topics/csirt-cert-services
[9] https://cert.societegenerale.com/en/publications.html

Disable ActiveX in Office Files
You should disable ActiveX [10] content in the Microsoft Office suite of applications. Many computer viruses use macros to take advantage of ActiveX controls and download malware onto the affected PC. This is particularly recommended for any organisation running devices with a Microsoft operating system earlier than Windows 10.

Block Executable Files from the %APPDATA% and %TEMP% Paths
You should look at methods to block executable files from running out of the %APPDATA% and %TEMP% paths on computers running the Microsoft Windows operating system. These folders are often used by malicious software to download and execute the files associated with ransomware and other malware, because an ordinary user can write to them without administrative rights. You can employ Software Restriction Policies [11][12] to protect systems from infection through the use of unauthorised software. Block execution of files with the following extensions:
• SCR
• PIF
• CPL
• EXE
• DLL
• SYS
• FON
• EFI
• OCX
PCs should be configured not to allow executable files to be run from the following folders:
• AppData
• LocalAppData
• Temp
• ProgramData
• Desktop
It is strongly recommended that all policies are comprehensively tested before being deployed into a live environment, as overly broad rules will also block legitimate per-user installers and updaters that live in these folders.

Deploy Windows AppLocker
On computers running Microsoft Windows, you should consider deploying AppLocker [13] to manage which applications can be run. AppLocker is a more advanced way than Software Restriction Policies of managing the applications users can access. It can be centrally managed through Group Policy, run in audit-only mode so that rules can be tested more rigorously before they are enforced, and supports exceptions to rules.

Deploy Microsoft EMET
The Microsoft Enhanced Mitigation Experience Toolkit (EMET) [14] is a free security utility which helps prevent security vulnerabilities in software from being successfully exploited.
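A dry run of the path and extension rules listed above, as an added example that is not part of the original guide and not Software Restriction Policies themselves. Before deploying the policy, feed it the paths of programs that actually run on a sample of machines (for instance from process-creation logs) and review what it would block. The resolved folder locations for the hypothetical user alice and the single exception rule are assumptions; the rules evaluate the final extension only, so a double-extension file such as "Not Ransomware.jpg.exe" is still caught, and a path that reaches a blocked folder through ".." is normalised before it is matched.

```python
"""Added example: dry run of the path/extension blocking rules over a sample of program paths."""
import ntpath
import re

BLOCKED_EXTENSIONS = {".scr", ".pif", ".cpl", ".exe", ".dll", ".sys", ".fon", ".efi", ".ocx"}

# Assumed resolution of the profile variables for a hypothetical user 'alice'.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "PROGRAMDATA": r"C:\ProgramData",
    "USERPROFILE": r"C:\Users\alice",
}
BLOCKED_FOLDERS = ["%APPDATA%", "%LOCALAPPDATA%", "%TEMP%", "%PROGRAMDATA%", r"%USERPROFILE%\Desktop"]
# Hypothetical exception for a per-user installed application that must keep working.
ALLOWED_PREFIXES = [r"%LOCALAPPDATA%\Microsoft\Teams"]


def expand(path: str) -> str:
    """Replace %VAR% references from the table above (unknown variables are left as-is)."""
    return re.sub(r"%([A-Za-z_]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def normalise(path: str) -> str:
    """Expand variables, collapse '..' segments and fold case, as the rule engine would."""
    return ntpath.normcase(ntpath.normpath(expand(path)))


def is_under(path: str, folder: str) -> bool:
    """True if path is inside folder; the trailing separator stops 'Roaming2' matching 'Roaming'."""
    return normalise(path).startswith(normalise(folder).rstrip("\\") + "\\")


def verdict(path: str):
    """('allow' | 'block', reason) for one program path under the rules above."""
    full = normalise(path)
    ext = ntpath.splitext(full)[1]            # final extension only: 'x.jpg.exe' -> '.exe'
    if ext not in BLOCKED_EXTENSIONS:
        return "allow", f"extension {ext or '(none)'} is not in the blocked list"
    for allowed in ALLOWED_PREFIXES:
        if is_under(full, allowed):
            return "allow", f"exception rule for {allowed}"
    for folder in BLOCKED_FOLDERS:
        if is_under(full, folder):
            return "block", f"{ext} file under {folder}"
    return "allow", "outside the user-writable folders covered by the policy"


def dry_run(paths):
    """Evaluate observed program paths; review the 'block' rows before deploying the policy."""
    return [(p, *verdict(p)) for p in paths]


if __name__ == "__main__":
    # Constructed sample of paths as they might appear in process-creation logs.
    sample = [
        r"C:\Program Files\Vendor\app.exe",
        r"%APPDATA%\Not Ransomware.jpg.exe",
        r"C:\Windows\..\Users\alice\AppData\Local\Temp\drop.scr",
        r"C:\Users\alice\AppData\Roaming2\tool.exe",
        r"%LOCALAPPDATA%\Microsoft\Teams\Update.exe",
        r"%APPDATA%\invoice.pdf",
    ]
    for path, decision, reason in dry_run(sample):
        print(f"{decision:5} {path}  ({reason})")
```

This models only the path and file-type rules from the list. AppLocker additionally covers scripts, installers and packaged apps and can match on publisher signature or file hash, so treat the simulation as a test of the path rules, not of the whole policy.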
It applies security mitigation technologies as additional protections and obstacles that an exploit author must defeat to take advantage of a software vulnerability.

[10] https://support.office.com/en-ie/article/Enable-or-disable-ActiveX-settings-in-Office-files-f1303e08-a3f8-41c5-a17e-b0b8898743ed?ui=en-US&rs=en-IE&ad=IE
[11] https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx
[12] https://technet.microsoft.com/en-us/library/bb457006.aspx
[13] https://technet.microsoft.com/en-us/library/dd759117
[14] https://support.microsoft.com/en-ie/help/2458544/the-enhanced-mitigation-experience-toolkit
You should deploy EMET throughout your computer estate to reduce the likelihood of malicious software, or an attacker, exploiting a software vulnerability. Note that Microsoft has since retired EMET; on Windows 10 and later the equivalent mitigations are built into the operating system as Exploit Protection (part of Windows Defender Exploit Guard) and should be used instead.

Disable Macros in Office Files
You should disable macros [15] in the Microsoft Office suite of applications. Many computer viruses use macros to download malware onto the affected PC. Where a business process genuinely needs macros, allow only digitally signed macros or macros from trusted locations rather than enabling them globally.

Improve Visibility of Security Events
You should consider deploying a Security Information and Event Management (SIEM) solution to provide visibility into ongoing threats within your network. This SIEM solution could either be deployed internally or, if you do not have the required resources available, outsourced to a Managed Security Service Provider that specialises in this area.

Implement an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) Solution
A properly configured IDS/IPS solution can be a very effective platform to detect and manage threats on a network. You should initiate a project to ensure the IDS/IPS is fully and properly deployed and that it is regularly reviewed. Intrusion detection/prevention models can be:
Signature-Based: Patterns, or signatures, of known attacks are downloaded by the system and network traffic is compared against them to identify potential attacks. The disadvantage of signature-based detection is that it cannot detect new attacks, because it only compares traffic against known signatures.
Anomaly-Based: The intrusion software first needs to learn the "normal" behaviour of your network and the types of traffic and packets it usually handles. It can then be put into action to flag traffic that departs from that normal state.
Rule-Based: Rule-based systems employ a set of rules or protocols that define acceptable behaviour.
The IDS analyses the behaviour of network or application traffic; if it conforms to the defined rules it is allowed, and if it is outside them it is blocked.

Establish Baseline Network Behaviour
You should ensure that you have full visibility of how your network traffic behaves under normal business conditions. This knowledge can then be used as a baseline to identify any unusual activity, which should then be investigated to determine whether it is the result of a potential breach or an issue with the network.

Ensure User Account Control (UAC) is Enabled on Windows
User Account Control is a security feature built in to Windows Vista, 7, 8 and 10 which helps prevent unauthorised changes to a computer. Changes can be initiated by applications, viruses or other users. When UAC is enabled, these changes are made only with approval from the person using the computer or from an administrator. UAC is not a security boundary against code already running as the logged-on user; its value is that it prompts before a change that needs administrative rights, which is also why users should not routinely work from administrator accounts.

[15] https://support.office.com/en-ie/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12

Enable the Operating System to Show File Extensions
Attackers can trick users into running a file infected with a computer virus by appending a hidden extension to a filename. For example, a user receives a file called “Not Ransomware.jpg” but the file has a hidden extension of .EXE, making the actual filename “Not Ransomware.jpg.exe”. The user, thinking the file is a picture, opens it, but because the file is an executable (.exe) file, the ransomware hidden in the file is launched. You should change the operating system to show hidden file extensions [16].

Disable AutoPlay

Windows’ AutoPlay feature begins reading from media as soon as it is inserted into a device. You should disable it when plugging in external media [17] to reduce the chances of an attack infecting your device from that source. AutoPlay can also be disabled via Group Policy [18].

Implement User Behavioural Analytic (UBA) Systems

In line with the Network Baselining recommendation, you should implement a User Behavioural Analytic (UBA) system to identify any unusual or suspicious user activity on the network. Many ransomware infections can be quickly identified by the high rate of file system access to network shares as the ransomware encrypts the targeted files. UBA technologies can detect such activity and enable you to react proactively to a ransomware infection.

Implement Ad Blocking Software at the Network Perimeter

Ransomware can be deployed via compromised adverts displayed on websites. This can result in a computer becoming infected with ransomware simply by visiting a website that is displaying the malicious advert. To reduce the attack surface from this vector, you should consider implementing ad blocking software on your network’s firewall to prevent infections via infected advertising on websites.
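The two detections described above, the burst of file-share writes that a UBA system looks for and the hidden double extension (“Not Ransomware.jpg.exe”), as an added Python example that is not part of the original guide. The audit-line format, the baseline write rates, the sample events and the alert thresholds are all constructed assumptions, not any product's real log schema or tuning.

```python
import re
from collections import defaultdict
from datetime import datetime

# Audit-line format and baseline figures are hypothetical, constructed for this
# example; they are not any file server's real log schema.
EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>.+)$")
BASELINE_WRITES_PER_MIN = {"alice": 3.0, "bob": 2.0}   # learned during normal hours

def build_sample_events():
    """Constructed sample: alice writes two files; bob's account rewrites 120
    files in two minutes, each gaining a new extension, as an encrypting
    ransomware process would."""
    lines = [f"2017-03-01T09:00:{s:02d} user=alice op=WRITE path=\\\\fs01\\finance\\doc{s}.xlsx"
             for s in (1, 40)]
    lines += [f"2017-03-01T09:{s // 60:02d}:{s % 60:02d} user=bob op=WRITE "
              f"path=\\\\fs01\\sales\\file{s}.docx.locked" for s in range(120)]
    return "\n".join(lines)

def parse_events(text):
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def detect_encryption_bursts(text, baseline, factor=10.0, min_writes=20):
    """Return {user: peak writes in one minute} for users whose write rate in
    any one-minute window exceeds factor x their baseline (and min_writes)."""
    per_window = defaultdict(int)
    for ev in parse_events(text):
        if ev["op"] in ("WRITE", "RENAME"):
            per_window[(ev["user"], ev["ts"].replace(second=0))] += 1
    alerts = {}
    for (user, _), count in per_window.items():
        if count > max(min_writes, factor * baseline.get(user, 1.0)):
            alerts[user] = max(count, alerts.get(user, 0))
    return alerts

EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"jpg", "jpeg", "png", "pdf", "doc", "docx", "xls", "xlsx", "txt"}

def is_disguised_executable(filename):
    """True for names like 'Not Ransomware.jpg.exe': a benign-looking extension
    followed by an executable one that Explorer hides by default."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXTS and parts[1] in DECOY_EXTS
```

The extension check is the kind of rule a mail gateway or download filter can apply before a user ever sees the file; the burst detector is the UBA-style rule, run here over the constructed audit lines.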
Implement Network Segmentation

Consider segmenting your network to reduce the ability of computer worms, whether ransomware or otherwise, to spread rapidly from one system to another. This will give you the ability to cut off infected sections of the network and prevent the infection from spreading further.

Run Regular Phishing Tests

You should run regular phishing simulations against staff to determine how many would potentially fall victim to such an attack. A phishing simulation is a tool that sends fake emails to staff with an attachment or link to determine how many staff would click on the attachment or link. As most ransomware attacks are the result of phishing emails, this type of testing, combined with an effective cybersecurity awareness programme, can be quite effective in conditioning staff not to trust all emails and to be cautious when dealing with them. You should aim for the click-through rate of staff responding to the phishing simulations to be consistently below 15%, which is considered the industry recognised norm.

16 https://support.microsoft.com/en-ie/help/865219/how-to-show-or-hide-file-name-extensions-in-windows-explorer
17 https://blogs.technet.microsoft.com/danstolts/2012/02/how-to-turn-on-or-off-autoplay-features-in-windows-7change-what-programs-and-media-are-used-in-autoplay/
18 https://support.microsoft.com/en-ie/help/2328787/disabling-autoplay-through-group-policy-or-the-registry-will-cause-hotstart-buttons-to-not-function-on-microsoft-windows-7-and-microsoft-windows-vista
Staff who consistently fail the phishing simulations should be given additional security awareness training and/or have additional technical controls and restrictions placed on their systems.

Ensure Appropriate Training for Technical Staff

You should develop a technical training programme to ensure that technical staff have the relevant training to enable them to confidently manage the various security platforms installed in your environment.

Upgrade to Latest Version of Windows

You should upgrade computers with Microsoft Windows installed on them to the latest version of the operating system. At the time of writing, Windows 10 Professional is considered to be one of the most secure desktop operating systems [19].

Implement Threat Intelligence

You should subscribe to reliable threat intelligence services which provide you with Indicators of Compromise (IoCs) and other data that can be used to identify malware threats within your network. These will regularly update you with details of malicious and suspicious URLs, domains and IP addresses on the internet, to which you can then block access from your network. Although several of these threat intelligence services are commercial and require a subscription, there are open source options available such as the Malware Information Sharing Project (MISP) [20]. This is a free threat sharing platform which enables organisations to share information on security incidents to help other organisations better protect themselves.

Deploy Honeypots

You should deploy honeypots on your network to help you proactively detect an intrusion, including intrusions relating to ransomware. A honeypot system is a decoy set up to look like a live system; any activity on it could be a strong indicator that the network is compromised.
Honeypots can be an effective tool if used correctly; however, caution is advised when working with honeypots to ensure they do not adversely impact your environment or become compromised by attackers and used to attack other systems within your network, or indeed systems external to your organisation. ENISA has a very good paper on how best to deploy honeypots [21].

Implement Appropriate Rights/Permissions for Users

You should create and maintain users’ rights and permission sets within their network operating system. Users should only be issued the rights/permissions required for their job role. If they change role within the organisation, then their rights/permissions need to change accordingly.

Monitor Domain Name System (DNS) Logs for Unusual Activity

DNS servers have logs which contain records of all the domains and networks accessed by devices on your network. Regular monitoring of the DNS server logs could identify traffic being relayed to or from unusual hosts which may not be associated with normal business activity. This unusual traffic could indicate a malware infection.

19 https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/
20 http://www.misp-project.org/index.html
21 https://www.enisa.europa.eu/topics/csirt-cert-services/proactive-services/proactive-detection
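The DNS log review recommended above, combined with the IoC list a threat intelligence feed such as MISP would supply, as an added Python example that is not part of the original guide. The log line format, the baseline and live log lines and the placeholder IoC domain are constructed assumptions; a real deployment would read the resolver's own query log and a feed export instead.

```python
import re
from collections import defaultdict
# Constructed DNS query log lines in a simplified, hypothetical format
# "<client-ip> <query-name> <record-type>"; not a real resolver's log schema.
BASELINE_LOG = """\
10.0.1.20 www.example.com A
10.0.1.20 mail.example.com A
10.0.1.21 update.vendor.example A
10.0.1.21 www.example.com A
"""
LIVE_LOG = """\
10.0.1.20 www.example.com A
10.0.1.20 mail.example.com A
10.0.1.21 www.example.com A
10.0.1.21 static.cdn.example.org A
10.0.1.21 c2-placeholder.example.net A
"""
# Placeholder indicators standing in for a threat-intelligence feed such as
# MISP (constructed for the example, not real IoCs).
IOC_DOMAINS = {"c2-placeholder.example.net"}

LINE_RE = re.compile(r"^(?P<client>\d+\.\d+\.\d+\.\d+)\s+(?P<qname>\S+)\s+\S+$")

def parse_dns_log(text):
    """Yield (client, query name) pairs, lower-cased with no trailing dot."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["client"], m["qname"].rstrip(".").lower()

def registrable_domain(qname):
    return ".".join(qname.split(".")[-2:])  # rough approximation: last two labels

def learn_baseline(text):
    """Registrable domains seen during a known-good period (the baseline)."""
    return {registrable_domain(q) for _, q in parse_dns_log(text)}

def matches_ioc(qname, iocs):
    return any(qname == ioc or qname.endswith("." + ioc) for ioc in iocs)

def find_unusual_queries(text, baseline, iocs):
    """Return (IoC hits, {client: queries to domains absent from the baseline})."""
    ioc_hits, new_domains = [], defaultdict(list)
    for client, qname in parse_dns_log(text):
        if matches_ioc(qname, iocs):
            ioc_hits.append((client, qname))
        elif registrable_domain(qname) not in baseline:
            new_domains[client].append(qname)
    return ioc_hits, dict(new_domains)
```

An IoC hit is worth an immediate alert, while a first-seen domain is a triage queue item to confirm against business activity before blocking.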
Review Security of Mobile Devices

You should note that ransomware is migrating towards mobile devices [22] such as smartphones and tablets, and it would be prudent for you to review the security of mobile devices to include:

• Ensuring anti-malware software is installed, running, and regularly updated on mobile devices
• Software and operating system patches are applied in a timely manner
• Sensitive data is backed up from mobile devices.

22 https://us.norton.com/internetsecurity-mobile-what-is-mobile-ransomware.html