Tuesday, April 05, 2016

You Really Got Me

Late last week, in an almost unprecedented joint warning by the US and Canadian Governments, we were treated to an almost apocalyptic notice about the latest scourge of the internet, ransomware.
You know what? It is about time. The threat of someone holding your data encrypted and only giving it back if you send them money is thuggery at its lowest. "Nice data youse got there. It would be a shame if sometin' was to happen to it, eh?"
The simple truth is that the entire vector of this particularly venal form of malware is through social engineering, better known as the junction between poor training and simple human error. Nearly every reported instance of ransomware has been invited in by someone clicking on an email attachment. Every one.
Here's the recommendation from the very smart guys at US-CERT:
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
What this leaves out is that very important protection: user training. It is vitally important that your personnel be trained regularly in security awareness and the many, many methods of social engineering. Once a year, to check off some compliance form, is not enough. To be truly effective, there needs to be at least quarterly training that is interesting and really scary, and that keeps the importance of constant vigilance at the forefront of your users' attention. Supplement this with reminders like calendars, screen savers and posters. Make it a part of the fabric of everyday workflow. Have everyone repeating the mantra that Security is Everyone's Responsibility. Because it is, and it is past time that we stop relying on technical controls and blaming the poor security guy (if we even have one!) when things go seriously south and some Romanian asshat has locked us out of our system and wants $6000.00 to free us from our own stupidity.
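As an added example (not part of the original post or of the US-CERT alert), here is a small Python check in the spirit of the macro recommendation above: it parses an inbound message and flags Office attachments that embed a VBA project, even when the file has been renamed to a macro-free extension such as .docx. The message, the zip containers and the file names are constructed for the demo and are not real samples.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Legacy binary Office formats can carry VBA without a zip container; this demo
# cannot inspect those, so they are flagged for review rather than cleared.
LEGACY_OFFICE_EXT = (".doc", ".xls", ".ppt", ".dot", ".xlt")


def ooxml_has_vba(data: bytes) -> bool:
    """True if an Office Open XML (zip) file embeds a VBA project, whatever its extension."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def find_macro_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment that carries or may carry macros."""
    flagged = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name or part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if ooxml_has_vba(payload):
            flagged.append((name, "embedded vbaProject.bin"))
        elif name.lower().endswith(LEGACY_OFFICE_EXT):
            flagged.append((name, "legacy binary Office format, inspect manually"))
    return flagged


def make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed mail: a macro file renamed to .docx, a clean .docx, and a legacy .doc."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.invalid", "user@example.invalid", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(make_ooxml(True), maintype="application", subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(make_ooxml(False), maintype="application", subtype="octet-stream", filename="notes.docx")
    msg.add_attachment(b"\xd0\xcf\x11\xe0constructed", maintype="application", subtype="msword", filename="old.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_macro_attachments(build_sample_message()):
        print(f"FLAG {name}: {reason}")
```

A real mail gateway would quarantine or strip the flagged parts rather than print them; the point here is that the decision rests on the container's contents, not on the file extension the sender chose.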
