
Ransomware protection -- what you may be missing

Robert C. Covington | July 26, 2016
Unless you have been living on a remote island with no internet access, you are no doubt familiar with ransomware.

Test your backups

A good backup can be your ticket to recovery from a ransomware attack without having to write a big check. The problem, however, is that an untested backup may turn out to be useless when it is really needed. It is possible to go for months without realizing that your backup process is failing.

The only way to make sure your backups are ready when you need them is to test them. This involves restoring some percentage of your files from backup on a periodic basis and confirming that the restored files are usable and correct. While testing is a critical aspect of the backup process, it is often overlooked, even by large companies.

Use intrusion prevention

Intrusion Prevention Systems (IPS), which monitor network traffic looking for attempts to exploit vulnerabilities, can be a valuable weapon in the fight against ransomware. It often takes weeks or months for a vendor to release a patch once a new vulnerability is discovered. Even more time can elapse before the patch gets applied to all systems within an organization.

An IPS, which normally sits at the network perimeter (and increasingly, on the internal network as well), can offset some of the danger of unpatched workstations by detecting and filtering out attempts to exploit such vulnerabilities.

IPS technology can be part of a firewall, as with the Dell SonicWall products, or a standalone device such as Trend Micro TippingPoint. IPS is quickly becoming a must-have technology for any business or organization.

Block attachments

Despite the improvements in ransomware technology, in most cases, these programs still depend on a user opening an attachment to an email they receive. As such, user training occupies a key spot on most ransomware prevention checklists, and one I strongly support.

The problem, however, is that even the best-trained users can slip up. Companies that use phishing testing/training products such as PhishMe typically find some percentage of users who fail the test, meaning that some will likely fall for a real phishing message as well. One surprisingly overlooked approach to ransomware is to block all but essential attachment types at the email server.

A good example of the need for attachment blocking is the recently discovered RAA ransomware variant, which is implemented entirely in JavaScript. It is usually spread using a .JS attachment to an email, which can be disguised as a Microsoft Office document. Very few companies really have a need to send or receive .JS attachments, but few attempt to block them, or other file types commonly used as attack vectors.
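As an added illustration (not code from the article or from any mail product), here is the attachment gate described above as a Python mail-filter check: it rejects attachments whose final extension is on a block list, catches document-looking double extensions such as Invoice.docx.js, and goes beyond the text by also looking inside .zip attachments. The block list, the sample message and its filenames are constructed assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed block list: file types few businesses need by mail; tune it locally.
BLOCKED_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta",
                      "exe", "scr", "pif", "cmd", "bat", "ps1"}

def final_extension(filename: str) -> str:
    """Last extension, lower-cased ('' if none): 'Invoice.docx.js' -> 'js'."""
    name = filename.strip().lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def risky_names(filename: str, data: bytes) -> list[str]:
    """Blocked names: the attachment itself, or members of a zip archive."""
    ext = final_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return [filename]
    if ext != "zip":
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [f"{filename}:{m}" for m in zf.namelist()
                    if final_extension(m) in BLOCKED_EXTENSIONS]
    except zipfile.BadZipFile:
        return [f"{filename} (unreadable zip)"]  # fail closed on junk archives

def blocked_attachments(raw_message: bytes) -> list[str]:
    """Parse a raw RFC 822 message and list the attachments to reject."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            flagged.extend(risky_names(name, part.get_payload(decode=True) or b""))
    return flagged

def build_sample() -> bytes:
    """Constructed message: harmless PDF, a .js posing as a document, a zip hiding one."""
    msg = EmailMessage()
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="Invoice.pdf")
    msg.add_attachment(b"// constructed placeholder, not a script", maintype="application",
                       subtype="octet-stream", filename="Invoice.docx.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Scan.pdf.js", "// constructed placeholder")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Scan.zip")
    return bytes(msg)
```

Running `blocked_attachments(build_sample())` flags the disguised .js file and the script inside the archive while leaving the PDF alone; the same function can be wired into a mail gateway's content filter hook.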

Use behavioral analysis

Most anti-virus programs can only block malware that has been seen before. The challenge is that hundreds of thousands of new malware variants are seen every day, according to AV-TEST. An alternative approach is to monitor system resources on a workstation, looking for behaviors common to most malware programs. Since certain behaviors are common to ransomware programs, they can often be spotted and filtered even though the particular variant has not been seen before. While this approach is still in its infancy, it is growing rapidly, with products such as the Barkley agent.
