The explosion of ransomware in the past year has many infosec professionals worried because of the devastation it can wreak on an organization that doesn’t have a backup and recovery strategy.
The just-published Cisco Systems Annual Security Report noted that ransomware has two main advantages to criminals: It is a low-maintenance operation, and it offers a quick path to monetization because the victims have to pay in cryptocurrencies.
With that in mind, security researcher David Balaban has published a list of 22 ways users (and CISOs) can protect their organizations against this scourge. While the number one strategy is obvious — have a well-thought out and practiced backup and recovery plan — there are a number of other recommendations security teams should keep in mind.
Arguably number two on the list is is the importance of training staff to be security aware and not click on every attachment. If the infrastructure team hasn’t done so already, it’s vital to configure the webmail server to block attachments with extensions like .exe, .vbs or .scr.
The list also struck me as particularly appropriate for readers who work at small businesses, where the IT department may be only one person.
For example, few may think of disabling vssaexe, used by Windows to administer Volume Shadow Copy Service. Although its purpose is to restore previous versions of arbitrary files ransomware uses VSS to obliterate shadow volume snapshots. Turned off, it protects the device. Turned on after an attack it can be used to restore files.
IT should also consider disabling PowerShell, a task automation framework for administrators, says Balaban. As I wrote last week in a story on protecting Active Directory, PowerShell is also a vehicle for exploit kits.
However, in an email to me this morning AD expert Sean Metcalf disagreed. “There are better ways to get real security instead of feeling like ‘you did something,”” he wrote. “First off, you can’t really “disable PowerShell” since PowerShell is more than just PowerShell.exe. It is simple to recommend doing this, but it doesn’t stop attacks. The best way to deal with the fact that attackers are using legitimate tools such as PowerShell, is to get users on a more secure OS like Windows 10 which has enhanced security features which mitigates many types off attack methods, including PowerShell (PowerShell version 5 has many of these security enhancements as well which can be installed on older operating systems).
“My message regarding PowerShell is “Don’t block PowerShell, embrace it.” Granted this message is geared more to the enterprise, than SOHO or consumer, but in general, it’s better to log PowerShell usage and gain better insight into what’s going on in the network than blocking it and having attackers shift tactics to another successful method and be blind.”