The Institute for Security and Technology (IST) recently released a “Blueprint for Ransomware Defense.” The guide recommends defensive actions that small- and medium-sized businesses (SMBs) can take to protect against and respond to ransomware and other common cyberattacks. It is organized around the identify, protect, respond, and recover functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. One NIST function is deliberately left out: detect. The authors recommend that SMBs work with a cybersecurity services provider for that function.
The recommendations are built around 40 safeguards: 14 foundational and 26 actionable.
Safeguards to identify what’s on your network
IST recommends the following foundational safeguards to help identify what on your network needs protecting:
- Establish and maintain a detailed enterprise asset inventory.
- Establish and maintain a software inventory.
- Establish and maintain a data management process.
- Establish and maintain an inventory of accounts.
SMBs may need more guidance to understand the risk that comes with their computers and software. Many keep older hardware and software in service because a critical line-of-business application depends on it. It’s not enough to inventory your assets; you also need to evaluate the risk you carry by continuing to run assets and software that are no longer supported.
The actionable safeguard is to ensure that authorized software is supported.
Safeguards to protect network infrastructure
The next recommendations cover how to protect those assets:
- Establish and maintain a secure configuration process.
- Establish and maintain a secure configuration process for network infrastructure.
- Establish an access granting process.
- Establish an access revoking process.
- Establish and maintain a vulnerability management process.
- Establish and maintain a remediation process.
- Establish and maintain a security awareness program.
Workstations in SMBs often use weak passwords or lack proper protection for both local and remote access. Attackers frequently get in through exposed remote desktop access or by cracking a local administrator password that is identical on every machine, so one compromised workstation unlocks the whole network. Worse yet, users are often granted far more access than they need: in many SMBs ordinary user accounts are set up with domain administrator rights. Review how you have deployed passwords, separate day-to-day accounts from administrative ones, and, whether you run a traditional domain and workstation setup or cloud and web applications, review your options for multi-factor authentication (MFA).
Next, review how you manage and patch your computing resources. It’s not enough to rely on Windows Update: it does not cover third-party applications, browsers from other vendors, or firewalls, switches and other network devices. Review your options for inventorying, testing and deploying updates across all of them.
Training your employees to not click is one of the best things you can do to protect your network. No matter what protections you put in place, the best defense is an educated end user that doesn’t click and asks if the item is legitimate. Even if you don’t have a formal phishing training program, make sure users are aware of the normal scams and attacks.
As the whitepaper notes:
“While ransomware has a variety of initial infection vectors, three vectors constitute the bulk of intrusion attempts: use of the Remote Desktop Protocol (RDP) – a protocol used to remotely manage Windows devices, phishing (typically malicious emails that appear to come from reputable sources but aim to steal credentials or sensitive information), and exploitation of software vulnerabilities. Hardening assets, software, and network devices defends against these top attack vectors and closes security gaps that may linger from insecure default configurations. Failure to disable/remove default accounts, change default passwords, and/or alter other vulnerable settings increases the risk of exploitation by an adversary. Safeguards in this section call for SMEs to implement and manage a firewall on servers and manage default accounts on enterprise networks and systems.”
The recommended actionable safeguards are:
- Manage default accounts on enterprise assets and software.
- Use unique passwords.
- Disable dormant accounts.
- Restrict administrator privileges to dedicated administrator accounts.
- Require MFA for externally exposed applications.
- Require MFA for remote network access.
- Require MFA for administrative access.
- Perform automated operating system patch management.
- Perform automated application patch management.
- Use only fully supported browsers and email clients.
- Use DNS filtering services.
- Ensure network infrastructure is up to date.
- Deploy and maintain anti-malware software.
- Configure automatic anti-malware signature updates.
- Disable autorun and autoplay for removable media.
- Train workforce members to recognize social engineering attacks.
- Train workforce members on recognizing and reporting security incidents.
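Several of the account safeguards above (manage default accounts, use unique passwords, disable dormant accounts, keep admin rights on dedicated accounts) can be checked from an export of local accounts without ever handling a plaintext password: if two hosts’ local administrator accounts carry the same credential fingerprint, they share a password. The following is an added example, not code from the article or the IST blueprint. It assumes a per-host export with the fields shown; the hostnames, account names, dates and `pw_hash` values are all constructed, and the 45-day dormancy threshold is a hypothetical policy value.

```python
"""Account-hygiene audit over a constructed local-account export.

Added example (not from the IST blueprint or the article). Each row is one
local account on one host. 'pw_hash' stands in for whatever credential
fingerprint your export tool provides; here it is a made-up hex string.
Equal fingerprints on different hosts mean the same password is in use.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data: hosts, accounts, dates and hashes are invented.
SAMPLE_EXPORT = [
    {"host": "WS01", "account": "Administrator", "enabled": True, "admin": True,
     "last_logon": "2022-08-01", "pw_hash": "aa11"},
    {"host": "WS02", "account": "Administrator", "enabled": True, "admin": True,
     "last_logon": "2022-07-30", "pw_hash": "aa11"},   # same hash as WS01
    {"host": "WS03", "account": "Administrator", "enabled": False, "admin": True,
     "last_logon": "2021-01-05", "pw_hash": "bb22"},   # disabled: good
    {"host": "WS01", "account": "Guest", "enabled": True, "admin": False,
     "last_logon": None, "pw_hash": None},             # default, never used
    {"host": "WS02", "account": "jsmith", "enabled": True, "admin": True,
     "last_logon": "2022-02-14", "pw_hash": "cc33"},   # admin, not used in months
    {"host": "WS03", "account": "scanner", "enabled": True, "admin": False,
     "last_logon": "2022-08-02", "pw_hash": "dd44"},
]

# Built-in Windows accounts that should be disabled or renamed.
DEFAULT_ACCOUNTS = {"Administrator", "Guest", "DefaultAccount"}
DORMANT_DAYS = 45                      # hypothetical threshold; set per policy
AUDIT_DATE = datetime(2022, 8, 3)      # fixed so the sample is reproducible


def audit(rows, today):
    """Return sorted (finding, where) tuples for the three account checks."""
    findings = []
    admin_hash_hosts = defaultdict(set)   # pw_hash -> hosts where an enabled admin uses it
    for r in rows:
        where = f"{r['host']}\\{r['account']}"
        if r["account"] in DEFAULT_ACCOUNTS and r["enabled"]:
            findings.append(("default-account-enabled", where))
        if r["enabled"]:
            if r["last_logon"] is None:
                findings.append(("dormant-account", where))   # enabled but never used
            else:
                age_days = (today - datetime.fromisoformat(r["last_logon"])).days
                if age_days > DORMANT_DAYS:
                    findings.append(("dormant-account", where))
        if r["enabled"] and r["admin"] and r["pw_hash"]:
            admin_hash_hosts[r["pw_hash"]].add(r["host"])
    # One cracked local admin hash opens every host that shares it.
    for hosts in admin_hash_hosts.values():
        if len(hosts) > 1:
            findings.append(("shared-admin-password", ",".join(sorted(hosts))))
    return sorted(findings)


def run_sample():
    return audit(SAMPLE_EXPORT, AUDIT_DATE)


if __name__ == "__main__":
    for finding, where in run_sample():
        print(f"{finding:25} {where}")
```

On the sample data the audit flags both enabled built-in Administrator accounts and the Guest account, the never-used Guest account and the long-idle admin account jsmith as dormant, and WS01 and WS02 as sharing one local administrator password. The last finding is the one a manual review most easily misses, and it is exactly what lets an attacker who cracks one workstation move to the next.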
Safeguards for incident response
SMBs too often overlook the next set of recommendations regarding incident response:
- Establish and maintain an enterprise process for reporting incidents.
- Establish and maintain an audit log management process.
Firms often want their systems back to functional levels as soon as possible after a security event, so it’s uncertain whether many SMBs will actually follow a process to report incidents. I also doubt that the typical SMB has the storage or the staff to truly run a log management process. My recommendation would be to investigate a cloud service that collects logs and alerts you to unusual events on the network. Logging alone is not enough if you don’t understand what the logs are trying to tell you: a single failed logon is noise, but dozens of failures from one address followed by a successful remote desktop logon is an intrusion in progress. A service that correlates these events and alerts you to potential problems is preferable to raw log storage.
Actionable safeguards for incident response are:
- Designate personnel to manage incident handling.
- Establish and maintain contact information for reporting security incidents.
- Collect audit logs.
- Ensure adequate audit log storage.
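To make concrete what “correlate these events” means, here is an added example (not code from the article or the IST blueprint) that runs detection logic over a handful of constructed Windows Security events. It uses the standard event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. Remote Desktop); the log lines themselves are invented and use a simplified pipe-separated layout, so a real export (EVTX, CSV, a SIEM feed) would need its own parser. The failure threshold and time window are hypothetical policy values.

```python
"""Correlate failed logons (4625) with a following Remote Desktop logon (4624,
logon type 10) from the same source address.

Added example, not from the article or the IST blueprint. Log lines are
constructed; the layout is timestamp|event id|account|source ip|logon type.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a short guessing run from 203.0.113.7 that ends in a
# successful RDP logon, plus normal interactive and service logons as noise.
SAMPLE_LOG = """\
2022-08-02T01:00:02|4625|administrator|203.0.113.7|3
2022-08-02T01:00:03|4625|admin|203.0.113.7|3
2022-08-02T01:00:05|4625|backup|203.0.113.7|3
2022-08-02T01:00:06|4625|jsmith|203.0.113.7|3
2022-08-02T01:00:08|4625|jsmith|203.0.113.7|3
2022-08-02T01:00:09|4624|jsmith|203.0.113.7|10
2022-08-02T08:15:00|4625|mjones|192.168.10.22|2
2022-08-02T08:15:10|4624|mjones|192.168.10.22|2
2022-08-02T09:00:00|4624|svc_backup|192.168.10.5|3
"""

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624   # Windows Security event IDs
RDP_LOGON_TYPE = 10                            # RemoteInteractive
THRESHOLD = 5                                  # hypothetical: failures before we care
WINDOW = timedelta(minutes=10)                 # hypothetical: how far back to look


def parse(line):
    ts, event_id, account, ip, logon_type = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event": int(event_id),
            "account": account, "ip": ip, "logon_type": int(logon_type)}


def correlate(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose recent failures end in an RDP logon."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures in window
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        e = parse(raw)
        q = recent_failures[e["ip"]]
        while q and e["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if e["event"] == FAILED_LOGON:
            q.append(e["ts"])
        elif (e["event"] == SUCCESSFUL_LOGON and e["logon_type"] == RDP_LOGON_TYPE
              and len(q) >= threshold):
            alerts.append({
                "ip": e["ip"],
                "account": e["account"],
                "failed_attempts": len(q),
                "first_failure": q[0].isoformat(),
                "logon_at": e["ts"].isoformat(),
            })
            q.clear()   # one alert per run; don't re-alert on the same failures
    return alerts


def run_sample(threshold=THRESHOLD):
    return correlate(SAMPLE_LOG.splitlines(), threshold=threshold)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['ip']}: {a['failed_attempts']} failures, then RDP logon as "
              f"{a['account']} at {a['logon_at']}")
```

The successful logon by mjones after one typo and the service logon produce nothing; only the 203.0.113.7 sequence does. Counting 4625 events alone would also have surfaced the address, but the alert that matters is the 4624 that follows, because that is the moment the attacker is inside and the clock on ransomware deployment starts.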
Safeguards for recovery after a cyberattack
Ransomware can be overcome with a very boring process: a backup that you have actually restored from. The foundational safeguard the framework recommends is to establish and maintain a data recovery process. The actionable recovery safeguards are:
- Perform automated backups.
- Protect recovery data.
- Establish and maintain an isolated instance of recovery data.
SMBs might not have thought through or tested their recovery processes. Backups might not restore as expected, or, in the case of ransomware, might never have been tested under the assumption that the entire network will have to be rebuilt from scratch, and that any backup the attacker could reach may itself have been encrypted or deleted.
The blueprint document includes a link to recommended tools and resources. The tools listing can be daunting to any firm that does not have IT experience, so I’d also recommend using the toolkit to review the tools used by your consultants. Discuss what processes they use and see if they have comparable resources.
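A restore drill does not need to be elaborate to be useful: record a hash of every file when the backup is taken, keep the manifest with the isolated copy, and verify a restored tree against it. Here is an added example (not code from the article or the IST blueprint) that does exactly that on a throwaway directory tree it builds itself, including a deliberately damaged restore with one file overwritten with random bytes, one file missing and one stray ransom-note file. The manifest is protected with an HMAC; `MANIFEST_KEY` is a placeholder standing in for a secret stored outside the backup share, so an attacker who rewrites the backup cannot also forge a manifest that still validates.

```python
"""Restore drill: hash every file at backup time, seal the manifest with an
HMAC, and verify a restored copy against it.

Added example, not from the article or the IST blueprint. The source tree is
constructed in a temp dir; MANIFEST_KEY is a placeholder, not a real secret.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_KEY = b"demo-key-kept-offline"   # placeholder: keep the real key off the backup share


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's relative path (forward slashes) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(manifest, key=MANIFEST_KEY):
    """Serialize the manifest and return (bytes, hmac_tag)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def open_sealed(body, tag, key=MANIFEST_KEY):
    """Reject a manifest whose tag does not match before trusting its hashes."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("manifest tampered or wrong key")
    return json.loads(body)


def verify_restore(manifest, restored_root):
    """Return sorted (problem, relative path) tuples; empty means a clean restore."""
    actual = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(("missing", rel))
        elif actual[rel] != digest:
            problems.append(("changed", rel))
    for rel in actual:
        if rel not in manifest:
            problems.append(("unexpected", rel))
    return sorted(problems)


def tamper_detected():
    """True if a one-byte change to the sealed manifest is rejected."""
    body, tag = seal({"a.txt": "00"})
    try:
        open_sealed(body + b" ", tag)
    except ValueError:
        return True
    return False


def drill():
    """Build a constructed source tree, restore it twice, damage one copy, verify both."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed
        (src / "readme.txt").write_text("constructed sample data\n")
        body, tag = seal(build_manifest(src))          # taken at backup time

        good = tmp / "restore_good"
        shutil.copytree(src, good)
        bad = tmp / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "finance" / "ledger.csv").write_bytes(os.urandom(64))   # "encrypted"
        (bad / "readme.txt").unlink()                                   # deleted
        (bad / "ledger.csv.locked").write_text("pay us\n")              # ransom note

        manifest = open_sealed(body, tag)              # checked at restore time
        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    clean, damaged = drill()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

The clean restore verifies with no findings; the damaged one reports the overwritten ledger as changed, the deleted readme as missing and the ransom note as unexpected. Run a drill like this on a schedule, from the isolated copy, and treat any finding as a backup failure to fix before you need it.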
Copyright © 2022 IDG Communications, Inc.