As we discussed in the previous post, ransomware is inevitable: this war exists and everyone must be prepared for such an attack. The good news is that if you prepare ahead with a security and data recovery strategy, there will be options for survival when it comes time to respond. Here are the 5 best practices against ransomware for building an infrastructure with greater resilience and faster recovery of critical data.
The 5 best practices against ransomware
NIST (the National Institute of Standards and Technology) has created the Cybersecurity Framework (CSF), which organizes the 5 best practices against ransomware into functions. It is a standard that can be useful for any company, whether it is just starting to execute a cybersecurity strategy or already has a mature program.
IDENTIFY
This practice lays the foundation for the cybersecurity actions that will be carried out. Determining what environments exist, what their risks are and how those risks affect business objectives is the basis of the success of this framework. You have to know the enemy by thinking like them: think about what their objectives are and how they plan to achieve them. For this it is necessary to have a view of what we have and where we have it, and to identify and qualify the value of each resource.
Best practices for the identification function include:
- Human firewall: all employees must be aware of these attacks and their vectors, identify them in time and report anything suspicious.
- Updated and available continuity plan: it is essential to ensure that the continuity plan is stored separately, is immutable, is available 24/7/365 and is reviewed and renewed periodically.
- Label assets: identifying the assets most critical to the organization and protecting them securely and effectively is vital to a successful plan.
PROTECT
This function supports the development and application of measures that ensure the delivery of services by critical infrastructure in the event of an attack, and that limit and contain its impact.
Best practices for the protect function include:
- Cybersecurity staff training: this is one of the most effective ways to raise the level of protection against ransomware attacks. Training must be continuous and kept up to date.
- Implement the 3-2-1 data protection rule: this standard data protection rule says that at least three copies of each important piece of data must be kept, with two backups stored on two different types of media and one of them replicated off-premises.
- Protect by design: adding security to an existing infrastructure is much more difficult and expensive; a virtual infrastructure is a good way to build a secure environment from the beginning. Address the known attack vectors and only open access when components are added that need specific openings or additional software to function properly. This way all builds are consistent and kept up to date, creating a secure baseline.
These are just a few, as there are many more.
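The 3-2-1 rule above is easy to state but easy to violate silently, for instance when two "different" copies both live on the same disk array. The following added example (not code from the original post) checks a backup inventory against the rule per data set. The `BackupCopy` model, the data set names and the inventory are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of a data set (constructed model, not from the post)."""
    dataset: str
    media: str        # e.g. "disk", "tape", "object-storage"
    location: str     # constructed site label
    offsite: bool     # True when the copy lives away from the primary site
    immutable: bool = False


def check_321(copies, dataset):
    """Evaluate the 3-2-1 rule for one data set.

    Returns a dict with one boolean per requirement plus an overall verdict:
      copies      -> at least three copies exist
      two_media   -> the copies span at least two media types
      one_offsite -> at least one copy is stored off-premises
    """
    mine = [c for c in copies if c.dataset == dataset]
    media_types = {c.media for c in mine}
    result = {
        "copies": len(mine) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite": any(c.offsite for c in mine),
    }
    result["compliant"] = all(result.values())
    return result


def report(copies):
    """Run check_321 over every data set present in the inventory."""
    datasets = sorted({c.dataset for c in copies})
    return {d: check_321(copies, d) for d in datasets}


# Constructed inventory: the production copy counts as copy number one.
SAMPLE_INVENTORY = [
    BackupCopy("finance-db", "disk", "hq-san", offsite=False),
    BackupCopy("finance-db", "disk", "hq-nas", offsite=False),
    BackupCopy("finance-db", "object-storage", "cloud-region-a", offsite=True, immutable=True),
    BackupCopy("file-share", "disk", "hq-san", offsite=False),
    BackupCopy("file-share", "disk", "hq-nas", offsite=False),
]


if __name__ == "__main__":
    for name, verdict in report(SAMPLE_INVENTORY).items():
        status = "OK " if verdict["compliant"] else "GAP"
        print(f"{status} {name}: {verdict}")
```

In the sample inventory `finance-db` passes all three checks while `file-share` fails every one of them: two copies, a single media type and nothing off-site, which is exactly the configuration ransomware that reaches the primary site can destroy in one pass.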
DETECT
This function makes it possible to detect an attack quickly and effectively, which in turn makes it possible to mitigate its repercussions. The question that needs to be asked is: what mechanisms are appropriate to implement to ensure rapid identification and detection of cybersecurity incidents?
To know when an environment is attacked or compromised, it’s critical to understand the end-to-end data flow of your information. Know how to differentiate what is normal behavior and what is not. That’s why it’s important to monitor your infrastructure for suspicious activity.
Best practices for the detection function include:
- Detection systems: having intrusion detection systems can alert us to suspicious behavior and anticipate malware or ransomware attacks. One of the biggest risks of these attacks is their spread, so having visibility is key.
- Tripwires: this means placing virtual tripwires, such as an unused administrator account with alarms linked to it. The moment any activity is observed on that account, the alarm goes off.
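The tripwire idea above only works if something is actually watching the decoy account. The following added example (not code from the original post) shows the detection side: it parses authentication log lines and raises an alert on any event that touches a decoy account, whether the account is the actor or the target. The log format, the decoy account names and the sample lines are all constructed for illustration.

```python
import re

# Constructed decoy account names: accounts that exist but are never used legitimately.
DECOY_ACCOUNTS = {"admin-legacy", "svc_backup_old"}

# Constructed log format: "<timestamp> key=value key=value ...", values may be quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one constructed log line into a dict of fields plus its timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = ts
    return fields


def detect_tripwire_hits(lines, decoys=DECOY_ACCOUNTS):
    """Return one alert per log line that involves a decoy account.

    Both the acting user (user=) and the acted-upon account (target=) are
    checked, so a password reset of the decoy by another account also fires.
    A successful logon is rated critical; anything else is rated high.
    """
    decoys_lc = {d.lower() for d in decoys}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        touched = {ev.get("user", ""), ev.get("target", "")}
        hit = next((a for a in touched if a.lower() in decoys_lc), None)
        if hit is None:
            continue
        success_logon = ev.get("event") == "logon" and ev.get("result") == "success"
        alerts.append({
            "ts": ev["ts"],
            "host": ev.get("host", "?"),
            "account": hit,
            "actor": ev.get("user", "?"),
            "src": ev.get("src", "?"),
            "event": ev.get("event", "?"),
            "severity": "critical" if success_logon else "high",
        })
    return alerts


# Constructed sample log: only lines 2, 3 and 4 should fire.
SAMPLE_LOG = [
    '2024-03-01T08:12:01Z host=fs01 event=logon user=jsmith src=10.0.1.15 result=success',
    '2024-03-01T08:13:40Z host=dc01 event=logon user=admin-legacy src=10.0.7.44 result=failure',
    '2024-03-01T08:13:52Z host=dc01 event=logon user=ADMIN-LEGACY src=10.0.7.44 result=success',
    '2024-03-01T08:15:03Z host=dc01 event=password_change user=jdoe target=svc_backup_old src=10.0.7.44',
    '2024-03-01T08:16:10Z host=fs01 event=file_access user=jsmith path="/share/q1 report.xlsx"',
]


if __name__ == "__main__":
    for a in detect_tripwire_hits(SAMPLE_LOG):
        print(f"[{a['severity'].upper()}] {a['ts']} {a['host']}: {a['event']} on decoy "
              f"{a['account']} by {a['actor']} from {a['src']}")
```

Because a decoy account has no legitimate use, every hit is actionable with no baseline tuning; in a real deployment the alert record above would be forwarded to the SIEM or paging system rather than printed.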
RESPOND
Response capabilities help users develop techniques to contain the impact of cybersecurity incidents, ensuring the development and implementation of appropriate measures to respond to detected incidents. “The question that needs to be asked is: how can I mitigate a cybersecurity incident and ensure that its impact is contained as quickly as possible?”
Best practices for the respond function include:
- Have a response plan: creating a defined response plan allows you to lay out the procedures to follow to detect, communicate, control and resolve any incident. This way employees will also know how to respond to such a situation.
- Stay calm: the key is to gather the right people to activate the incident response plan as soon as possible, and not to look for culprits, which wastes time and even leads to mistakes.