In my business, I spend a lot of time reading about the latest Cyber Security attacks or breaches. I love the details of the stories, I love to hear how the breach is handled but mostly, I love to read about the terror that the stories try to instill in the reader.
Prior to starting Blackbird Cyber Security in early 2018, I ran a successful MSP (Managed Service Provider) just outside of Louisville Kentucky for 13 years. Malware and Ransomware was a selling point for us, but it was never an issue. I had an engineer on staff who, from the first day we talked about security, pushed me to implement proactive standards to ensure that we never had to deal with Ransomware. and in 13 years, we had to only 1 time (more on this later). I'd like to share the top 5 things we did for every client without question, and the things you can do to ensure that ransomware is not a problem, and worse case, if it somehow slips by, you can recover almost immediately.
1. Backup. Every company I've ever met believes they are "backed up". They have external HDD, or a Cloud backup through a reputable vendor and of course it was setup by an expert. Some even take it a step further and say, "we know our backup works because Sally deleted an Excel spreadsheet and we were able to restore it."
Backup is the simplest way to protect from a Ransomware attack. Who cares if your files are encrypted. Delete the encrypted ones, restore from backup and move on. Just do me a favor, PLEASE make sure your backup policy is effective. It's not hard to do. Don't just backup excel and word files, or run a backup of your accounting software database. Your need a backup plan, on paper and on purpose. You need to identify critical files vs. "throw away" data, and make sure that multiple versions of all files are kept in more than one location.
The other thing most companies miss with backup - they backup one time per night. Think about how vulnerable that makes your company? How much money would you lose closing the doors for 24 hours - that's essentially what you are doing with a nightly backup. Critical files should be backed up VERY frequently - at least hourly. non-critical at least daily.
Also - backup your SYSTEMS. Any good backup system can backup system state, OS, configurations and anything else you need to restore a server or PC very quickly.
What's more, your backup policy is NOTHING without frequent tests. This isn't a matter of recovering a file that Sally deleted by mistake, It's testing what you would do should your entire environment be infected by a Ransomware attack. I guarantee you'll find something you missed - email archives, CRM database, even your personal Favorites links. Tests should be performed AT LEAST quarterly and include a recovery and test of all critical data. Tests should be documented and a report should be presented to Management detailing what went right, and what went wrong - as well as your plan (with timelines) on ensuring the next test goes right. Also, what goes wrong during the test should not wait until your next test to fix, fix it immediately and retest. You will thank me for it.
2. User Security is Critical. To many companies strip out user security just to make things "easier" on employees. No employee should have full access to data, servers or systems. NO ONE.
Take the time to setup user accounts to allow for only the access they absolutely need. If your receptionist works in one file or system, he or she should only have access to that file or system. This should be the rule for each and every employee.
Shared drives by access levels should also be implemented. I can't count the number of companies I've worked with who have a single shared drive that all employees access (with full access no doubt). I understand the business need, and I'm not saying you can't have a single shared drive, I'm saying that shared drive should be locked down so that only specific users have access to specific files and folders. The receptionist should not have access to the HR folder on the shared drive. What's more, with newer versions of Windows Server, you can lock it down further where users can read, but not right. Get the help of a security-minded IT Provider to make sure that your shared information is setup correctly and securely so that if your receptionist clicks a link and somehow ransomware gets in your network, it can't spread and make things worse. Would you rather have a single PC and single folder infected or your entire environment?
The biggest thing companies miss with User security is allowing users to install software or make system changes. Again - I understand the business case for this. Stay with me here, If your users can't install software or make system changes, then your users can't get spyware, malware or ransomware. Period. Only trained and documented Administrators should be able to install software or make system changes. This one step saved my MSP countless hours, not only security protection procedures, but in keeping systems running optimally. If we ever meet or you argue this isn't doable, ask my about the "Coupon Printer" debacle and I'll change your mind in seconds.
Lastly, Administrative accounts should be locked tighter than a drum. Default Admin accounts should immediately be disabled and new accounts with the most secure passwords (one that can't be readily remembered) should be created. No one should use those accounts unless the need is documented and approved by IT management.
3. Endpoint Protection (Antivirus / Antimalware Software) that is centrally controlled. I mentioned that in 13 years we had 1 breach. Endpoint protection was the reason. Not bad protection, not inferior protection, but Endpoint protection that was not centrally managed. Centrally managed means that the PC user cannot control the software and more importantly disable the software. Endpoint Protection can be annoying. It's slows down your computer while you are trying to get going in the morning, it keeps us from downloading the pictures of our kids at their soccer game or it keeps us from accessing a website that we just HAVE to access! But without it, we are leaving the door to our business unlocked and inviting hackers for a paid lunch.
No user, regardless of their level in the company should be able to make changes to the endpoint security software. This was nonnegotiable with our clients - especially after the breach.
See, we had top of the line endpoint protection that we loaded, configured and managed for each of our clients. One day, while I was at a conference in Las Vegas, my phone started going crazy with calls and text messages from a Client who was infected with Cryptolocker. My engineers were already on it and in the process of cleaning and restoring data, but the owner of the Company wanted answers. He wanted to know what happened, and why we didn't protect their data. After missing the remainder of the day at the conference and digging through logs, I figured out exactly why. The owner was traveling and was trying to access a website for a local restaurant in Puerto Rico. All he wanted was the menu so he could see if that's where he wanted to go for dinner. Our endpoint software wouldn't let that happen. The software told him why, that the site wasn't safe, but he just had to know, so what did he do? Yes, he disabled his Endpoint Security software and accessed the site. You know what happened next, his PC was infected, he was connected to the shared drive (which he demanded full access to) and it got infected, this included his Accounting software, ERP Software, CRM software, etc). All of this could have been avoided if we removed his ability to disable the software. Everything worked the way it was supposed to, but if you turn something off, it can't do it's job.
4. Stop it before it happens with a Business-class, Next Generation firewall.
I mentioned in my post about firewalls that a NextGen firewall is critical and detailed why, so I don't need to repeat myself here. If you have a NexGen firewall that is completely configured with Content Filtering, Geo-IP Blocking, AV / AM protection, Deep Packet Inspection and Sandboxing, you will increase your level of protection from Malware exponentially. Threats will be blocked before they can get in, files will be scanned before they are allowed to be downloaded and websites that aren't safe won't be accessible. Yes, it may slow down an employee by a minute or two from being able to listen to spotify, but it will protect your company and your critical data.
5. Update, Update, Update. It's so simple, it's so annoying, but it's SO Important. Make sure that everything is updated frequently. Security updates, patches, firmware, software releases, everything should be reviewed, tested and installed as soon as possible.
I say it's annoying because we all know that feeling, when we are trying to get out the office door at 5:05pm on a Friday and we hit "Shutdown" on our PC and updates start installing. There is nothing worse that sitting there another 10 minutes while your PC updates and finally shuts down. Here's the problem, you are waiting until it's absolutely critical for updates to be installed before you install them. You have to change your mentality.
Systematic updates should be done DAILY for OS, Security, Application and Endpoint security. Endpoint security definitions should be updated at least twice per day if available. Equipment updates (firmware and OS) should be installed as soon as it's available (schedule checking with your vendor) and software versions should be kept updated if at all possible. This means, if you are still using Office 2010 or 2013, then you need to upgrade to 2016. If you are using QuickBooks, as hard as it is, you need to upgrade to the newest version yearly (or just move to their cloud version and forget buying every year). Software versions are by definition critical to ensuring that emerging threats are covered. Old version of Citrix? Sure, why not just send hackers an invitation to steal your data. Old version of Windows? Yeah why not give a hacker years to write to a vulnerability that will never be patched?
The argument I always hear is that it takes time. Of course it does. To put it bluntly, getting fat is easy too. Going to the Doctor, working out, eating right - it takes time, but are you telling me that's not worth the time? Take the time, implement a patching tool to mitigate the time needed, systematize the checks and installation of updates, if you do it right, you can get it to an hour a month, so why not spend 1 hour per month (even if your billable rate is $400 / hour) to save yourself weeks of headaches and potential loss of reputation should a breach occur.
Folks, security isn't as complex as you think. You can protect yourself. You can make it so hackers, should they breach your defenses don't get anything. You, yourself have to be responsible for ensuring your are protected and it's not hard. Start with the 5 items above, implement them and then move forward. Implement higher levels of access, training programs and IDS systems, but with the above 5, your small or medium size businesses has a great start and you can get a few hours of sleep knowing should a breach occur, you'll be back up and running in no time.