The Fundamental Steps Every IT Admin Must Take to Prevent Ransomware
For enterprises that have at least some part of their IT environment in the cloud, the key to protecting data starts with understanding the layers of the cloud stack and their corresponding security risks. Each layer has its own unique threat potential, and when IT teams understand how data transacts at each layer, they can take appropriate measures to safeguard against those threats. One of the most common is ransomware.
Ransomware isn’t necessarily complex. At its core it is just malicious code looking for access. Thwarting it requires understanding how to prevent it from penetrating access points. To be effective at this, it’s important to start by addressing each layer of the cloud environment and taking the appropriate measures to gird against unauthorized access.
The following steps provide a tactical path for ransomware prevention:
Protect Content Storage
Because content is so critical to business operations, you need to protect your precious resources to ensure your business is viable for years to come. If attackers are able to access your repositories they can potentially delete or expose data that is confidential and critical to running your business.
- Limit data access: Start by creating strict Identity and Access Management (IAM) policies and Access Control Lists so you can restrict permissions everywhere in your infrastructure that stores content. These policies allow you to allow or deny permissions by account, by user, or based on certain conditions like date, IP address, or whether the request was sent over SSL.
- Always encrypt: Make it a policy to encrypt data in transit and at rest. Make sure metadata is also encrypted, so it is harder to identify the types of data stored in different applications.
- Logging and versioning: Versioning enables preservation, retrieval, and restoration of data if something is stolen, contaminated, or lost. With versioning turned on, you can always restore from an older version of the data if a threat or application failure causes loss of data. Maintaining access logs provides an audit trail in case someone or something gets into your system.
- Implement no-delete rights: You can set up roles in your infrastructure that do not allow certain users to delete any data. You can also enable a feature that requires the six-digit code and serial number from your MFA token to delete any version of data stored in your storage layer. This means that attackers won’t be able to delete your data if they get access, unless they also have your MFA device.
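The storage controls in this section translate directly into policy conditions. The following is an added example, not code from the original post: it builds an S3-style bucket policy that refuses requests not sent over TLS, limits object reads to an allowed IP range, and denies any delete (including of an object version) unless MFA was used, then checks constructed request contexts against it with a simplified model of AWS policy evaluation (explicit Deny wins; only the operators used here are modelled). The bucket name and CIDR are placeholders.

```python
"""Added example, not from the original post: an S3-style bucket policy that
encodes the storage controls above (TLS-only requests, a source-IP allowlist,
and no deletes without MFA), plus a small model of how AWS evaluates it so the
effect on constructed requests can be checked offline.

Assumptions: the bucket name and CIDR are placeholders, and the evaluator is a
simplified model (explicit Deny wins; only the operators used here exist)."""
import ipaddress
import json

BUCKET = "example-content-bucket"   # constructed placeholder
OFFICE_CIDR = "203.0.113.0/24"      # constructed documentation range


def build_bucket_policy(bucket: str, office_cidr: str) -> dict:
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Encrypt in transit: refuse any request not sent over TLS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # Limit data access: object reads only from the office range
                "Sid": "DenyReadsOutsideOffice",
                "Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
                "Resource": f"{arn}/*",
                "Condition": {"NotIpAddress": {"aws:SourceIp": office_cidr}},
            },
            {   # No-delete rights: any delete, including of a version, needs MFA
                "Sid": "DenyDeleteWithoutMFA",
                "Effect": "Deny", "Principal": "*",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": f"{arn}/*",
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


def _action_matches(pattern: str, action: str) -> bool:
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Return True when every condition key matches the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in ctx
            if operator == "Bool":                 # a missing key never matches
                if not present or str(ctx[key]).lower() != expected:
                    return False
            elif operator == "BoolIfExists":       # a missing key counts as a match
                if present and str(ctx[key]).lower() != expected:
                    return False
            elif operator == "NotIpAddress":
                if not present or ipaddress.ip_address(ctx[key]) in ipaddress.ip_network(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled")
    return True


def is_allowed(policy: dict, action: str, ctx: dict) -> bool:
    """Simplified AWS logic: an explicit Deny whose condition holds always wins.
    Requests that are not denied are assumed to be covered by some Allow grant."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Deny"
                and any(_action_matches(a, action) for a in actions)
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            return False
    return True


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, OFFICE_CIDR)
    print(json.dumps(policy, indent=2))
    # Constructed request contexts: a compliant request and a delete without MFA
    good = {"aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.10",
            "aws:MultiFactorAuthPresent": "true"}
    no_mfa = {"aws:SecureTransport": "true", "aws:SourceIp": "203.0.113.10"}
    print("GetObject (compliant):", is_allowed(policy, "s3:GetObject", good))
    print("DeleteObjectVersion without MFA:", is_allowed(policy, "s3:DeleteObjectVersion", no_mfa))
```

The `BoolIfExists` operator matters: `aws:MultiFactorAuthPresent` is simply absent from requests signed with long-term access keys, and a plain `Bool` test on an absent key never matches, so the deny would silently not apply. The MFA-token feature the post describes for versioned storage is, on S3, the bucket-level "MFA Delete" setting, which is turned on together with versioning and must be configured with the root account's MFA device; the policy above complements it for ordinary IAM principals.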
Identity Management Policies
The most common way to gain access is to impersonate a legitimate user. What makes this particularly challenging is that these threats can be as common coming from inside your organization as from outside. Start by implementing these policies:
- Strong passwords: Establish policies that require complex passwords (at a minimum 12 characters with mixed-case letters and numbers).
- Require Multi-factor Authentication (MFA) everywhere: Having a strong password is no longer enough; even unsophisticated software can crack them. Using a second validation or authentication method provides another layer of protection around your user login and has proven to be one of the most effective ways of battening down the hatches of your content repositories.
- Establish least privilege roles: Give users access only to the minimum set of accounts and systems they need to be productive, and avoid being liberal with access authorizations for large groups. This limits the damage that can be done if a mistake is made or a bad actor gets access to the account.
- Disable dead accounts: It is critical to ensure that accounts are disabled for people who leave the company. This includes access to all databases, applications, and other repositories - ensure that all keys are rendered unusable, and eliminate the account. Dead accounts add entry points and are not monitored the same way live ones are.
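The four identity policies above are easy to state and easy to let drift. The following added example (not code from the original post) runs a simple audit over a constructed user export: it checks a password against the post's minimum complexity rule and flags users without MFA, users with broad group membership, departed users whose accounts are still enabled, and dormant accounts. The record layout, the 90-day dormancy threshold, and the two-group limit are assumptions to adapt to your own directory.

```python
"""Added example, not from the original post: audit a constructed user export
for the identity controls above (strong passwords, MFA everywhere, least
privilege, dead accounts). The record layout, the 90-day dormancy threshold
and the group-count limit are assumptions."""
from datetime import date, timedelta

# Constructed sample, loosely modelled on a cloud IAM user listing
TODAY = date(2024, 6, 1)        # fixed reference date so results are reproducible
USERS = [
    {"name": "alice",      "mfa": True,  "last_login": "2024-05-30", "groups": ["engineering"],       "employed": True},
    {"name": "bob",        "mfa": False, "last_login": "2024-05-28", "groups": ["engineering"],       "employed": True},
    {"name": "carol",      "mfa": True,  "last_login": "2024-01-03", "groups": ["finance", "admins"], "employed": True},
    {"name": "dave",       "mfa": True,  "last_login": "2023-11-20", "groups": ["admins"],            "employed": False},
    {"name": "svc-backup", "mfa": False, "last_login": None,
     "groups": ["admins", "engineering", "finance"], "employed": True},
]


def password_meets_policy(password: str, min_len: int = 12) -> bool:
    """The post's minimum: 12 characters with mixed case and digits."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def audit_users(users, today=TODAY, dormant_days=90, max_groups=2):
    """Return sorted (user, finding) pairs; an empty list means all controls hold."""
    findings = []
    for u in users:
        if not u["mfa"]:
            findings.append((u["name"], "mfa_not_enrolled"))
        if not u["employed"]:
            # Departed user still enabled: disable the account and revoke every key
            findings.append((u["name"], "departed_but_enabled"))
        if u["last_login"] is None:
            findings.append((u["name"], "never_logged_in"))
        elif today - date.fromisoformat(u["last_login"]) > timedelta(days=dormant_days):
            findings.append((u["name"], "dormant"))
        if len(u["groups"]) > max_groups:
            # Membership in many groups is a least-privilege review trigger
            findings.append((u["name"], "broad_access"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_users(USERS):
        print(f"{user:12} {finding}")
    print("policy ok:", password_meets_policy("Tr0ub4dor&3x"))
```

Running the audit on a schedule and diffing the output against the previous run turns the "disable dead accounts" policy into something observable: a departed user who reappears in the findings is the signal to act on.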
Secure the Compute Layer
Take steps to secure your compute layer to ensure availability of systems and data, and to keep bad actors from using your compute power to further spread malware across your business and the Internet.
- Harden the OS: Remove unnecessary programs that only serve to broaden your attack surface. Stay up-to-date on service packs and patches as much as you can. While it doesn’t ensure that you won’t be vulnerable to a zero-day attack, it makes it much less likely.
- Enable secure login (issue SSH keys to individuals): This will keep your assets protected when moving across unsecured networks.
- VPN (network): Protect the connections between devices and the Internet by creating a secure tunnel, or VPN. You're creating your own version of a network that is more specific to your own security requirements.
- Use a jump host: The jump host is placed in a different security zone and provides the only means of accessing other servers or hosts in your system. The security groups for your other cloud assets should be set up to only allow SSH access from the jump host. It is an extra step that can keep attackers out of your system.
- Hypervisor firewall rules: The most effective way to manage firewalls is at the hypervisor level because you can restrict or set limits on both ingress and egress traffic. Take care to set definitive rules about what, how much, and who can send, receive, and access both inbound and outbound data. Many are reluctant to set up outbound rules, but because ransomware often threatens the leaking of your intellectual property, it is important to ensure you have outbound rules that are explicitly declared.
- Only use trusted images: Build your images or templates from scratch or get them from very trusted sources like AWS or Microsoft. Don’t use the ones you find on Stack Overflow or on random message boards or communities.
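Two of the compute-layer rules above, SSH only from the jump host and explicitly declared outbound rules, can be checked mechanically against security-group definitions. The following added example (not code from the original post) lints a constructed rule set: it flags any group other than the jump host that accepts SSH from outside the jump host's address, flags egress rules that allow everything to anywhere, and reports groups that declare no egress rule at all (on platforms whose default is allow-all outbound, that silence is itself the problem). Group names, addresses, and the rule tuple format are assumptions.

```python
"""Added example, not from the original post: lint a constructed set of
security-group rules for the compute-layer controls above, SSH only from the
jump host and explicitly declared egress. Group names, addresses and the rule
tuple format are assumptions."""
import ipaddress

JUMP_HOST_GROUP = "sg-jump"
JUMP_HOST_CIDR = "10.0.0.5/32"          # constructed: the bastion's private address
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# Constructed rules: (group, direction, protocol, port, cidr); port 0 means all ports
RULES = [
    ("sg-jump", "ingress", "tcp", 22,   "203.0.113.0/24"),  # office range may reach the jump host
    ("sg-app",  "ingress", "tcp", 22,   "10.0.0.5/32"),     # app servers take SSH from the jump host only
    ("sg-app",  "ingress", "tcp", 443,  "0.0.0.0/0"),
    ("sg-app",  "egress",  "tcp", 443,  "0.0.0.0/0"),       # explicit, port-limited egress
    ("sg-db",   "ingress", "tcp", 22,   "0.0.0.0/0"),       # SSH open to the world
    ("sg-db",   "ingress", "tcp", 5432, "10.0.0.0/16"),
    ("sg-db",   "egress",  "all", 0,    "0.0.0.0/0"),       # unrestricted egress
]


def lint_rules(rules, jump_host_cidr=JUMP_HOST_CIDR, jump_host_group=JUMP_HOST_GROUP):
    """Return sorted (group, finding) pairs for rules that break the controls."""
    jump_net = ipaddress.ip_network(jump_host_cidr)
    findings = set()
    groups_with_egress = {g for g, d, *_ in rules if d == "egress"}
    for group, direction, proto, port, cidr in rules:
        net = ipaddress.ip_network(cidr)
        # SSH into anything other than the jump host must originate from the jump host
        if (direction == "ingress" and port == 22 and group != jump_host_group
                and not net.subnet_of(jump_net)):
            findings.add((group, "ssh_not_from_jump_host"))
        # All ports/protocols to anywhere defeats the point of outbound rules
        if direction == "egress" and (proto == "all" or port == 0) and net == ANYWHERE:
            findings.add((group, "unrestricted_egress"))
    # A group with no egress rule has not declared what may leave it
    for group in {g for g, *_ in rules}:
        if group not in groups_with_egress:
            findings.add((group, "no_explicit_egress"))
    return sorted(findings)


if __name__ == "__main__":
    for group, finding in lint_rules(RULES):
        print(f"{group:8} {finding}")
```

Feeding the real rule export (for example the output of your cloud provider's describe-security-groups call, flattened to the same tuples) into `lint_rules` gives a repeatable check that the jump-host-only SSH design has not eroded as new hosts were added.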
Protect Your Cloud Applications
After you’ve “surrounded the perimeter” and enforced smart policies, you then need to emphasize security specifically for your services in the cloud.
- Source control management: Use source control to secure versions, access to builds, and deployment instances. This will reduce the surface area of your code and limit the potential for attacks across your entire network.
- Monitor SaaS systems that store code, like GitHub: All it takes is for a bad actor to get access to your repo, and they can infect it and potentially gain access to more of your systems the next time one of them calls home. It's better to store your Git or code repositories securely in your cloud environment.
To learn more, check out the Egnyte Security Framework which explains how the Egnyte Platform weaves data security into every layer of enterprise file sharing with behavioral anomaly detection to deter insider threats and compromised accounts, as well as signature-based and zero-day ransomware detection.
Photo by Isaac Benhesed on Unsplash