EDITOR’S QUESTION
Morey J Haber, Chief Technology Officer, BeyondTrust
While there is no shortage of seminars, articles and vendor solutions outlining best practices to mitigate the threats of ransomware and modern cyber-extortion, there is no single solution that protects against all of them. If there were, wouldn’t we all be implementing it, and wouldn’t its manufacturer be the most profitable vendor?
The fact is that there are multiple steps and best practices that can mitigate this growing problem, and we just need to stop, listen and do them better, not necessarily go out and buy another tool. To that end, consider these three recommendations.
1. End-user education: The average user may not be able to tell the difference between a regular email and a phishing or spear-phishing attack. They do, however, understand that if you click on the wrong thing, you may lose all your work and files or infect your computer.
If you can translate the threat of ransomware into terms the average user can understand and remember, then the human element of social engineering can have some definable mitigation strategy. The vast majority of ransomware arrives via phishing attacks, so the training needs to cover the threat, how to identify phishing emails, what to click on and when not to open a file. A simple phone call can verify whether an email is legitimate, and we need to instruct team members how to verify the source before continuing. It is not hard to do, just like looking both ways before crossing the street, but we need to teach all users about safe computing practices.
2. Secure back-ups: The worst-case scenario is that you do become infected with cyber-extortion-based malware. If you follow law enforcement’s recommendations, you should not pay the ransom. So how do you recover? The answer is secure back-ups. While this recommendation is not preventative, it is the only one that can help you when all else fails. All data should be backed up and, most importantly, secured, such that the infected assets cannot compromise the back-up via mapped drives or network shares.
The back-up should also be tested on a periodic basis to ensure it can restore all files in an uninfected state. A common mistake that organisations make is to attempt a restoration before the ransomware infestation is cleared, so the process repeats itself until the environment is truly purged of the malware.
3. Disable macros: Some newer extortion-based malware is taking cues from older computer viruses that leveraged Microsoft Office macros. This one isn’t easy to resolve, because many of our spreadsheets and documents depend on macros to satisfy business requirements.
For example, a recent addition to the long list of ransomware is ‘PowerWare’. It typically comes in through a phishing email containing an infected Word attachment. The document contains a malicious macro which then calls a PowerShell script which carries out the payload. This email is nasty because Word and PowerShell are very common and approved applications at almost every organisation. Therefore, they represent a trusted attack vector for ransomware and can bypass most application control solutions.
In newer versions of Microsoft Office, a setting drastically reduces the possibility of this happening. The setting ‘Disable all macros except digitally signed macros’, found within the Trust Center settings, will prevent any macro that is not signed with a valid certificate from a trusted certificate authority from executing. This provides secure granularity to enable macros, versus the blanket ‘Disable all macros’ setting. Unfortunately, you may not be able to enable this setting, since not all of your macros may be signed.
Wherever possible, insist that any vendor that provides software containing macros sign them, and establish a process internally to sign macros so this setting can be properly enabled for everyone.
INTELLIGENTCIO 35