Earlier this year in his blog, Talking Healthcare Technology, Henry Soch reported on what tech users can do to prevent ransomware attacks and added some U.S. Government information on what to do if you’ve been hacked.
So, what can you do to prevent disruption from ransomware attacks?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends these best practices:
- Require multi-factor authentication for remote access to OT and IT networks.
- Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
- Implement a user training program and simulated spear-phishing attacks to discourage users from visiting malicious websites or opening malicious attachments. Reinforce the appropriate user responses to spear-phishing emails.
- Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
- Update software, including operating systems, applications, and firmware on IT network assets, promptly. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
- Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
- Set anti-virus/anti-malware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
- Implement unauthorized execution prevention by disabling macro scripts in Microsoft Office files transmitted via email. Implement application allowlisting, which allows systems to execute only programs known to and permitted by security policy. Monitor and/or block inbound connections from Tor exit nodes and other anonymization services. Deploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools.
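As an added illustration (this is not code from the original post or from CISA), the script below applies three of the network controls in the list above to a constructed firewall/proxy log: it blocks ingress and egress traffic with known-malicious IP addresses, blocks inbound connections from Tor exit nodes, and flags inbound RDP (TCP/3389) from any source outside an allowlist. The log format, the IP addresses (drawn from the RFC 5737 documentation ranges), the blocklists and the allowlist are all hypothetical; a real deployment would load them from threat-intelligence feeds and the organization's own policy. Lines the parser cannot read are reported rather than silently dropped, since a filter that skips what it cannot parse is a filter an attacker can slip past.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed threat-intel data (hypothetical addresses from RFC 5737 ranges).
MALICIOUS_IPS = {"203.0.113.7", "198.51.100.23"}
TOR_EXIT_NODES = {"192.0.2.99"}
# Only these source networks may originate RDP sessions (hypothetical allowlist).
RDP_SOURCE_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]
RDP_PORT = 3389


@dataclass
class Finding:
    line_no: int
    reason: str
    action: str  # "block" for a policy violation, "alert" for unparsable input


def parse_line(line: str):
    """Parse the constructed format '<ts> <direction> src=<ip> dst=<ip> dport=<n>'.

    Raises ValueError (or IndexError) on malformed input so the caller can
    report it instead of ignoring it.
    """
    _ts, direction, src, dst, dport = line.split()
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction {direction!r}")
    src_ip = ipaddress.ip_address(src.split("=", 1)[1])
    dst_ip = ipaddress.ip_address(dst.split("=", 1)[1])
    port = int(dport.split("=", 1)[1])
    return direction, src_ip, dst_ip, port


def check_line(line_no: int, line: str) -> List[Finding]:
    """Apply the blocklist, Tor-exit and RDP-source rules to one log line."""
    try:
        direction, src_ip, dst_ip, port = parse_line(line)
    except (ValueError, IndexError) as exc:
        # Never silently skip input the parser cannot read.
        return [Finding(line_no, f"unparsable log line: {exc}", "alert")]

    findings: List[Finding] = []
    # The "remote" side is the source for inbound traffic and the
    # destination for outbound traffic; the blocklist applies both ways.
    remote = src_ip if direction == "inbound" else dst_ip
    if str(remote) in MALICIOUS_IPS:
        findings.append(Finding(line_no, f"{direction} traffic with known-malicious IP {remote}", "block"))
    if direction == "inbound" and str(src_ip) in TOR_EXIT_NODES:
        findings.append(Finding(line_no, f"inbound connection from Tor exit node {src_ip}", "block"))
    if direction == "inbound" and port == RDP_PORT:
        if not any(src_ip in net for net in RDP_SOURCE_ALLOWLIST):
            findings.append(Finding(line_no, f"RDP from non-allowlisted source {src_ip}", "block"))
    return findings


def check_log(lines: List[str]) -> List[Finding]:
    """Run check_line over a whole log, numbering lines from 1."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        if line.strip():
            findings.extend(check_line(n, line))
    return findings


# Constructed sample log: one allowed RDP session, one RDP attempt from a
# known-malicious address, a Tor exit node hitting HTTPS, an outbound
# connection to a known-malicious address, benign egress, and a corrupt line.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z inbound src=10.10.0.5 dst=10.20.0.8 dport=3389",
    "2024-05-01T10:00:02Z inbound src=198.51.100.23 dst=10.20.0.8 dport=3389",
    "2024-05-01T10:00:03Z inbound src=192.0.2.99 dst=10.20.0.9 dport=443",
    "2024-05-01T10:00:04Z outbound src=10.20.0.9 dst=203.0.113.7 dport=443",
    "2024-05-01T10:00:05Z outbound src=10.20.0.9 dst=203.0.113.50 dport=443",
    "garbage line here",
]

if __name__ == "__main__":
    for f in check_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.action.upper()} - {f.reason}")
```

Running the script on the sample log yields five findings: two for the malicious-IP RDP attempt (the blocklist and the RDP allowlist both fire), one each for the Tor exit node and the malicious egress, and an alert for the unparsable line. The first line, RDP from inside the allowlisted network, produces nothing, which is the point of the allowlist: RDP stays available where it is operationally necessary and is blocked everywhere else.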
But what do I do if my organization is the victim of a ransomware attack?
Again, referring to the CISA recommendations:
- Isolate the infected system(s). Disconnect them from the network (pull the cable, disable Wi-Fi) so the ransomware cannot spread further.
- Turn off other computers and devices. Power off and segregate any other computers or devices that shared a network with the infected computer(s) and have not yet been fully encrypted by the ransomware. Where you can disconnect a device from the network instead of powering it off, prefer that: powering off destroys volatile memory that may be needed for forensic analysis.
- Secure your backups. Ensure that your backup data is offline, secure, and free of malware.