No website, or web app, or even a company that has parts of it on the internet, can guarantee that they won't fall as victims of ransomware or malware attack.
So even if they think it's extremely unlikely for them to be a target by hackers, they should at least have an incident response plan when the worse happens. In case organizations got hacked, the plan will greatly reduce the impact and the damage they suffer.
And here, the National Cyber Security Centre, which is UK-based organization that provides advice and support for the public and private sector in how to avoid computer security threats, has given some guidance on how to mitigate malware and ransomware attacks.
The guidance has been updated to "Version 2.0" because of what the NCSC describes as "a growing threat from ransomware attacks".
One of the key pieces of advice NCSC is giving, is to create a plan to anticipate an attack, even if it's unlikely to happen.
According to the agency, there are many organisations which have been impacted by malware as collateral damage, even when they weren't the intended target.
The guidance from NCSC is meant to help both private and public sector organizations in dealing with the effects of malware and ransomware. It also provides the actions needed to help organizations prevent a malware infection, and also step s to take if they're already infected.
According to the guidance, the things to do include:
Make Regular Backups
This is the most crucial thing to do. Having up-to-date backup is the most effective way of recovering from any kind of attacks. They can be the lifesavers, if anything goes wrong to the point of no return.
- Make regular backups of your most important files. Regularly test them to know that they are working as expected.
- Create offline backups that are kept separate from each other.
- Make multiple copies of the backup files, and store them in different backup solutions and storage locations.
- Backup files should not permanently connect to a network it is backing up.
- The backup files should be easily accessible, in order to allow quick restoration. But it should be encrypted as well
- When backing up, ensure that the backups are only connected to known clean devices before starting recovery.
- Scan backups for malware before restoring files.
- Regularly patch products used for backup.
Prevent The Spread Of Malware
Organizations can reduce the likelihood of malicious software from reaching or infecting their devices, by ensuring that:
- The filtering only allow file types you would expect to receive.
- Websites that are known to be malicious to be blocked.
- Actively inspecting content.
- Signatures are used to block known malicious code.
Beyond that, organizations can also:
- Use mail filtering with spam filtering to block malicious emails for to remove executable attachments.
- Intercept proxies, which block known-malicious websites.
- Use internet security gateways, which can inspect content in certain protocols (including some encrypted protocols) for known malware.
- Use safe browsing lists to prevent access to sites known to be hosting malicious content.
And to prevent ransomware attacks, organizations should:
- Enable multi-factor authentication at all remote access points, and enforce IP allow listing using hardware firewalls
- Use a VPN that meets NCSC recommendations, for remote access to services; Software as a Service or other services exposed to the internet should use Single Sign-On (SSO) where access policies can be defined.
- Use the least privilege model for providing remote access.
- Immediately patch known vulnerabilities in all remote access and external facing devices immediately, as soon as the patch becomes available.
Prevent Malware From Running
Even the best blocking and filtering methods can still allow malware to slip between the cracks. This is where organizations should prevent the malware from running. A malware that resides inside a system and doesn't run, is next to harmless.
"You should therefore take steps to prevent malware from running. The measures required will vary for each device type, OS and version, but in general you should look to use device-level security features," the organization said, adding that people can do this by:
- Centrally manage devices in order to only permit applications trusted by the enterprise to run on devices.
- Consider whether enterprise antivirus or anti-malware products are necessary. If so, keep them updated.
- Provide security education and awareness training to employees.
- Disable or constrain scripting environments and macros.
autorunfor mounted media.
And because in some cases, attackers can force their malware to execute by exploiting vulnerabilities in the target device, organizations can prevent this by keeping devices well-configured and up to date. NCSC recommends:
- install security updates as soon as they become available.
- Enable automatic updates for OSs, applications, and firmware.
- Use the latest versions of operating systems and applications.
- Configure host-based and network firewalls, disallowing inbound connections by default.
Preparing For An Incident
When everything is well prepared, worse-case scenarios should be easier to deal with.
Malware attacks, in particular ransomware attacks, can be devastating for organisations because computer systems are no longer available to use, and in some cases data may never be recovered. This is why victims must move quickly.
NCSC suggest that organizations that have been infected with malware, to:
- Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.
- In more serious cases, consider turning off Wi-Fi, disabling any core network connections as well as switches, and disconnecting from the internet might be necessary.
- Reset credentials including passwords (especially for administrator and other system accounts).
- Safely wipe the infected devices and reinstall the affected operating system.
- Before restoring from a backup, verify that the target device is already free from any malware.
- After finishing, they can then connect the devices to a clean network in order to download, install and update the operating system and all other software.
- Install, update, and run antivirus software.
- If no problem is found, they can then reconnect to the network, and the internet.
- Monitor network traffic and run antivirus scans to identify if any infection remains.
To ensure that an organisation is prepared for worst-possible cyber attack, the first thing the need to do, is identity their critical assets, and what the impact would be if they were disrupted by a malware attack.
With a proper response plan, even the worst can be recovered.
For smaller companies, it may take a few hours or days. But larger ones may require weeks, or maybe a month.