Common Security Lapses That Empower Cybercriminals
Ransomware attacks have become highly sophisticated, but for the most part they still only exploit vulnerabilities in security defenses that should not have existed.
Over the past 12 months, the number of successful ransomware attacks has increased alarmingly. Many attacks have been headline news due to the disruption they have caused and the high cost of remediation.
The healthcare industry in the United States has been targeted, with the attacks disrupting patient care and putting patient safety at risk. Recently there was an attack on Colonial Pipeline that resulted in the shutdown of the main fuel pipeline serving the East Coast of the United States, while JBS suffered an attack that threatened food production at its U.S. plants.
Ransom payments have also increased and threat actors are stealing data prior to encrypting files to increase the pressure on victims to pay up. Regardless of whether the ransom is paid, the recovery process is slow. Many victims have suffered disruption to business operations for several months and businesses have been forced to permanently close after an attack due to the high costs of recovery.
Ransomware gangs have conducted highly sophisticated attacks, but for the most part they have exploited vulnerabilities in security defenses that should not have existed. Most attacks exploit weaknesses that could have been easily addressed had network security best practices been followed. So what mistakes are businesses making that leave them vulnerable to ransomware attacks?
Security Mistakes That Make Life Easy for Ransomware Gangs
In order for ransomware gangs to conduct a successful attack, they must first gain access to the business network by exploiting security vulnerabilities.
While there are many possible attack vectors, the most common is phishing. A phishing campaign is conducted with one of two aims:
- To steal credentials that allow perimeter defenses to be bypassed.
- To install malware that gives the attackers persistent access to the network.
With credential theft, the aim is to obtain the credentials of an individual with high-level privileges such as the CEO. With high privileges, an attacker can easily gain persistent access to the network and move laterally. Alternatively, campaigns can be conducted to target lower-level employees and trick them into installing malware.
Most businesses have implemented a spam filter to block malicious messages, but many rely on default Office 365 spam filters, which do not offer a high enough level of protection. Implementing an advanced AI-based spam filter with sandboxing will improve protection.
Stolen credentials allow an attacker to access network resources, but not if multi-factor authentication has been implemented. While not infallible, multi-factor authentication will prevent attackers from using stolen credentials to gain access to networks in the vast majority of cases.
Anti-spam solutions and multi-factor authentication will provide protection from email attacks, but ransomware and other malware are often downloaded via the internet. By implementing a web filtering solution, employees can be prevented from visiting malicious websites, and malware downloads can be blocked. Many businesses fail to protect against the web-based component of attacks.
Security Awareness Training
Many businesses rely on technical measures to block threats and neglect the human element. Attacks often target employees, so it is important for security awareness training to be provided and for regular refresher sessions to be conducted to reinforce training. Without training, employees cannot be expected to recognize and avoid threats.
Patching and Software Updates
Vulnerabilities in software, firmware, and operating systems are often exploited, so prompt patching is important. It can be difficult to stay on top of patches and security updates, so patching should be prioritized. Many ransomware attacks have succeeded by exploiting only vulnerabilities that were years old. If vulnerabilities are not addressed, it will only be a matter of time before they are exploited.
Brute force attacks that guess weak passwords are often effective. As well as creating password policies that require all default passwords to be changed and strong passwords to be set, those policies must be enforced. Provide employees with tools that make creating strong passwords easier, such as a password management solution.
In the event of an attack, it is vital that damage is limited. Network segmentation is important in this regard. If an attacker bypasses the perimeter defenses, they should not be able to access the entire network. Segmenting the network will limit the potential for lateral movement and minimize the damage that can be caused.
Incident Response Plan
Businesses that have prepared for the worst and have developed and tested an incident response plan will recover much faster and will be able to limit the harm caused. Most importantly, the business with an effective incident response plan will be able to continue to operate while the attack is remediated.
Many businesses mistakenly believe that having backups will allow them to recover quickly in the event of an attack when that is often not the case. Regular backups must be created, and those backups must be tested to make sure file recovery is possible and data have not been corrupted. One copy of a backup must also be stored on an isolated system or device that cannot be accessed from the network where the data resides.
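The backup testing described above can be automated. The following is an added example (not code from the article or from DZone) that records a SHA-256 manifest of every file at backup time and then checks a restored copy against it, reporting files that are missing or whose contents no longer match. The directory tree, file contents and the corruption step are constructed in a temporary directory so the script runs offline; the isolated off-network copy the paragraph also calls for is a storage decision that this check does not replace.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 at backup time.
    Store this manifest with the backup, ideally on the isolated copy too."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> list:
    """Test a restore: return a list of problems; empty means every file
    in the manifest was recovered with matching contents."""
    problems = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"corrupted: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario (hypothetical data): back up a small tree,
    restore it and verify; then damage the restore and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes").mkdir()
        (src / "notes" / "a.txt").write_text("hello")

        manifest = build_manifest(src)           # taken at backup time
        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)              # stand-in for the backup job

        restore = Path(tmp) / "restore"
        shutil.copytree(backup, restore)          # stand-in for a test restore
        clean = verify_restore(restore, manifest)

        # Simulate silent corruption and a lost file in the restored copy.
        (restore / "ledger.csv").write_text("id,amount\n1,999\n")
        (restore / "notes" / "a.txt").unlink()
        dirty = verify_restore(restore, manifest)
        return clean, dirty


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore problems:", ok)
    print("damaged restore problems:", bad)
```

Run the verify step on a schedule against an actual restore, not against the backup media itself: a backup whose files hash correctly but cannot be restored by the recovery procedure is still an untested backup.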
By addressing these common security mistakes, ransomware gangs will find it much harder to breach defenses.
The best place to start is by speaking to security experts about implementing cybersecurity solutions to block the most common attack vectors.
Published at DZone with permission of Patrick Smith.