Note: Nessus Cloud is now a part of Tenable.io Vulnerability Management. To learn more about this application and its latest capabilities, visit the Tenable.io Vulnerability Management web page.
Ransomware has become such a major threat due to its many variations and its drastic impact in restricting access to systems and data, therefore making day to day business unavailable and shutting down access to critical systems.
Existing perimeter solutions today have failed to detect and prevent ransomware from infecting and spreading within organizations’ networks. Ransomware creates mass operational disruption, and signature based anti-virus is unable to prevent and detect ransomware due to the unique and quickly growing variants.
Signature based anti-virus is unable to prevent and detect ransomware
The US CERT and DHHS Threat Alert explains the nature of the threat very well and outlines several solutions available.
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
- Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates and a sound vulnerability management program greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the Internet prior to executing.
- Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens an attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the web; see Good Security Habits and Safeguarding Your Data for additional details.
- Do not follow unsolicited web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
Organizations can implement security controls that prevent untrusted or unknown applications or tools from simply being installed onto the system, but allowing the end user to continue to be productive by using application whitelisting, blacklisting, dynamic listing, real-time privilege elevation, and application reputation and intelligence.
The only method to get the data back is to rebuild or restore from a backup
Users often have the ability to install and execute applications as they wish — no matter where or how they obtained the installation executable. This poses a major risk allowing ransomware or malware to infect and propagate into the organization. It can also allow attackers to install remote access tools, enabling them to easily return whenever they wish. If a user with a privileged account is simply reading emails, opening documents, browsing the Internet and clicking on numerous links, or plugging in a USB device, they can be installing malicious software. These tools can provide attackers with access and begin their attack. Or, in a worst case scenario, they can encrypt the system and sensitive data, requesting a financial payment in return to unlock them. And unless the ransom is paid within a very short period of time (typically 72 hours) the tool will destroy the key to unlock the data, making the data inaccessible forever. The only method to get the data back is to rebuild or restore from a backup if available and accurate.
Least privilege allows users to safely perform their duties. In the event of an accidental clicking of a link or opening an attachment and attempting to execute an application which requires elevated privileges (for example, encrypting a hard drive, network share or folder), the user privileges do not allow those actions to be performed, stopping the attack immediately. This can then be validated by application whitelisting, which checks if the application or source of the application is coming from a trusted source; if it is unknown, then further execution of the application can be prevented until the source or application is determined if it has disruptive behavior.
Real-time elevation is the ability to check if the application, environment or context of the user is safe to elevate the privileges of the application. This occurs by checking various parameters including application reputation, user’s current privilege context and whether the system itself meets certain security controls. If these policies are not met, intervention of a security analyst can then be requested to make a decision on whether it is safe to continue allowing this application to elevate.
Privileged account management
Privileged account management is an effective way to prevent the spread of ransomware throughout the environment and especially to critical systems. This ensures that when ransomware infects a system that it is unable to use the credentials exposed on that system to laterally move around to other systems on the network.
Thycotic provides enterprise password management to over 7,500 customers worldwide. We partnered with Tenable to provide customers secure storage of privileged credentials and the ability to easily perform credentialed scans with Nessus® Cloud and Nessus Manager. Learn more about the partnership in the Integration Spotlight: Enhanced Security with Credentialed Vulnerability Assessments with Tenable blog post and on the Tenable/Thycotic partner page.
About the author
Joseph Carson, EMEA Product Marketing and Global Strategic Alliances for Thycotic, is an expert in Windows endpoint security. Joseph has 20+ years’ experience in enterprise security and infrastructure and is a Certified Information Systems Security Professional (CISSP). An active member of the cybersecurity community and a frequent speaker at cybersecurity events globally, Joseph is also an adviser to several governments and cybersecurity conferences.