Keeping Corporate Devices Secure
Regularly Update Operating Systems and Applications
- Apply the latest security patches and ensure all critical software, including on mobile devices, is up to date.
- Enable automated updates where possible, as this ensures both enhanced security and improved performance.
- Assess the need for antivirus and anti-malware software, keeping them current and performing regular scans to maintain system efficiency.
- Consider a centralized patch management system and use a risk-based approach to determine which systems should be included in the program.
- Regularly back up systems, both online and offline, with up-to-date backups being the most effective recovery method in case of a ransomware attack.
- Create offline backups stored separately from your network, ideally offsite or in a cloud service designed for this purpose, as ransomware often targets backups to increase ransom payments.
Asset Management and Compartmentalization
- Store sensitive data separately from everyday data in compartmentalized locations.
- Implement effective network segregation to limit the movement of adversaries within your network.
- Ensure that areas with different security profiles are compartmentalized, restricting access to the most exposed segments.
Secure Remote Desktop Protocol (RDP)
Limit network access, especially by restricting RDP. If RDP is necessary after a risk assessment, restrict its sources and enforce multi-factor authentication.
Monitor Data Exfiltration
- Early detection of data exfiltration minimizes damage. Ransomware often threatens to release stolen data, so monitor closely to understand what data is at risk.
- Be aware that attackers may still release or reuse stolen data, regardless of whether the ransom is paid.
Regular System Testing
Conduct regular penetration tests and critical information restoration tests to ensure your security measures work as expected.
Reduce Malicious Content Exposure
- Disable scripting environments and macros, and configure systems to inspect content, allowing only certain file types while blocking known malicious sites and applications.
- At the network level, implement policies to monitor, filter, and block illegitimate traffic, using live threat intelligence feeds to blacklist/whitelist based on current threats.
Enhanced Password and Authentication Practices
- Use complex passwords with numbers, symbols, and a mix of upper and lower case letters. Train employees to use strong passwords and consider a password manager.
- Require multi-factor authentication for accessing critical networks to reduce risks from stolen or hacked credentials.
Manage Privileged Accounts
- Restrict employees’ ability to install and run software on corporate devices. Use policies, user account control, and privileged access management to limit account privileges.
- Organize access based on least privilege, need-to-know, and segregation of duties principles to minimize exposure from compromised accounts.
Secure Teleworking Equipment
Implement measures like hard disk encryption, inactivity timeouts, and strong authentication. Ensure you can remotely disable lost or stolen devices.
Install Apps from Trusted Sources
Only allow app installations from official sources on devices connected to the corporate network. Consider creating an enterprise app store for safe app access.
Avoid Public Wi-Fi Risks
Public Wi-Fi networks are insecure. Ensure employees avoid accessing corporate data over public Wi-Fi, or use secure VPNs if necessary.
Cybersecurity Education and Awareness
Educate employees on company policies and raise awareness of cyber threats, particularly phishing and social engineering. Implement training programs with simulated attacks and encourage reporting of suspicious activity with incentives.
Cyber Liability Insurance
Consider obtaining cyber liability insurance to cover potential damages from a cyberattack.
Enable Local Firewalls and Disable PowerShell
Keep local firewalls active to prevent unauthorized access and disable PowerShell if it’s not needed, as some ransomware variants use it to execute attacks.
Steps to Take if Infected
- Immediate Disconnection: Disconnect infected devices from all network connections without shutting them off.
- Consider Network Isolation: In severe cases, disable Wi-Fi, core network connections, and internet access.
- Reset Credentials: Change passwords, especially for admin accounts, while ensuring access to essential systems.
- Report the Incident: Notify the appropriate authorities and preserve evidence for investigation.
- Preserve Evidence: Create forensic images, RAM dumps, and preserve network logs in coordination with authorities.
- Check Decryption Tools: Visit www.nomoreransom.org for free decryption tools if your business is infected with a known variant.
- Wipe and Reinstall: Safely wipe infected devices, reinstall the OS, and ensure backups are free from malware before restoring data.
- Re-establish Security: Connect to a clean network, update software, and run antivirus scans before reconnecting to your network.
- Monitor and Secure: Monitor network traffic and run antivirus scans to confirm the infection is fully eradicated.