The Institute for Security and Technology (IST) has released a “Blueprint for Ransomware Defense”. The guide gives small and midsize businesses (SMBs) recommended defenses for preventing and responding to ransomware and other common cyberattacks. It is organized around the identify, protect, respond, and recover functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework. It deliberately leaves out the fifth NIST function, detection; the report recommends that SMBs work with a cybersecurity service provider to cover that capability.
The recommendations are built around safeguards: 14 foundational safeguards and 26 actionable safeguards.
Safeguards to identify what needs protecting
The Institute for Security and Technology recommends the following foundational safeguards to help determine what needs to be protected on SMB networks:
• Establish and maintain a detailed inventory of enterprise assets.
• Establish and maintain a software inventory.
• Establish and maintain a data management process.
• Establish and maintain an inventory of accounts.
SMBs may need more guidance on understanding the risks posed by their computers and software. Many still run older technology because a critical line-of-business application requires it. It is not enough for SMBs to simply count their assets; they need to assess the risk that aging hardware and old, unsupported software still in use add to the business.
An actionable safeguard is to ensure that licensed software is still supported by its vendor.
Safeguards to protect network infrastructure
The following safeguards cover how to protect these assets:
• Establish and maintain a secure configuration process.
• Establish and maintain a secure configuration process for the network infrastructure.
• Establish an access granting process.
• Establish an access revoking process.
• Establish and maintain a vulnerability management process.
• Establish and maintain a remediation process.
• Establish and maintain a security awareness program.
Actionable recovery safeguards include:
• Perform automated backups (including backups of virtual machines).
• Protect recovery data.
• Establish and maintain an isolated instance of recovery data.
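Backups only count as a recovery safeguard if they are recent and intact. The following PowerShell script is an added example, not part of the IST Blueprint, that checks the newest backup set on a Windows host before anyone has to rely on it. It assumes backups are stored under `$BackupRoot` as one subfolder per run, each containing a `manifest.sha256` file written at backup time with lines of the form `<sha256>  <relative path>`; the path, the manifest name, and the 24-hour freshness threshold are placeholders chosen for this example.

```powershell
# Added example (not IST's code): verify that the latest backup set is fresh
# and that every file still matches the SHA-256 hash recorded when it was taken.
# Assumptions: $BackupRoot holds dated subfolders; each has manifest.sha256
# with "<sha256>  <relative path>" lines. Thresholds are arbitrary placeholders.
param(
    [string]$BackupRoot = 'E:\Backups',   # placeholder location
    [int]$MaxAgeHours   = 24              # placeholder freshness window
)

function Test-BackupSet {
    param([string]$Path)
    $manifest = Join-Path $Path 'manifest.sha256'
    if (-not (Test-Path $manifest)) {
        return [pscustomobject]@{ Path = $Path; Result = 'FAIL'; Detail = 'manifest.sha256 missing' }
    }
    $bad = @()
    $checked = 0
    foreach ($line in Get-Content -Path $manifest) {
        # Skip blank or malformed lines rather than silently treating them as passes.
        if ($line -notmatch '^([0-9a-fA-F]{64})\s+(.+)$') { continue }
        $expected = $Matches[1]
        $relative = $Matches[2]
        $file = Join-Path $Path $relative
        $checked++
        if (-not (Test-Path $file)) { $bad += "$relative (missing)"; continue }
        $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($actual -ne $expected) { $bad += "$relative (hash mismatch)" }
    }
    if ($checked -eq 0) {
        return [pscustomobject]@{ Path = $Path; Result = 'FAIL'; Detail = 'manifest has no valid entries' }
    }
    if ($bad.Count -gt 0) {
        return [pscustomobject]@{ Path = $Path; Result = 'FAIL'; Detail = ($bad -join '; ') }
    }
    return [pscustomobject]@{ Path = $Path; Result = 'PASS'; Detail = "$checked files verified" }
}

# Pick the newest backup run by folder modification time.
$latest = Get-ChildItem -Path $BackupRoot -Directory |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $latest) {
    Write-Warning "No backup sets found under $BackupRoot"
    exit 2
}

# Freshness: a backup older than the window means the schedule is broken.
$age = (Get-Date) - $latest.LastWriteTime
if ($age.TotalHours -gt $MaxAgeHours) {
    Write-Warning ("Latest backup {0} is {1:N1} hours old (limit {2})" -f $latest.Name, $age.TotalHours, $MaxAgeHours)
}

# Integrity: silently corrupted or tampered files are caught by the manifest check.
$result = Test-BackupSet -Path $latest.FullName
$result | Format-List
if ($result.Result -ne 'PASS') { exit 1 }
```

Run this from a host that is not the one being backed up, and ideally against the isolated copy of the recovery data, so that a ransomware infection of the production system cannot also rewrite the manifest it is being checked against. A passing hash check still says nothing about whether a rebuild works, so pair it with a periodic restore test of a representative server.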
Workstations in SMBs often use weak passwords or are not properly protected for on-premises and remote access. Attackers usually get in through exposed remote desktop access or by cracking a local administrator password that is reused across the network. Worse, ordinary users are frequently set up with domain administrator rights. Whether an SMB has a traditional domain and workstation setup or relies on cloud computing and web applications, it needs to review how passwords are issued and managed and look at its options for multi-factor authentication.
Next, look at how computing resources are managed and patched. Relying on Windows Update alone to keep systems current is not enough; SMBs need to evaluate options for maintaining and deploying updates across all of their software.
Training employees not to click on links from unknown sources is one of the best ways to protect the business. No matter what technical protections are in place, the best defense is a security-educated end user who does not click on a link and instead asks whether it is legitimate. Even if a business does not have a formal phishing training program, it should make sure users are aware of common scams and attacks.
As the white paper states: “Ransomware has multiple initial infection vectors, and three vectors account for the majority of intrusion attempts: one is the use of the Remote Desktop Protocol (RDP), a protocol used to remotely manage Windows devices; two is phishing (malicious email that usually appears to come from a reputable source but is designed to steal credentials or sensitive information); and the third is exploiting software vulnerabilities. Hardening assets, software, and network equipment can defend against these top attack vectors and compensate for a possible security vulnerability that exists due to a secure default configuration. Failure to disable/delete default accounts, change default passwords, and/or change other vulnerable settings increases the risk of exploitation by cyberattacks. The safeguards in this section require that small businesses implement and manage firewalls on servers and manage default accounts on corporate networks and systems.”
The recommended actionable safeguards are:
• Manage default accounts on enterprise assets and software.
• Use unique passwords.
• Disable dormant accounts.
• Restrict administrator privileges to dedicated administrator accounts.
• Require multi-factor authentication for externally exposed applications.
• Require multi-factor authentication for remote network access.
• Require multi-factor authentication for administrative access.
• Perform automated operating system patch management.
• Perform automated application patch management.
• Use only fully supported browsers and email clients.
• Use DNS filtering services.
• Ensure that the network infrastructure is up to date.
• Deploy and maintain anti-malware software.
• Configure automatic anti-malware signature updates.
• Disable autorun and autoplay for removable media.
• Train employees to recognize social engineering attacks.
• Train employees to identify and report security incidents.
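Several of the safeguards above map to concrete settings on a Windows workstation, and an SMB (or the consultant it works with) can check them without buying a tool. The PowerShell script below is an added example, not code from the IST Blueprint; it is a read-only audit that reports PASS/FAIL/INFO for dormant accounts, default accounts, administrator group membership, the Windows Update service, Microsoft Defender state and signature age, autorun policy, Remote Desktop hardening, and the host firewall. It assumes it is run as a local administrator on Windows 10/11 or Windows Server 2016 or later with the built-in `Microsoft.PowerShell.LocalAccounts`, `Defender` and `NetSecurity` modules; the 90-day dormancy and 7-day signature-age thresholds are arbitrary choices for this example.

```powershell
# Added example (not IST's code): read-only audit of a Windows host against
# several Blueprint safeguards. Run elevated. Thresholds are arbitrary choices.
$DormantDays         = 90   # placeholder: days without logon before an account counts as dormant
$MaxSignatureAgeDays = 7    # placeholder: oldest acceptable anti-malware signatures

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Safeguard, [string]$Status, [string]$Detail)
    $findings.Add([pscustomobject]@{ Safeguard = $Safeguard; Status = $Status; Detail = $Detail })
}

# Disable dormant accounts: enabled local users that have never logged on,
# or not within $DormantDays days.
$cutoff  = (Get-Date).AddDays(-$DormantDays)
$dormant = Get-LocalUser | Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff) }
Add-Finding 'Disable dormant accounts' $(if ($dormant) { 'FAIL' } else { 'PASS' }) ($dormant.Name -join ', ')

# Manage default accounts: the built-in Administrator (RID 500) and Guest (RID 501)
# accounts should be disabled.
$builtin = Get-LocalUser | Where-Object { $_.Enabled -and $_.SID.Value -match '-(500|501)$' }
Add-Finding 'Manage default accounts' $(if ($builtin) { 'FAIL' } else { 'PASS' }) ($builtin.Name -join ', ')

# Restrict administrator privileges: list who is in the local Administrators group
# so day-to-day user accounts can be spotted and removed.
$admins = Get-LocalGroupMember -Group 'Administrators'
Add-Finding 'Restrict administrator privileges' 'INFO' ($admins.Name -join ', ')

# Automated OS patch management: the Windows Update service must not be disabled.
$wu = Get-Service -Name wuauserv
Add-Finding 'Automated OS patching' $(if ($wu.StartType -eq 'Disabled') { 'FAIL' } else { 'PASS' }) "wuauserv StartType=$($wu.StartType)"

# Anti-malware deployed with automatic signature updates (Microsoft Defender).
$mp = Get-MpComputerStatus
$avOk = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)
Add-Finding 'Anti-malware and signature updates' $(if ($avOk) { 'PASS' } else { 'FAIL' }) `
    "AV=$($mp.AntivirusEnabled) RTP=$($mp.RealTimeProtectionEnabled) SignatureAgeDays=$($mp.AntivirusSignatureAge)"

# Disable autorun/autoplay: NoDriveTypeAutoRun = 0xFF (255) disables autorun for all drive types.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
Add-Finding 'Disable autorun/autoplay' $(if ($autorun -eq 255) { 'PASS' } else { 'FAIL' }) "NoDriveTypeAutoRun=$autorun"

# Remote Desktop (the RDP vector the white paper names): if RDP is enabled,
# Network Level Authentication must be required so unauthenticated clients never
# reach the logon screen.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0
$nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
$rdpStatus = if (-not $rdpEnabled) { 'PASS' } elseif ($nla) { 'INFO' } else { 'FAIL' }
Add-Finding 'Remote Desktop hardening' $rdpStatus "RDP enabled=$rdpEnabled NLA required=$nla"

# Host firewall on every profile (Domain, Private, Public).
$fwOff = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
Add-Finding 'Host firewall enabled' $(if ($fwOff) { 'FAIL' } else { 'PASS' }) ($fwOff.Name -join ', ')

$findings | Format-Table -AutoSize
```

The script changes nothing; it only reads local accounts, services, registry values and Defender status, so it is safe to run on a production workstation during a first assessment. Items marked INFO (administrator group membership, RDP enabled with NLA) need a human judgment about whether each entry is actually required; everything marked FAIL maps directly to one of the safeguards in the list above.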
SMBs may not have considered or tested their recovery processes. Backups may not work properly, or, in the ransomware case, the ability to rebuild systems from backups isolated from the network may never have been tested.
The Blueprint documentation includes links to recommended tools and resources. For SMBs with no in-house IT expertise, working through a list of these tools can be daunting, so it is also worth asking the consultants they already use which tools they rely on. Discuss what processes the consultants follow and see whether they have comparable resources.