4 4 3 Beefalo: Ransomware Protection Best Practices
Ransomware is a type of malware that infects one or more computers and prevents users from accessing their system or personal files by encrypting the data (user and system files, including, for example, Windows system restore points and shadow copies).
Users can unintentionally allow ransomware onto a computer through different entry points, such as phishing spam (malicious email attachments): once the attachment is downloaded and opened, it infects the system. Ransomware can also be downloaded onto systems when visiting malicious or compromised websites.
Once ransomware is executed on a system, the data is encrypted and cannot be accessed unless a ransom is paid in exchange for decryption. Data loss is not the only risk: increasingly, the attackers also threaten to sell or leak critical company data or authentication information if the ransom is not paid.
Ransomware can be devastating to an organization, as it can severely disrupt business processes and prevent the organization from delivering mission-critical services; it can also result in reputational damage (lost customer trust), additional costs, etc.
Consequently, protecting information from ransomware attacks should be a top priority for any organization. There are a number of defensive steps you can take to prevent ransomware infection:
- back up and update your system regularly
- store your backups on a separate device
- keep your personal information safe
- pay attention when opening links and attachments, etc.
Protect your SEP sesam environment by employing the following best practices.
Protecting SEP sesam Server and RDS from ransomware
- Use a Linux system as the SEP sesam Server or RDS; see Configuring RDS (Linux example). Note that the SEP sesam backup Server and RDS should not be domain members.
- Do not activate LDAP/AD authentication in the GUI to authenticate users against an external directory. For details, see Configuring LDAP/AD Authentication.
- Allow management access (SSH/RDP and GUI) only over a physically separated, secure management network or VLAN that is not routed to the internet.
- Restrict SSH/RDP/GUI/REST API access so that it is only possible via a Privileged Access Management (PAM) solution or a secured jump host.
- Allow SSH/RDP access only with multi-factor authentication (password and certificates); see About Authentication and Authorization.
- Harden the operating system of SEP sesam and RDS Server according to standard security recommendations.
- Configure ACLs to restrict access to only the people that require it. See Using Access Control Lists.
- Follow the principle of least privilege (POLP) and enforce the minimal level of user rights; for each SEP sesam service, use a separate service user with the lowest clearance level that allows the users to perform their role. Each user should have only those permissions which are essential to perform an authorized activity. The Domain Admin should never be used; instead, use a regular (restricted) user account for your day-to-day work.
- Secure backup-to-disk data with regular hardware snapshots on a storage system.
- Use a resilient backup strategy and keep at least 3 copies of your data on different media, especially on immutable storage off-site. See Backup Strategy Best Practices.
- Select secure SMSSH access mode when configuring SEP sesam Client(s). See Access Modes.
Responding to ransomware infection
While all these practices are effective, it is impossible to completely protect your system from attacks. In the event of a ransomware attack, to limit the damage consider the following:
- Do not pay any ransom demanded by the cybercriminals. There is no guarantee that the decryption key will be delivered, so you could lose data, money, and time if the ransom is paid.
- Isolate the infected system(s) by disconnecting from any networks and the internet.
- Ensure that the backup data is offline and secure.
- If possible, take a snapshot of the system memory.
- Shut down the system to prevent the further spread of ransomware.
- Report the ransomware incident to SEP support.