4.4.3 Beefalo: Ransomware Protection Best Practices
Ransomware is a type of malware attack that infects computers and prevents users from accessing their system or personal files by encrypting their data (user and system files, such as Windows system restore points and shadow copies).
Users can inadvertently allow ransomware onto a computer through various entry points, such as phishing spam (phishing email attachments): once the attachment is downloaded and opened, it infects the system. Ransomware can also be downloaded onto systems when malicious or compromised websites are visited.
Once ransomware is executed on the system, the data is encrypted and cannot be accessed unless a ransom is paid in exchange for decryption. Not only can the data be lost; increasingly, the attackers also threaten to sell or publish critical company data or authentication information if the ransom is not paid.
Ransomware can be devastating to an organization as it can severely disrupt business processes and prevent companies from providing mission-critical services; it can also result in reputational damage to customers (lost trust), additional costs, and more.
Consequently, protecting information from ransomware attacks should be a top priority for any organization. There are a number of defensive steps you can take to prevent ransomware infection:
- Back up and update your system regularly
- Store your backups on a separate device
- Keep your personal information secure
- Be careful about opening links and attachments
Protect your SEP sesam environment by employing the following best practices.
Protecting SEP sesam Server and RDS from ransomware
- Use a Linux system as the SEP sesam Server or RDS; see Configuring RDS (Linux example).
- The SEP sesam backup Server or RDS should not be a member of a Windows domain.
- Do not enable LDAP/AD authentication in the GUI to authenticate users against an external directory. For details, see Configuring LDAP/AD Authentication.
- Allow management access (ssh/rdp and GUI) only over a separate, secured management network or VLAN with no route to the Internet.
- Restrict ssh/rdp/GUI/REST API access so that it is only possible through a Privileged Access Management (PAM) solution or a secured jump host.
- Allow ssh/rdp access only with multi-factor authentication (password and certificates); see About Authentication and Authorization.
- Harden the operating system of SEP sesam and RDS Server according to standard security recommendations.
- Configure ACLs to restrict access only to those who need it. See Using Access Control Lists.
- Follow the principle of least privilege (POLP) and enforce the minimum level of user privileges: for each SEP sesam service, use a separate service account with the lowest level of privilege that still allows it to perform its role. Each user should have only the permissions necessary to perform an authorized activity. Domain Admin should never be used for daily work; use a regular (restricted) user account instead.
- Secure backup-to-disk data with regular hardware snapshots to a storage system.
- Use a resilient backup strategy and keep at least 3 copies of your data on different media, especially on immutable off-site storage. See Backup Strategy Best Practices.
- Consider using an HPE StoreOnce appliance that provides data immutability. During the defined period of data immutability, the stored data cannot be encrypted, modified in any way, or deleted, even in the event of a ransomware attack. Organisations can use immutable backups to restore their data to a state that is still intact and unaffected by the malware. For details, see HPE StoreOnce Configuration.
- Select the secure SMSSH access mode when configuring SEP sesam Client(s). See Access Modes.
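The management-access and least-privilege points above (ssh bound to a separate management network, no direct root login, a public key plus a second factor, one restricted service account per service) can be checked on a Linux backup server with a small audit script. The script below is an added example and is not part of the SEP sesam documentation; the sshd_config and /etc/passwd snippets are constructed sample input, and the management address 10.99.0.10 and the account names sesam and sesamdb are assumptions, not SEP sesam defaults.

```shell
#!/bin/sh
# Added example (not SEP sesam's own tooling): audit a Linux backup server
# against the hardening points above. All input below is constructed.

MGMT_ADDR="10.99.0.10"   # assumed address on the isolated management VLAN

# Constructed sshd_config samples: one weak, one hardened.
WEAK_SSHD='PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_SSHD='ListenAddress 10.99.0.10
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
AuthenticationMethods publickey,password'

# Constructed /etc/passwd sample; sesam/sesamdb are assumed account names.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sesam:x:1001:1001:SEP sesam service:/var/opt/sesam:/usr/sbin/nologin
sesamdb:x:1002:1002:SEP sesam database:/var/opt/sesam/db:/bin/bash
admin:x:1000:1000:daily admin:/home/admin:/bin/bash'

# sshd_get <config-text> <keyword>: value of the first matching directive,
# matched case-insensitively the way sshd does (later duplicates are ignored).
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$2" 'tolower($1)==tolower(key){print $2; exit}'
}

# audit_sshd <config-text> <management-address>
# Prints one finding per line; the return value is the number of findings.
audit_sshd() {
    cfg=$1; want=$2; findings=0
    if [ "$(sshd_get "$cfg" ListenAddress)" != "$want" ]; then
        echo "sshd: not bound to the management address $want"; findings=$((findings+1))
    fi
    if [ "$(sshd_get "$cfg" PermitRootLogin)" != "no" ]; then
        echo "sshd: direct root login is permitted"; findings=$((findings+1))
    fi
    # Two factors: a public key must be required in addition to another method.
    case "$(sshd_get "$cfg" AuthenticationMethods)" in
        publickey,*) ;;
        *) echo "sshd: a key or a password alone is enough to log in"; findings=$((findings+1)) ;;
    esac
    return "$findings"
}

# audit_service_accounts <passwd-text> <user>...
# Every listed service account must exist, not be uid 0, and have a
# non-interactive shell. Return value is the number of findings.
audit_service_accounts() {
    pw=$1; shift; findings=0
    for u in "$@"; do
        line=$(printf '%s\n' "$pw" | awk -F: -v u="$u" '$1==u{print; exit}')
        if [ -z "$line" ]; then
            echo "account $u: missing"; findings=$((findings+1)); continue
        fi
        uid=$(printf '%s' "$line" | cut -d: -f3)
        shell=$(printf '%s' "$line" | cut -d: -f7)
        [ "$uid" -ne 0 ] || { echo "account $u: runs as root"; findings=$((findings+1)); }
        case "$shell" in
            */nologin|*/false) ;;
            *) echo "account $u: interactive shell $shell"; findings=$((findings+1)) ;;
        esac
    done
    return "$findings"
}

echo "== weak sshd_config =="
audit_sshd "$WEAK_SSHD" "$MGMT_ADDR" || echo "-> $? finding(s)"
echo "== hardened sshd_config =="
audit_sshd "$HARDENED_SSHD" "$MGMT_ADDR" && echo "-> no findings"
echo "== service accounts =="
audit_service_accounts "$SAMPLE_PASSWD" sesam sesamdb || echo "-> $? finding(s)"
```

On a real server, feed the functions the contents of /etc/ssh/sshd_config (including any Include'd drop-ins) and /etc/passwd, and run the audit from the jump host after every change to the backup server so that a regression, such as a re-enabled root login, is caught before it matters.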
Responding to a ransomware infection
Although all of these measures are effective, it is impossible to completely protect your system from attack. To limit the damage in the event of a ransomware attack, consider the following points:
- Do not pay a ransom demanded by the cybercriminals. There is no guarantee that the decryption key will be delivered, so you could lose data, money, and time if the ransom is paid.
- Isolate the infected system(s) by disconnecting them from all networks and the Internet.
- Ensure backup data is offline and secure.
- If possible, create a snapshot of the system memory.
- Shut down the system to prevent further spread of the ransomware.
- Report the ransomware incident to SEP support.