Ransomware Protection Best Practices
Overview
Ransomware is a type of malware attack that infects computers and prevents users from accessing their system or personal files by encrypting their data (user and system files, such as Windows system restore points and shadow copies).
Users can inadvertently allow ransomware to access a computer through various entry points, such as phishing spam (phishing email attachments). Once downloaded and opened, they infect computer systems. Ransomware can also be downloaded onto systems when malicious or compromised websites are visited.
Once ransomware is executed in the system, the data is encrypted and access to it is impossible unless a ransom is paid in exchange for decryption. Not only can the data be lost, but more often there are threats to sell or share critical company data or authentication information if the ransom is not paid.
Ransomware can be devastating to an organization as it can severely disrupt business processes and prevent companies from providing mission-critical services; it can also result in reputational damage to customers (lost trust), additional costs, and more.
Consequently, protecting information from ransomware attacks should be a top priority for any organization. There are a number of defensive steps you can take to prevent ransomware infection:
- Back up and update your system regularly
- Store your backups on a separate device
- Keep your personal information secure
- Be careful about opening links and attachments
Protect your SEP sesam environment by employing the following best practices.
Protecting SEP sesam Server and RDS from ransomware
To protect your environment from ransomware, consider the following practices for SEP sesam Server and RDS:
Tip: With the Jaglion V2 release, you can use SEP Immutable Storage, also called Si-Storage or SiS. SiS is based on the Si3 NG store. The SiS functionality is built on the file protection service (FPS) and provides built-in security features to maintain data integrity, such as a WORM (Write-Once-Read-Many) function, a definable immutability period, audit logs, etc. SiS can play a crucial role in a ransomware scenario: even with full admin access to the SEP sesam backup server, attackers cannot delete your backup data or modify or encrypt it in any way. See SEP Immutable Storage – SiS.
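The following added example models why an immutability period defeats an attacker who already holds admin rights on the backup server. It is illustration code written for this page, not SEP sesam's SiS or FPS implementation; the class and method names (ImmutableStore, Saveset, RetentionError, write/read/delete/verify) and the injectable clock are assumptions made for the demo. Delete and overwrite are refused for every actor, admin included, until the retention window has expired, every attempt lands in an audit log, and a stored SHA-256 lets later verification detect bytes altered behind the API.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class RetentionError(PermissionError):
    """Raised when anyone, admin included, tries to alter a saveset that is still immutable."""


@dataclass
class Saveset:
    data: bytes
    sha256: str          # digest recorded at write time for later integrity checks
    retain_until: float  # epoch seconds; the object cannot change before this


@dataclass
class ImmutableStore:
    """WORM-style store (assumed model, not SiS code): objects are written once
    and read many times; deletion or overwrite is refused until the retention
    period has expired, and every attempt is written to an audit log."""
    retention_seconds: float
    clock: Callable[[], float] = time.time  # injectable so the demo can advance time
    _objects: Dict[str, Saveset] = field(default_factory=dict)
    audit_log: List[Tuple[float, str, str, str, str]] = field(default_factory=list)

    def _audit(self, action: str, name: str, actor: str, outcome: str) -> None:
        self.audit_log.append((self.clock(), action, name, actor, outcome))

    def write(self, name: str, data: bytes, actor: str = "backup-service") -> str:
        if name in self._objects:                       # write-once: no overwrite, ever
            self._audit("overwrite", name, actor, "REFUSED")
            raise RetentionError(f"{name} already exists and is write-once")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[name] = Saveset(data, digest, self.clock() + self.retention_seconds)
        self._audit("write", name, actor, "OK")
        return digest

    def read(self, name: str) -> bytes:
        return self._objects[name].data

    def delete(self, name: str, actor: str) -> None:
        saveset = self._objects[name]
        if self.clock() < saveset.retain_until:         # still inside the immutability window
            self._audit("delete", name, actor, "REFUSED")
            raise RetentionError(f"{name} is immutable until {saveset.retain_until:.0f}")
        del self._objects[name]
        self._audit("delete", name, actor, "OK")

    def verify(self, name: str) -> bool:
        """Recompute the digest; False means the stored bytes no longer match what was written."""
        saveset = self._objects[name]
        return hashlib.sha256(saveset.data).hexdigest() == saveset.sha256


def demo() -> dict:
    """Walk through the scenario: admin-level deletion and overwrite attempts
    during retention, an integrity check, and deletion once retention expires."""
    now = [1_700_000_000.0]                             # constructed fake clock
    store = ImmutableStore(retention_seconds=14 * 86400, clock=lambda: now[0])
    name = "client1/full-2024-01-01"                    # constructed saveset name
    store.write(name, b"constructed saveset bytes")

    refused = 0
    for attempt in (lambda: store.delete(name, actor="admin"),
                    lambda: store.write(name, b"ciphertext", actor="admin")):
        try:
            attempt()
        except RetentionError:
            refused += 1

    clean_before = store.verify(name)
    # Simulate the underlying media being altered behind the API (e.g. encrypted in place).
    store._objects[name].data = b"ciphertext"
    tamper_detected = not store.verify(name)

    now[0] += 15 * 86400                                # retention has now expired
    store.delete(name, actor="admin")                   # allowed once the window is over
    return {
        "refused": refused,
        "clean_before": clean_before,
        "tamper_detected": tamper_detected,
        "remaining": len(store._objects),
        "refused_in_log": sum(1 for entry in store.audit_log if entry[-1] == "REFUSED"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ordering of checks: the retention test runs before any privilege test, so the admin role buys nothing inside the window, and the audit log records the refused attempts, which is exactly the signal a defender wants to alert on.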
- Use a different OS for the SEP sesam Server or RDS (e.g., Linux in Windows environments); see Configuring RDS (Linux example).
- The SEP sesam backup Server or RDS should not be a member of a Windows domain.
- The SEP sesam backup Server or RDS should not have any additional roles, for example domain controller, mail server, or similar.
- Do not enable LDAP/AD authentication in the GUI to authenticate users against an external directory. For details, see Configuring LDAP/AD Authentication.
- Allow management access (SSH/RDP and GUI) only over a separate, secured management network or VLAN with no route to the Internet.
- Allow SSH/RDP/GUI/REST API access only through a Privileged Access Management (PAM) solution or a secured jump host.
- Allow SSH/RDP access only with multi-factor authentication (password plus certificates); see About Authentication and Authorization.
- Harden the operating system of SEP sesam and RDS Server according to standard security recommendations.
- Configure ACLs to restrict access only to those who need it. See Using Access Control Lists.
- Follow the principle of least privilege (POLP) and enforce the minimum level of user privileges: for each SEP sesam service, use a separate service user with only the permissions that service needs for its role, and give each user only the permissions necessary to perform an authorized activity. Domain Admin should never be used; instead, use a regular (restricted) user account for your daily work.
- Secure backup-to-disk data with regular hardware snapshots to a storage system.
- Use a resilient backup strategy and keep at least 3 copies of your data on different media, especially on immutable off-site storage. See Backup Strategy Best Practices.
- Consider using an HPE StoreOnce appliance that provides data immutability. During the defined period of data immutability, the stored data cannot be encrypted, modified in any way, or deleted, even in the event of a ransomware attack. Organisations can use immutable backups to restore their data to a state that is still intact and unaffected by the malware. For details, see HPE StoreOnce Configuration.
- Disable HTTP and FTP data traffic and switch to HTTPS for more secure data transfer. See Disabling unsecure transport modes.
- Select the secure SMSSH access mode when configuring SEP sesam Client(s). See Access Modes.
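The management-access items above (SSH only from a separate management network, multi-factor authentication with key plus password, no privileged direct logins) can be checked against the OpenSSH server configuration. The following added example audits an sshd_config text for those points; it is written for this page and is not a SEP sesam tool. The management network 10.99.0.0/24, the two embedded configurations and the group name sesam-admins are constructed for the demo; the keywords it inspects (PermitRootLogin, AuthenticationMethods, PubkeyAuthentication, PermitEmptyPasswords, AllowUsers/AllowGroups, ListenAddress, Match) are real OpenSSH directives.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed management VLAN; adjust to the network that carries admin traffic.
MGMT_NETWORK = ipaddress.ip_network("10.99.0.0/24")


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (effective keyword values, ListenAddress list). OpenSSH applies the
    first occurrence of a keyword, so later duplicates are ignored. Parsing stops
    at the first Match block because its directives apply only conditionally."""
    values: Dict[str, str] = {}
    listen: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "listenaddress":                # may legitimately appear several times
            listen.append(val)
        else:
            values.setdefault(key, val)           # first occurrence wins, as in sshd
    return values, listen


def _listen_host(addr: str) -> str:
    """Strip an optional port from a ListenAddress value ('host', 'host:port', '[v6]:port')."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:
        return addr.rsplit(":", 1)[0]
    return addr


def audit_sshd(text: str, mgmt_net=MGMT_NETWORK) -> List[str]:
    """Return a list of findings; an empty list means every checked item passes."""
    values, listen = parse_sshd_config(text)
    findings: List[str] = []

    # Defaults follow current OpenSSH: PermitRootLogin prohibit-password,
    # PubkeyAuthentication yes, PermitEmptyPasswords no.
    if values.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin should be 'no'; log in as a restricted user instead")

    # Multi-factor: every accepted method list must contain publickey plus a second factor.
    methods = values.get("authenticationmethods", "")
    factor_sets = [set(m.split(",")) for m in methods.split()] if methods else []
    if not factor_sets or not all("publickey" in s and len(s) >= 2 for s in factor_sets):
        findings.append("AuthenticationMethods should require publickey plus a second factor "
                        "(e.g. 'publickey,password')")
    if values.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication must be 'yes' for certificate/key based MFA")
    if values.get("permitemptypasswords", "no") != "no":
        findings.append("PermitEmptyPasswords must be 'no'")
    if "allowusers" not in values and "allowgroups" not in values:
        findings.append("No AllowUsers/AllowGroups: restrict SSH logins to administrator accounts")

    # Management network only: sshd should bind to an address inside it, never to all interfaces.
    if not listen:
        findings.append("No ListenAddress: sshd listens on all interfaces, not only the management network")
    for addr in listen:
        host = _listen_host(addr)
        try:
            ok = ipaddress.ip_address(host) in mgmt_net
        except ValueError:                        # hostname or wildcard, cannot be verified
            ok = False
        if not ok:
            findings.append(f"ListenAddress {addr} is outside the management network {mgmt_net}")
    return findings


# Constructed sample: a typical default installation.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ListenAddress 0.0.0.0
"""

# Constructed sample: hardened according to the items on this page.
HARDENED_CONFIG = """\
ListenAddress 10.99.0.5:22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
AllowGroups sesam-admins
PermitEmptyPasswords no
Match Address 10.99.0.0/24
    X11Forwarding no
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd(cfg) or "OK")
```

Run it against /etc/ssh/sshd_config on the backup server or RDS (read the file and pass its contents to audit_sshd) as part of the hardening review; the ListenAddress check is what ties the SSH service to the management VLAN, and the AuthenticationMethods check is what enforces key-plus-password rather than either factor alone.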
Responding to a ransomware infection
Although all of these measures are effective, it is impossible to completely protect your system from attack. To limit the damage in the event of a ransomware attack, consider the following points:
- Do not pay a ransom demanded by the cybercriminals. There is no guarantee that the decryption key will be delivered, so you could lose data, money, and time if the ransom is paid.
- Isolate the infected system(s) by disconnecting them from all networks and the Internet.
- Ensure backup data is offline and secure.
- If possible, create a snapshot of the system memory.
- Shut down the system to prevent further spread of the ransomware.
- Report the ransomware incident to SEP support.
See also
- SEP Immutable Storage – SiS
- About Authentication and Authorization
- Backup Strategy Best Practices
- Configuring RDS (Linux example)
- Using Access Control Lists