Ransomware. How to protect yourself?

Transcription

1 Ransomware How to protect yourself? ED DUGUID, CISSP, VCP CONSULTANT, WEST CHESTER CONSULTANTS

2 Ransomware Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

3 Understanding Ransomware User inadvertently runs exploit Begins encrypting data on infected computer Moves to encrypt data on local servers, SAN Backup replication replicates to off-site Possible replication to other devices,

4 Understanding Risk Monitoring

5 Top Ransomware NotPetya WannaCry Locky CrySis Nemucod Spora Cerber Cryptomix Jigsaw Jaff

6

7 Defense in Depth

8 Risk Response Strategy

9 Executive Risk Function Purpose SP provides guidance for an integrated, organization-wide program for managing information security risk Organizational Mission Functions Image Reputation Organizational Assets Individuals Other Organizations The Nation

10

11

12 Security and Privacy Controls for Information Systems and Organizations SP provides Security and Privacy Controls for Information Systems and Organizations Access Control Awareness and Training Assessment, Authorization, and Monitoring Configuration Management Contingency Planning Identification and Authentication Individual Participation Incident Response Maintenance

13 Access Control ACCESS CONTROL POLICY & PROCEDURES ACCOUNT MANAGEMENT ACCESS ENFORCEMENT SEPARATION OF DUTIES LEAST PRIVILEGE SYSTEM USE NOTIFICATION PREVIOUS LOGON (ACCESS) NOTIFICATION CONCURRENT SESSION CONTROL DEVICE LOCK SESSION TERMINATION UNSUCCESSFUL LOGON ATTEMPTS

14 Awareness and Training AT-1 AWARENESS AND TRAINING POLICY AND PROCEDURES AT-2 AWARENESS TRAINING AT-3 ROLE-BASED TRAINING AT-4 TRAINING RECORDS AT-5 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS

15 Awareness and Training CyberAwareness Challenge 2018

16 Audit and Accountability AU-1 AUDIT AND ACCOUNTABILITY POLICY & PROCEDURES AU-2 AUDIT EVENTS AU-3 CONTENT OF AUDIT RECORDS AU-4 AUDIT STORAGE CAPACITY AU-5 RESPONSE TO AUDIT PROCESSING FAILURES AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING AU-7 AUDIT REDUCTION & REPORT GENERATION AU-8 TIME STAMPS AU-9 PROTECTION OF AUDIT INFORMATION AU-10 NON-REPUDIATION AU-11 AUDIT RECORD RETENTION AU-12 AUDIT GENERATION

17 Assessment, Authorization, and Monitoring CA-1 ASSESSMENT, AUTHORIZATION, & MONITORING POLICY CA-2 ASSESSMENTS CA-3 SYSTEM INTERCONNECTIONS CA-4 SECURITY CERTIFICATION CA-7 CONTINUOUS MONITORING (NIST ) CA-8 PENETRATION TESTING CA-9 INTERNAL SYSTEM CONNECTIONS CA-5 PLAN OF ACTION AND MILESTONES CA-6 AUTHORIZATION, CA-7 CONTINUOUS MONITORING

18 Configuration Management CM-1 CONFIGURATION MGT POLICY & PROCEDURES CM-2 BASELINE CONFIGURATION CM-3 CONFIGURATION CHANGE CONTROL CM-4 SECURITY AND PRIVACY IMPACT ANALYSES CM-5 ACCESS RESTRICTIONS FOR CHANGE CM-6 CONFIGURATION SETTINGS CM-7 LEAST FUNCTIONALITY CM-8 SYSTEM COMPONENT INVENTORY CM-9 CONFIGURATION MANAGEMENT PLAN CM-10 SOFTWARE USAGE RESTRICTIONS CM-11 USER-INSTALLED SOFTWARE CM-12 INFORMATION LOCATION

19 Contingency Planning CP-1 CONTINGENCY PLANNING POLICY & PROCEDURES CP-2 CONTINGENCY PLAN CP-3 CONTINGENCY TRAINING CP-4 CONTINGENCY PLAN TESTING CP-6 ALTERNATE STORAGE SITE CP-7 ALTERNATE PROCESSING SITE CP-8 TELECOMMUNICATIONS SERVICES CP-9 SYSTEM BACKUP CP-9 SYSTEM BACKUP CP-10 SYSTEM RECOVERY & RECONSTITUTION CP-12 SAFE MODE CP-13 ALTERNATIVE SECURITY MECHANISMS

20 Identification and Authentication IA-1 IDENTIFICATION AND AUTHENTICATION POLICY &PROCEDURES IA-2 IDENTIFICATION AND AUTHENTICATION IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION IA-4 IDENTIFIER MANAGEMENT IA-5 AUTHENTICATOR MANAGEMENT IA-6 AUTHENTICATOR FEEDBACK IA-8 IDENTIFICATION AND AUTHENTICATION IA-9 SERVICE IDENTIFICATION & AUTHENTICATION IA-10 ADAPTIVE AUTHENTICATION IA-11 RE-AUTHENTICATION IA-12 IDENTITY PROOFING IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION

21 Individual Participation IP-1 INDIVIDUAL PARTICIPATION POLICY AND PROCEDURES IP-2 CONSENT IP-3 REDRESS IP-4 PRIVACY NOTICE IP-5 PRIVACY ACT STATEMENTS IP-6 INDIVIDUAL ACCESS

22 Incident Response IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES IR-2 INCIDENT RESPONSE TRAINING IR-3 INCIDENT RESPONSE TESTING IR-4 INCIDENT HANDLING IR-5 INCIDENT MONITORING IR-7 INCIDENT RESPONSE ASSISTANCE IR-8 INCIDENT RESPONSE PLAN IR-9 INFORMATION SPILLAGE RESPONSE IR-10 INTEGRATED INFORMATION SECURITY ANALYSIS TEAM IR-6 INCIDENT REPORTING

23 Additional Controls MAINTENANCE MEDIA PROTECTION PRICACY AUTHORIZATION PHYSICAL & ENVIRONMENT PROTECTION PLANNING PROGRAM MANAGEMENT PERSONNEL SECURITY RISK ASSESSMENT SYSTEM AND SERVICES ACQUISITION SYSTEM AND COMMUNICATIONS PROTECTION SYSTEM AND INFORMATION INTEGRITY

24 Leveraging Risk Strategy In addition to the risk management activities carried out at Tier 1 and Tier 2, risk management activities are also integrated into the system development life cycle of organizational information systems at Tier 3

25 Understanding Risk Monitoring NIST Information Security Continuous Monitoring (ISCM) Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions

26 How to respond to Ransomware Prevention Defense in depth, multi-layer, DR plan, Once execute isolate/contain remove from network, Assess level of incident Response team data recovery, unencrypt key,

27 Mediate Ransomware Tools Firewalls with filtering- current (CISCO, Sonicwall, etc) Antivirus Norton, McAfee, Sophos, Malware protection Malwarebytes, Spybot, Local Firewalls, Microsoft, Norton, McAfee, Backup external drives Backup Pro Network scanner Microsoft Baseline Security Analyzer,

28 Mediate Ransomware Access Control change your user from admin access, Segment users separate users on network Off-site storage of data, External data drives rotate, Transfer risk to cloud hosting services, CRM, apps Patching applications Update agents Antivirus, Defender HIDS, DLP Current versions of software Updates firewall definitions Firmware updates on hardware Annual Disaster Recovery testing, what if

29 Other tools Passwords LastPass, Dashlane Segment users separate VLAN, separate users on network Off-site storage of data, icloud External data drives rotate, Transfer risk to cloud hosting services, CRM, apps Annual Disaster Recovery testing, what if

30 Any Questions? Contact Info: LinkedIn: linkedin.com/in/edduguid Mobile Office