EDITOR’S QUESTION
MOHAMMED ABUKHATER,
REGIONAL DIRECTOR,
MIDDLE EAST AND AFRICA, FIREEYE
There is a long list of known ransomware variants, with a marked increase in the brazenness, prominence, frequency and number of ransomware attacks in recent years. Some of the ones to watch out for include Cryptolocker and its variants, such as Kriptovor and Teslacrypt, Cerber, Dridex and Locky and, most recently, WannaCry.

Given this ever-present threat environment, what can organisations do to protect themselves against ransomware? There are five key areas of focus required for organisations to minimise the risk of the threat.

The first is to minimise the likelihood that a phishing campaign will be successful, by educating users on the importance of knowing or verifying the origin, history and trustworthiness of an email or website. This not only builds a pool of more aware users within the infrastructure, but also allows them to flag suspicious activity to the security experts. While not a foolproof method, this is a great way to limit the possibility of success right from the entry point.

The second level of protection is to implement technology on email and web gateways that scans for known or suspicious URLs. Such solutions can help sort legitimate content from malware or unknown, suspicious sites.

The third layer of defence is to have technology installed on the end-user devices. This typically monitors the behaviour of applications and usage, and can detect activity that indicates ransomware behaviour. For example, a process that is sequentially encrypting files is likely to be ransomware, although it could also be a legitimate process used for data protection purposes. In these cases, the process can be whitelisted for more detailed review by experts.

The fourth level is the use of network security solutions that can detect ransomware before it takes hold and can quarantine the suspicious process or even detonate it in a sandbox. It may even be able to utilise intelligence on known sources and features to detect the likelihood of the ransomware process from its download source or other attributes.

Finally, suspicious file activity on the server should be detected, using similar parameters as those on the endpoints. Servers also need to be backed up on a daily, or even more frequent, basis, according to good data governance procedures and depending on the business need. As long as this backup plan involves storage that is inaccessible to ransomware from within the same infrastructure, this step can go a long way in mitigating the impact of a ransomware attack.

None of these approaches are particularly new or innovative, but it is worthwhile to consider whether all of these have been deployed in a cohesive and strategic manner. Maturity around security considerations need not come from size alone: probably the most affected in the recent attacks were large enterprises, while smaller businesses and start-ups were less impacted due to less complex architecture, and possibly more control over digital assets of a more manageable size.
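As an added illustration of the behavioural heuristic the column describes for endpoints and servers (example code written for this page, not FireEye's product logic or anything from the original column), the Python below applies one set of parameters, a burst of high-entropy overwrites or renames across many distinct files inside a short time window, to a constructed stream of file events. Hits from an allowlisted data-protection tool are routed to review rather than flagged as ransomware, and a slow archiver that writes the same kind of data stays benign. The process names, paths, thresholds and the events themselves are assumptions made up for the example.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float          # seconds since monitoring started
    pid: int
    process: str       # image name of the process (constructed values below)
    path: str
    op: str            # "write" or "rename"
    data: bytes = b""  # content written; empty for renames


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit near 8.0, plain text near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Tunable parameters; the same ones are applied to endpoints and servers.
WINDOW_SECONDS = 10.0            # how fast the encryption burst has to be
MIN_FILES = 5                    # distinct files touched inside one window
ENTROPY_THRESHOLD = 7.0          # a write above this looks encrypted
ALLOWLIST = {"backupagent.exe"}  # hypothetical data-protection tool: reviewed, not blocked


def is_suspicious(e: FileEvent) -> bool:
    """A rename or a high-entropy overwrite counts as one encryption-like action."""
    if e.op == "rename":
        return True
    return e.op == "write" and shannon_entropy(e.data) >= ENTROPY_THRESHOLD


def peak_files_in_window(events):
    """Largest number of distinct files one process touched suspiciously in any WINDOW_SECONDS span."""
    sus = sorted((e for e in events if is_suspicious(e)), key=lambda e: e.ts)
    peak, start = 0, 0
    for end, e in enumerate(sus):
        while sus[start].ts < e.ts - WINDOW_SECONDS:
            start += 1
        peak = max(peak, len({x.path for x in sus[start:end + 1]}))
    return peak


def assess(events):
    """Map each (pid, process) to 'ransomware_suspect', 'allowlisted_review' or 'benign'."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e.pid, e.process)].append(e)
    verdicts = {}
    for key, evs in by_proc.items():
        if peak_files_in_window(evs) < MIN_FILES:
            verdicts[key] = "benign"
        elif key[1] in ALLOWLIST:
            verdicts[key] = "allowlisted_review"
        else:
            verdicts[key] = "ransomware_suspect"
    return verdicts


# Constructed sample data, not captured telemetry.
CIPHERTEXT = bytes(range(256)) * 4   # stand-in for encrypted output (entropy exactly 8.0)
PLAINTEXT = b"Quarterly figures, see attached table. " * 30


def sample_events():
    evs = []
    # 1) Fast burst: six user documents overwritten and renamed within about 3 s.
    for i in range(6):
        p = f"C:/Users/alice/Documents/report{i}.docx"
        evs.append(FileEvent(1.0 + i * 0.5, 4242, "updater.exe", p, "write", CIPHERTEXT))
        evs.append(FileEvent(1.2 + i * 0.5, 4242, "updater.exe", p, "rename"))
    # 2) Backup agent on a file server writing encrypted archives just as quickly.
    for i in range(6):
        evs.append(FileEvent(5.0 + i * 0.3, 900, "backupagent.exe", f"/srv/backup/vol{i}.bak", "write", CIPHERTEXT))
    # 3) Archiver writing high-entropy files slowly, one every 30 s: outside any window.
    for i in range(6):
        evs.append(FileEvent(10.0 + i * 30.0, 300, "archiver.exe", f"/srv/share/old{i}.zip", "write", CIPHERTEXT))
    # 4) Word processor saving a single plain-text document.
    evs.append(FileEvent(2.0, 77, "winword.exe", "C:/Users/alice/Documents/memo.txt", "write", PLAINTEXT))
    return evs


if __name__ == "__main__":
    for (pid, proc), verdict in assess(sample_events()).items():
        print(f"{proc} (pid {pid}): {verdict}")
```

The window and file-count thresholds are the "parameters" the column says should be shared between endpoints and servers; the allowlist is the whitelisting step, and in practice it should key on a signed binary path or hash rather than an image name, which any process can copy.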
The best way to avoid ransomware is to ensure that all digital assets are secured with a well-educated workforce, guarded by a planned and dynamic security protocol that is mature and effective even in a constantly evolving threat landscape.