Intelligent CIO Middle East Issue 19 | Page 79

EDITOR’S QUESTION

MOHAMMED ABUKHATER, REGIONAL DIRECTOR, MIDDLE EAST AND AFRICA, FIREEYE

There is a long list of known ransomware variants, with a marked increase in the brazenness, prominence, frequency and number of ransomware attacks in recent years. Some of the ones to watch out for include Cryptolocker and its variants, such as Kriptovor and Teslacrypt, Cerber, Dridex and Locky and, most recently, WannaCry.

Given this ever-present threat environment, what can organisations do to protect themselves against ransomware? There are five key areas of focus required for organisations to minimise the risk of the threat.

The first is to minimise the likelihood that a phishing campaign will be successful, by educating users on the importance of knowing or verifying the origin, history and trustworthiness of an email or website. This not only builds a pool of more aware users within the infrastructure, but also allows them to flag suspicious activity to the security experts. While not a foolproof method, this is a great way to limit the possibility of success right from the entry point.

The second level of protection is to implement technology on email and web gateways that scans for known or suspicious URLs. Such solutions can help sort legitimate content from malware or unknown, suspicious sites.

The third layer of defence is to have technology installed on the end-user devices. This typically monitors the behaviour of applications and usage, and can detect activity that indicates ransomware behaviour. For example, a process that is sequentially encrypting files is likely to be ransomware, but it could also possibly be a legitimate process used for data protection purposes. In these cases, the process can be whitelisted for more detailed review by experts.

The fourth level is the use of network security solutions that can detect ransomware before it takes hold and can quarantine the suspicious process or even e-detonate it in an e-sandbox. It may even be able to utilise intelligence on known sources and features to detect the likelihood of the ransomware process from its download source or other attributes.

Finally, suspicious file activity on the server should be detected, using similar parameters as those on the endpoints. Servers also need to be backed up on a daily – or even more frequent – basis, according to good data governance procedures and depending on the business need. As long as this backup plan involves storage that is inaccessible to ransomware from within the same infrastructure, this step can go a long way in mitigating the impact of a ransomware attack.

None of these approaches are particularly new or innovative, but it is worthwhile to consider whether all of them have been deployed in a cohesive and strategic manner. Maturity around security considerations need not come from size alone – probably the most affected in the recent attacks were large enterprises, while smaller businesses and start-ups were less impacted due to less complex architecture, and possibly more control over digital assets of a more manageable size.

The best way to avoid ransomware is to ensure that all digital assets are secured with a well-educated workforce guarded by a planned and dynamic security protocol that is mature and effective even in a constantly evolving threat landscape.
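The endpoint behaviour check described in the third layer, a process sequentially rewriting many files with encrypted-looking content, can be expressed as a simple heuristic. The following is an added illustration, not code from the column or from FireEye; the telemetry events, process names, paths and the entropy and rate thresholds are all constructed assumptions, and the allowlist models the "legitimate data-protection process" case by routing it to analyst review instead of quarantine.

```python
import math
from collections import defaultdict

HIGH_ENTROPY = bytes(range(256)) * 8                   # constructed: looks encrypted (8.0 bits/byte)
PLAINTEXT = b"Quarterly report, draft text. " * 64     # constructed: ordinary document content

# Constructed file-write telemetry: (time_s, process, path, content_written)
EVENTS = (
    [(1.0 + i * 0.5, "rogue.exe", f"C:/Users/a/Docs/file{i}.docx.locked", HIGH_ENTROPY) for i in range(8)]
    + [(3.0 + i, "backup_agent.exe", f"D:/backup/vol{i}.bak", HIGH_ENTROPY) for i in range(6)]
    + [(2.0, "winword.exe", "C:/Users/a/Docs/memo.docx", PLAINTEXT),
       (9.0, "winword.exe", "C:/Users/a/Docs/memo.docx", PLAINTEXT)]
)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed output sits near 8.0, text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def score_processes(events, window_s=10.0, min_files=5, entropy_threshold=7.0, allowlist=()):
    """Return {process: verdict}. A process that writes high-entropy content to at least
    min_files distinct files within window_s seconds is 'ransomware-like', unless it is
    allowlisted, in which case it is queued for expert review rather than quarantined."""
    per_proc = defaultdict(list)  # process -> [(time, path)] of high-entropy writes only
    for t, proc, path, content in events:
        if shannon_entropy(content) >= entropy_threshold:
            per_proc[proc].append((t, path))
    verdicts = {}
    for proc in {e[1] for e in events}:
        writes = sorted(per_proc.get(proc, []))
        burst = False
        for i in range(len(writes)):
            # distinct files rewritten within window_s of write i (writes are time-sorted)
            touched = {p for t, p in writes[i:] if t - writes[i][0] <= window_s}
            if len(touched) >= min_files:
                burst = True
                break
        if not burst:
            verdicts[proc] = "ok"
        elif proc in allowlist:
            verdicts[proc] = "allowlisted: review"
        else:
            verdicts[proc] = "ransomware-like: quarantine"
    return verdicts

if __name__ == "__main__":
    print(score_processes(EVENTS, allowlist={"backup_agent.exe"}))
```

Real endpoint products combine this kind of rate-and-entropy signal with file-extension changes, ransom-note drops and process lineage; the thresholds here are tuned only for the constructed sample.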