Many network administrators believe that the main wave of ransomware has subsided and that we can expect a steady reduction in the number of attacks. Thus, they ease up on protection measures in favor of more important tasks.
This kind of negligent attitude, however, cost a South Korean company $1 million in ransom, and there are likely many more victims. If you want to save your company this trouble, learn about ways to protect your network from ransomware. At the very least, make sure you do what’s described in this checklist; experience shows that overlooking basic security measures often leads to the most horrific consequences.
Network segmentation. Use separate subnets for different departments, virtual machine networks, and servers. Subnets can be connected with gateways to improve security. With properly configured gateways, even if one machine or subnet is compromised, infecting the rest of the network will be difficult. Broadcasts are limited by the size of the subnet and are not sent to other network segments, which mitigates the influence of attacks, such as ARP spoofing attacks.
Access restriction policies. Don’t provide full access in cases when you can avoid this. Configure user accounts with appropriate non-administrative permissions when possible. If you have any shared resources, provide read-only access to users and groups who don’t need write permissions. Allow access to servers or networks only for users that need them in their work. Disable services that are not used.
Gateway configuration for networks. Configure NAT, firewalls, and access rules for network gateways. Close unused ports, especially on external network interfaces, allowing access only for trusted IP addresses and networks. Changing standard port numbers may reduce the number of automatic scanning attempts. For example, you could change TCP port 22, which is used by SSH, to any another free TCP port number.
Use port forwarding for providing access from external networks to services on hosts located in internal networks. You can change the port number on the external network interface of a gateway as needed. For example, you could forward port TCP 8082 from the gateway to TCP 80 (HTTP) on a host located in the local area network behind the NAT.
Have separate accounts for VPN users.
MAC/IP anti-spoofing protection. There is a vulnerability based on ARP in IPv4 networks that is used for ARP-spoofing attacks (also known as ARP-poisoning). With attacks of this type, such as man-in-the-middle attacks, the malefactor can intercept sensitive data that is transmitted over the network or redirect you to a malicious site and infect your system.
DNS spoofing can also take place. In order to prevent attacks of this type, configure the appropriate packet filtering rules with firewalls on your gateway. Reject packets addressed from networks that don’t match the sending interface. Use secure protocols that support encryption, such as HSTS, HTTPS, SSL, TLS, SSH, and IPsec.
NAT and proxy servers with firewalls. Configure a proxy server on your gateway with Network Address Translation and firewalls to share the internet connection securely for your LAN. Block IP-addresses and networks known to be malicious. Prevent users from connecting their own modem devices, such as phones, for internet access inside your LAN.
Filename spoofing protection. Malefactors can spoof file names, allowing malicious executable files to masquerade as harmless ones. A common method is using names such as picture.jpg.exe or music.mp3.exe (for Windows systems). Configure the folder options and deselect the “Hide extensions for known file types” checkbox in the View section. You can also prohibit the downloading of such files with a content filter on your proxy server.
Another method of extension spoofing is Right-to-Left Override (RTLO or RLO), using special bidirectional control characters intended for changing the order of writing in Unicode file names. For example, the spoofed file names would show up as exe.mplary.pdf or axexe.txt while the original names are □fdp.yralpm.exe and ax□txt.exe. In these examples, the square signifies the RTLO character. Keep an eye on file names and configure your folder options in Windows: set View -> Details or View -> Content. Be aware that spam emails can contain files with spoofed names as attachments.
Anti-spam and anti-malware filters. Enable and configure filters on the mail server. If you don’t have a mail server, install an anti-spam filter for your email client. Using the Sender Policy Framework (SPF) can help you filter emails with spoofed sender names.
Antivirus. Signature-based antivirus can recognize known ransomware. However, cybercriminals test their malware before release to make sure that AV cannot detect the infection. Look for antivirus software that supports both behavior-based and signature-based detection
Strong passwords and certificates. Use strong passwords that contain at least eight characters including both upper and lower case letters, digits, as well as special symbols. Use key-based authentication with certificates for VPN and SSH connections when possible.
Most importantly, be proactive, not reactive, in your defense.
Michael Bose is a VMware administrator at NAKIVO with 10+ years of experience in the virtualization area. He is also an active contributor to the NAKIVO Blog.