1 / 15

Protecting Your Organization Against Ransomware (while ensuring no one sends you a Christmas card)

Protecting Your Organization Against Ransomware (while ensuring no one sends you a Christmas card). Timothy J Gallo Allan Liska @timjgallo @uuallan. About Us. Tim 15+ years in Networking and Security

randalltaylor
Télécharger la présentation

Protecting Your Organization Against Ransomware (while ensuring no one sends you a Christmas card)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protecting Your Organization Against Ransomware(while ensuring no one sends you a Christmas card) • Timothy J Gallo Allan Liska • @timjgallo @uuallan

  2. About Us • Tim • 15+ years in Networking and Security • Worked internationally on threat intelligence asset and product development • Phishing lures: Micro-distilleries, Motorcycles, Boba Fett, Arduino • Converting his burning man art car to pirate con ship • Allan • 15+ Years Experience in security • Written about: Intelligence, DNS, Ransomware and NTP. • Phishing Lures: Bordeaux, Redheads, Steelers, DC vs Marvel • Has the greatest fiancée ever.

  3. Requisite Scary Slide

  4. Types of Ransomware • Crypto ransomware • Encrypts data and files • Renders data useless until decryption key obtained • Does not deny access to computing resources • Targets weaknesses in user’s security habits • Locker ransomware • Denies access to computing resources • Locks the computer, preventing victims from using it • User can only interact with ransomware • May be remediated using data recovery tools

  5. Ransomware Attack Vectors • E-Mail • Locky is primarily delivered this way • Usually sent as a Microsoft Office Document with a macro • Alternatives are to send as a JavaScript (.js), Windows Scripting File (.wsf) or PowerShell File. • Targets weaknesses in user’s security habits • Web • Cerber and CryptXXX are delivered this way. • Works in conjunction with popular exploit kits such as RiG, Sunset and Magnitude. • Relies on unpatched browser plug-ins

  6. This is the part of the presentation where you lose friends... Quick and easy steps for protecting an organization from ransomware: • Administratively disable macros in Microsoft Office Documents across the organization. • Automatically delete any incoming email attachments that are .js or .wsf files and inspect any .zip, .rar, or .7z files. • Disable unnecessary browser plug-ins, especially Adobe Flash, Microsoft Silverlight, Java, and Adobe PDF. • Do not allow users to have local administrator privileges on their machines. These steps will stop a lot of ransomware from executing inside an organization, they won’t cost any money to implement and, for the most part, they will not impede productivity in an organization. These steps may result in push-back from users. The trick is to get user buy-in before implementing these steps, be willing to listen and compromise, and pick security battles.

  7. But you don’t have…you do have to think differently Too often security is thought of as the department of NO.

  8. Security needs to be more collaborative The security team needs to work with other teams to not just keep the organization more secure, but to do so collaboratively • Rather than simply ”laying down the law” security has to do a better job of explaining the why. • Explaining the why helps to get user buy-in to security policies, making them easier to enforce. • Security communication needs to be ongoing, security teams need to send out regular updates explaining new threats and how the organization is addressing those threats. • Making exceptions to security policies need to be non-onerous, there needs to be clear and well-defined documentation for how to make an exception. In short, security teams need to pick their battles. Stand firm on important security issues, but those that can be dealt with without having to put more burden on users should be addressed in other ways.

  9. Before we get to the rest…you have backups, right? • The easiest and most effective way to remediate a ransomware attack is to restore from backup. • Assuming backups are working. • Security teams aren’t responsible for backups, so they often don’t have any insight into how well the backup systems are working – and how often they are tested. • They might not even have insight into which systems are backed up. • This conversation should happen with the DR team, before ransomware hits the organization.

  10. No One Likes People Who Use Macros • Locky ransomware is the most delivered ransomware in the world. • Locky Team regularly launches campaigns to spam 10s of millions of users. • Relies primarily Microsoft Office documents with embedded macros. • These macros easily avoid detection by anti-virus vendors.

  11. No One Likes People Who Use Macros • Are macros really necessary? • For some users maybe, but for most users no. • Starting with Office 2013, administrators are able to globally ban macros. Do that. • Security teams can make exceptions for users who “need” macros. • Exceptions should include additional security awareness training and perhaps additional security monitoring.

  12. I am going to bash your PowerShell • Just as users don’t all need macros enabled, scripting engines do not need to be enabled on all workstations. • Remove the cscript.exe and wscript.exe and disable PowerShell administratively across all workstations. • Most users won’t notice this, but system admin teams might. • Work with the administrative team to re-write management scripts that use PowerShell so they originate from the admin workstation, rather than use the local PowerShell executable.

  13. Umm…I think we patched everyone • Ransomware that is delivered via the web relies on exploit kits. • This is not just a matter of users going to bad websites. • Even well-known websites, like uhh..Yahoo?, can be infected with malvertising. • That is why it is important to keep Internet-facing applications up to date. • And, why it is important to have an accurate inventory of what is on each system.

  14. Flash is No Superhero • Is it time to ditch Adobe Flash? • Exploit kits scan incoming web traffic and look for certain versions of browsers or plug-ins, notably: • Adobe Flash • Microsoft Silverlight • Java and JRE • Exploit kits like, the RiG EK, have exploits against: CVE-2014-0515, CVE-2014-0569, CVE-2016-4171, and CVE-2016-4166 and many more. . • Start by explaining the problem with these plug-ins, and that there are alternatives to use them. • Determine which teams need to use these plug-ins and which ones. Compromise with setting higher security settings.

  15. And you get local admin, and you get local admin, and… • Many organizations give all of their users local admin access to their machines. • Not having local admin makes it harder for ransomware to run on the local system. • Work with users and IT staff to set up a process for installing new software. • Create a list of approved applications, and a process for getting approval for other applications.

More Related