Ransomware: how to defend?

Discussion in 'IT & Internet' started by Spreadsheet Accountant, Jun 26, 2021.

  1. Spreadsheet Accountant

    Spreadsheet Accountant Full Member

    Posted: Jun 26, 2021 By: Spreadsheet Accountant Member since: Jun 12, 2021
    #1
  2. fisicx

    fisicx Moderator
    Verified Business ✔️
    Contributor

    Backups are no use if the ransomware has been dormant for a while and all your backups are now encrypted.

    Or the ransomware has infected the whole network and backing up only restores data.

    The developers who write the code cover all their bases. There is no easy fix.
     
    Posted: Jun 26, 2021 By: fisicx Member since: Sep 12, 2006
    #2
  3. forevergroup

    forevergroup Full Member

    Your question is a bit confusing because you’ve mentioned defending against ransomware but then talked about recovering from a successful attack.

    For defending against ransomware you really want enterprise-class endpoint protection, and effective web/email filtering. Use a defence-in-depth strategy by layering multiple vendors that use different databases and engines.

    Patch your endpoints and applications religiously.

    Evaluate intrusion prevention and breach detection mechanisms both at network edge and elsewhere.

    And if you’re really serious about it, revoke local admin and use something like Threatlocker.

    Unless you’re Fireeye then the vast majority of attacks use well-known vectors and mechanisms.

    It’s just a case of knowledge and investment.
     
    Posted: Jun 26, 2021 By: forevergroup Member since: Sep 12, 2020
    #3
  4. Spreadsheet Accountant

    Spreadsheet Accountant Full Member

    Sure. Though I disagree there are no defences and it has to be assumed backups are not online/local.
    So how does the small business defend itself? That's what we need to know, since enterprise security is not available to us.

    Your question is a bit confusing because you’ve mentioned defending against ransomware but then talked about recovering from a successful attack.

    My subject asks about how to defend and I include recovery in the realm of defence.
    Lost me as regards thinking I talk about recovery from a successful attack. Very happy to say I have not yet suffered this, though it is my greatest tech fear. Hence my question.

    Backups are no use if the ransomware has been dormant for a while and all your backups are now encrypted.

    My op says "offline" - no hacker can get at those short of physical premises access.
    "Offline" means disconnected, indeed switched off.
    This is why backup in depth is required, meaning daily (14 days?), weekly (8 weeks?), monthly and so on, and all offline except the current one; also preferably offsite.

    There is a massive amount of scaremongering, quite possibly rightly so, and we need defences and not being told when it's too late "of course that did not work" - whatever it was.

    So, same question: what do we do that can work without being an enterprise or cyber security specialist?

    Hopelessness is not an option.

    Anthony

    p.s. I suppose I could list my ideas and actual methods for you to critique
     
    Last edited: Jun 26, 2021
    Posted: Jun 26, 2021 By: Spreadsheet Accountant Member since: Jun 12, 2021
    #4
  5. Nico Albrecht

    Nico Albrecht Verified Business ✔️
    Full Member
    Contributor

    The question was "Ransomware: how to defend?"

    The simple answer is hire and pay a professional in that field. Like with any other question in accounts and legal the answer is: ask your accountant or a solicitor.

    Same goes for IT. If you have to ask the question, pay for the advice is my best advice. A forum won't help much.

    Yes it is available to any business these days at reasonable costs per machine. That argument is not valid!

    Ransomware, Malware and Viruses are a very real threat to any business but plenty just ignore it or don't take professional help and pay for it.
     
    Posted: Jun 26, 2021 By: Nico Albrecht Member since: May 2, 2017
    #5
  6. Spreadsheet Accountant

    Spreadsheet Accountant Full Member

    Your average one man band is not in a position to pay professionals.
    Your "pay for advice" thesis goes for all the accounting and business advice asked for on here, so that would be me you pay for it.

    Yes it is available to any business these days at reasonable costs per machine. That argument is not valid!

    Yes it is. Your idea of reasonable is highly unlikely to be mine - first clue is you mention "per machine". However, try to be realistic, most are simply not going to pay, but telling them to separate their work network from their family network might be good advice.

    So this thread seems to be saying (a) not possible and (b) pay us and we will tell you.

    Really?

    Anthony
     
    Posted: Jun 26, 2021 By: Spreadsheet Accountant Member since: Jun 12, 2021
    #6
  7. forevergroup

    forevergroup Full Member

    The simple answer here is to ask a Managed Services Provider to do you a favour.

    MSPs typically don’t have to enforce minimum order quantities for enterprise-class products, because they are aggregated across their customer base.

    A contractor working for one of our clients asked me to help him out and now has:

    - SentinelOne Complete (used by 4 of the Fortune 10) with SOC monitoring
    - Huntress Breach Detection
    - Cisco Umbrella Insights Web Security
    - Proofpoint Advanced Email Security
    - M365 with Conditional Access, MFA, and a tweaked secure score
    - Windows 10 Business with all of the attack surface reduction features turned on
    - Kaseya with patch management for Windows and third party apps
    - Local encryption (Bitlocker)
    - Encrypted cloud backups with Acronis

    He may not know it but from a cyber security perspective the level he is at, most midmarket-enterprise sub-1000 employees would be proud of.

    He was perfectly happy with the pricing, too.
     
    Posted: Jun 26, 2021 By: forevergroup Member since: Sep 12, 2020
    #7
  8. Spreadsheet Accountant

    Spreadsheet Accountant Full Member

    I really cannot see my wife and her sewing business doing that.

    and Proofpoint .. no thanks. (feel it better I deleted my original response).

    So this is all aimed at large businesses and not one man bands. Contractors making many hundreds a day excluded.

    It's like you have no idea what a small business is ("for example, sub-1000 employees").
    Should I be saying "micro" is that the language problem?

    and, thank you for that list to explore.

    Ransomware Canaries - now THAT is clever. Thanks.
    Could we do that with this I wonder:
    https://fsmonitor.com/

    hopefully our polite hacker (their messages always look polite and helpful) doesn't cripple FS Monitor on sight. A backup Canary method looks wise.

    Anthony
     
    Last edited: Jun 26, 2021
    Posted: Jun 26, 2021 By: Spreadsheet Accountant Member since: Jun 12, 2021
    #8
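A ransomware canary check of the kind discussed in the post above, as an added example that is not part of the thread and not FS Monitor's own code: decoy files with a known hash are planted in a data directory, and a scheduled check raises an alert when one is overwritten, deleted or renamed. The file names, content and the temporary directory used in demo() are constructed for illustration.

```python
"""Ransomware canary check: plant decoy files and alert when one is changed, removed or renamed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Names chosen to sort first and last in a directory listing, so an encryptor that walks
# files in order touches a canary early (constructed names, not taken from the thread).
CANARY_NAMES = ["00_aaa_invoices_2021.xlsx", "zz_zzz_accounts_backup.docx"]
CANARY_CONTENT = b"CANARY - do not edit, move or delete this file\n" * 64


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path) -> dict:
    """Write the decoy files under root; return the {path: sha256} baseline to keep somewhere safe."""
    baseline = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(CANARY_CONTENT)
        baseline[str(p)] = sha256_of(p)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Compare each canary with its baseline; return [(path, reason)] for anything that changed.

    An overwritten canary (hash differs) or a vanished one is the signal. A sibling whose name
    starts with the canary's name is reported too, because many ransomware families rename
    files with a new extension after encrypting them.
    """
    alerts = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if not p.exists():
            renamed = sorted(s.name for s in p.parent.glob(p.name + "*"))
            alerts.append((path_str, f"missing, renamed to {renamed}" if renamed else "missing"))
        elif sha256_of(p) != expected:
            alerts.append((path_str, "content changed"))
    return alerts


def demo() -> tuple:
    """Constructed run in a temporary directory: a clean check, then what an encryptor leaves
    behind (one canary overwritten with random bytes, one renamed), then a second check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_canaries(root)
        before = check_canaries(baseline)
        first, second = (root / n for n in CANARY_NAMES)
        first.write_bytes(os.urandom(len(CANARY_CONTENT)))
        second.rename(second.with_name(second.name + ".locked"))
        after = check_canaries(baseline)
    return before, after
```

In practice check_canaries() would run from a scheduled task every few minutes, with the baseline stored where the monitored machine cannot write to it, and an alert would trigger unplugging the network cable and the backup drive.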
  9. cjd

    cjd Verified Business ✔️
    Full Member
    Contributor

    Obviously up-to-date anti-virus software but it seems that the major entry point these days is through phishing and social engineering.

    Some of the phishing attempts are pretty much indistinguishable from the real thing now and the only way to protect yourself from them in the long run is to never click on any link in an email or website, something that is very hard to do.

    Training is a protection: understanding what a bad email looks like (click on the sender's email address), separating permissions (i.e. limiting the user's access to critical systems) and maybe using a separate computer just for email. Some guidance here:

    https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
     
    Posted: Jun 26, 2021 By: cjd Member since: Nov 23, 2005
    #9
  10. Chris Ashdown

    Chris Ashdown Contributor

    A simple but inconvenient method is to take the email and internet search side of your business out of the in-house network so most problems never get onto the ecommerce and accounts side of the business. Use the separate computer to print out relevant info and pass it onto the network for data input. Slow and inconvenient, but it just leaves the ecommerce side to run on its own with relative safety, just grabbing orders. OK for very small outfits but totally unrealistic for bigger firms, but email and Google are dangerous bedfellows.

    Nothing stopping company employees having two separate systems, one for ecommerce etc. and the second non-networked.
     
    Posted: Jun 26, 2021 By: Chris Ashdown Member since: Dec 7, 2003
    #10
  11. Nico Albrecht

    Nico Albrecht Verified Business ✔️
    Full Member
    Contributor

    Most are for sure. They rather don't know and need education or they are stingy. Per device makes the most sense as it gets cheaper with volume.

    Realistically a cloud based, managed security solution (less IT admin, plenty out there) would already decrease the attack vectors dramatically and could come in at less than £50 / device per year for enterprise tech.

    Throw in some training and a proper backup strategy and we are not looking at serious money here anymore.

    If a business can't afford to spend £120 / year per device it is not a business, it is a hobby consumer at best.
     
    Posted: Jun 26, 2021 By: Nico Albrecht Member since: May 2, 2017
    #11
  12. Spreadsheet Accountant

    Spreadsheet Accountant Full Member

    Yes, agreed. We don't have any 'net shops here.

    I reckon she is better at not clicking on email links than I am, we "just don't do it" even if it's a "good link". I was surprised to see (in the pdf in my op) that phishing emails represent only 30% - so 70% are other methods (also listed).

    something that is very hard to do.

    Dead right.

    Must say I am hooked on that Canary idea, that's a chance to actually catch the expletive deleted perpetrators in the act.

    I am slowly slowly moving everything to being in the cloud, so as long as it's not mounted at my end I reckon that content should be OK, unless the cloud system gets hacked.

    To date I rely on multiple sorts of on and offline and cloud backups, some with date based roll backs up to 12 months.

    Gotta go feed my new canary.

    Anthony
     
    Posted: Jun 26, 2021 By: Spreadsheet Accountant Member since: Jun 12, 2021
    #12
  13. forevergroup

    forevergroup Full Member

    You may be overestimating what we actually charged him.

    You asked how to defend against Ransomware, and I told you.

    Unwise to hate on Proofpoint. Very clever people there and just got bought for $12bn.

    If decent protection on a shoestring is the main objective then you could do a lot worse than Bitdefender.

    You can get a premium consumer subscription to OpenDNS fairly cheaply, too.
     
    Posted: Jun 26, 2021 By: forevergroup Member since: Sep 12, 2020
    #13
  14. Spreadsheet Accountant

    Spreadsheet Accountant Full Member

    Thanks - still exploring the Canary idea. Just brilliant.

    My proofpoint comment is a result of experience of them, I regret to say. The sale price just illustrates how they have no interest in collateral damage to small businesses.
    No hate involved, a word I disapprove of in general parlance as being unnecessary hyperbole.

    You asked how to defend against Ransomware, and I told you.

    I disagree. To explain: your no doubt excellent response is way outside anything a one man band can or is even willing to do. Sure there may be outliers. Dare I venture that as an M.D. it is an occupational hazard to always believe there are others to direct and still others to do things. However, I do value your even trying to assist, thank you.
    AND: your list of things you implemented for your contractor client is in itself very interesting as a list of things to try to emulate. Especially the Canary, I love that.


    For DNS I use DNS over HTTPS
    but again thanks for the suggestion.

    Yes I use Bitdefender.
    and again thanks for the suggestion.

    You may be overestimating what we actually charged him.
    Anything is possible.

    You are underestimating me - perhaps the "spreadsheet" moniker is misleading.

    Regards

    Anthony
     
    Last edited: Jun 26, 2021
    Posted: Jun 26, 2021 By: Spreadsheet Accountant Member since: Jun 12, 2021
    #14
  15. Ozzy

    Ozzy Founder of UKBF UKBF Staff
    Verified Business ✔️
    Contributor

    The answer to this is... ^^^
    This... ^^^
    That can cost nothing more than spending time on YouTube and reading blogs and articles. However having said that...
    This I feel is a false economy that so many small businesses (and large) fall foul of;
    • Don't pay an accountant because it's too expensive, but spend hours trying to do your own books rather than using your time to grow your business.
    • Don't pay a solicitor for legal advice, but lose thousands over flawed terms and contracts.
    • Don't pay a website developer, but have a poor quality website that makes your business look amateur and unprofessional.
    • Don't pay for the correct security for your business IT, and lose it all when you get hacked or infected by ransomware.
     
    Posted: Jun 26, 2021 By: Ozzy Member since: Feb 9, 2003
    #15
  16. Spreadsheet Accountant

    Spreadsheet Accountant Full Member

    This I feel is a false economy that so many small businesses (and large) fall foul of;

    I quite agree, but it doesn't change the reality, especially after over a year of pandemic

    and this is very moot:
    correct security for your business IT
    Same size and finances assumptions.
    Sometimes we just have to do things ourselves, like the vast number of people asking questions on here. I am surprised you would admonish them. As a practising accountant what you say suits me down to the ground, but these forums don't seem to be the place for paid services etc and certainly not in any first instance. You deleted my first attempt to help someone saying it was self serving.

    Anthony
     
    Last edited: Jun 26, 2021
    Posted: Jun 26, 2021 By: Spreadsheet Accountant Member since: Jun 12, 2021
    #16
  17. forevergroup

    forevergroup Full Member

    You asked about defending against ransomware, and as far as I can see you’ve received some fairly astute responses from several people.

    What you probably should have asked is how do I defend against ransomware… if I want to DIY it with limited knowledge and no cyber security budget.

    The answer is you can’t, otherwise the world’s businesses would all use free webmail, backup local files to a £100 NAS, use their free ISP router, and ask John in Finance to manage their InfoSec policy on the side.

    [NB: some companies DO do this of course. Until they get hacked]

    The best you can really do is use a reasonable AV, keep some decent cloud backups, and pray you don’t click anything nasty.

    Also consider that ransomware defence is only one piece of the cyber security puzzle. You should be equally concerned about credential compromise.

    In the absence of other systems and controls, MFA is going to be your best friend here - and consider a decent password manager.

    Best of luck…
     
    Posted: Jun 26, 2021 By: forevergroup Member since: Sep 12, 2020
    #17
  18. Spreadsheet Accountant

    Spreadsheet Accountant Full Member

    I never said my knowledge was limited, you are assuming that and much else.
    Far as I know there isn't any AV that can defend against ransomware. If there was they would be making an absolute killing.

    only one piece of the cyber security puzzle
    Yes of course it is.

    consider a decent password manager.
    I consider Lastpass to be good.

    local files to a £100 NAS
    My NAS drives come in at ten times that and more, plus Acronis.
    Offsite backups of course; to like minded operators.

    ask John in Finance to manage their InfoSec policy
    And there ye go: there is no "John in Finance" in a single person business.
    Likewise using jargon like "InfoSec".

    pray you don’t click anything nasty.

    I don't really think prayer is an adequate defence as such deities tend to help those who help themselves.

    equally concerned about credential compromise.

    Indeed, starting with haveIbeenpwned.com
    and in addition to that I use a unique login email address in EVERY instance where such is required. I also use unique and long passwords for every such occasion.
    And
    I never disclose my date of birth on the internet.
    and... and much more.

    However, ransomware is the one against which the average user has no defences, and giving them/us at least the principles of strategies to engage would offer at least the beginnings of defences. For example, exactly what forms of backup cannot be accessed by ransomware?
    Item one is a disconnected hard disk. One a day for 14 days, rolling. Or maybe one every two days given they usually wait at least three days.
    Item two is several terabytes of cloud storage with history roll back which is not accessible to the malware.
    Item three is local NAS drive backups also with roll back, but this is more vulnerable and definitely must NOT be "mounted".
    Item four is dropbox snapshots frozen in time, stored remotely offline.

    It is a given that all updates and patches are installed as appropriate.

    Bear in mind that paying someone is basically also a ransomware cost, before ever being attacked.

    Inspired by the various responses in here, none of which really achieve what I had hoped, I think because there is of course no profit in my area of the market, or lack of one: I have found and implemented this:
    Fleetsmith and Santa
    Open source always like.
    And Fleetsmith is up to 10 devices forever free; I don't have ten.

    So, thank you all for the inspiration. Priceless! To my ultimate pleasant surprise.

    Best of luck…
    Likewise.

    Regards

    Anthony
     
    Last edited: Jun 26, 2021
    Posted: Jun 26, 2021 By: Spreadsheet Accountant Member since: Jun 12, 2021
    #18
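The rolling retention scheme described in posts #4 and #18 (daily copies for 14 days, then weekly for 8 weeks, then monthly), worked through as an added example that is not part of the thread: a grandfather-father-son selector that, given the dates of the snapshots on hand and today's date, says which ones to keep offline and which drives can be recycled. The snapshot run in demo() is constructed; the assumed bucket rule is "newest snapshot in each of the most recent weeks/months that actually contain one".

```python
"""Grandfather-father-son retention for the rolling offline backup scheme discussed above."""
from datetime import date, timedelta


def gfs_retention(snapshots, today, daily=14, weekly=8, monthly=12):
    """Return the sorted list of snapshot dates to keep.

    daily   - keep every snapshot taken in the last `daily` days (sons)
    weekly  - keep the newest snapshot in each of the `weekly` most recent ISO weeks (fathers)
    monthly - keep the newest snapshot in each of the `monthly` most recent months (grandfathers)
    Buckets are counted over weeks/months that actually contain a snapshot (an assumption of
    this example), so a gap in the run does not silently shorten the retention window.
    """
    snaps = sorted(d for d in set(snapshots) if d <= today)
    keep = {d for d in snaps if (today - d).days < daily}

    def newest_per_bucket(key, limit):
        buckets = {}
        for d in snaps:              # ascending, so the last write per bucket is the newest
            buckets[key(d)] = d
        for k in sorted(buckets, reverse=True)[:limit]:
            keep.add(buckets[k])

    newest_per_bucket(lambda d: tuple(d.isocalendar()[:2]), weekly)   # (ISO year, ISO week)
    newest_per_bucket(lambda d: (d.year, d.month), monthly)
    return sorted(keep)


def to_prune(snapshots, today, **kw):
    """Snapshots outside the retention set: the drives that can go back into rotation."""
    kept = set(gfs_retention(snapshots, today, **kw))
    return sorted(d for d in set(snapshots) if d not in kept)


def demo():
    """Constructed run: one snapshot per day from 1 Jan to 26 Jun 2021 (the thread's date).
    Expected: 14 daily + 5 extra weekly + 5 extra monthly = 24 kept, 153 recyclable."""
    start, today = date(2021, 1, 1), date(2021, 6, 26)
    run = [start + timedelta(days=i) for i in range((today - start).days + 1)]
    return gfs_retention(run, today), to_prune(run, today)
```

Note that a keep decision only helps if the retained drives are physically disconnected, as the thread insists; the selector says what to keep, not where.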
  19. Spreadsheet Accountant

    Spreadsheet Accountant Full Member

  20. Mr D

    Mr D Contributor

    LastPass is good. Until they get hacked. Again.

    What you appear to want is not what other people are suggesting you get. Perhaps a forum isn't that much use to you, instead sit down with an IT professional who knows about Ransomware and see what they suggest based on your full needs.
     
    Posted: Jun 27, 2021 By: Mr D Member since: Feb 12, 2017
    #20