by Stephen Northcutt

A question came up on the GIAC Advisory Board: “How should an organization deal with ransomware?”

One of the members, Alan Waggoner, gave a good answer. All posts to that mailing list are private, so this is reposted with his permission.

1. Get reliable, tested backups of everything that is important.
2. Talk to the managers about their risk acceptance. They probably don’t realize what the potential damage and loss productivity, data, and revenue they are facing. Point out downtime and cost to recover.
3. White-listing applications like Bit9/Carbon Black won’t be effective in an environment where any user can install any software they want.
4. Limited administrative access on local computers is excellent for most malware, but ransom-ware tends to run as the local user and doesn’t require elevated privileges.
5. Centralize management of your endpoint AV so you would get real time notification of malware detection. However, don’t count on it because it would be signature based and relatively easy to bypass.
6. Segment the network and data as much as possible. Focus of accounting and payroll. Those departments should not have a need for local admin rights or installing random software.
7. End user security awareness training should be mandatory, with periodic phishing tests.

8. Set up gateway based email filtering (block dangerous extensions) and web content/malware filtering.

There is a lot more to do, but the above list should be enough to keep you busy for the foreseeable future and put you and your company on a better path than they are on now.