Apply all current operating system and application patches: Many ransomware strategies take
advantage of vulnerabilities in the operating system or in applications to infect an endpoint.
Running the latest operating system and application versions, with all patches applied, reduces
the attack surface to a minimum.
Spam filtering and web gateway filtering: Again, the ideal approach is to keep ransomware off
the network and the endpoint. Spam filtering and web gateway filtering are effective ways to stop
ransomware that tries to reach the endpoint through malicious IPs, URLs, and email spam.
Allow only whitelisted items to execute: Use an “application control” method that offers centrally
administered whitelisting to block unauthorized executables on servers, corporate desktops, and
fixed-function devices, thus dramatically reducing the attack surface for most ransomware.
Limit privileges for unknown processes: This can be done easily by writing host intrusion
prevention system rules or access protection rules.
Infection Stage
Don’t turn on macros unless you know what’s happening: In general, do not enable macros in
documents received via email. Note that Microsoft Office turns off auto-execution of macros
for Office documents by default. Office macros are a popular way for ransomware to infect your
machine, so if a document “asks” you to enable macros, don’t do it.
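As an added example (not from the magazine), a content-based check that a mail or web gateway could apply to attachments: it inspects an Office document's internal structure to tell whether it carries VBA macros, regardless of the file extension it arrived with. The sample documents are constructed in memory and are not real Word files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML files (.docx/.xlsx/.pptx and macro-enabled .docm/.xlsm/.pptm) are zip archives.
# A document carrying VBA macros contains a vbaProject.bin part, and [Content_Types].xml
# declares that part with the content type below; checking content rather than extension
# also catches a macro-enabled file that was renamed to .docx.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def find_macro_parts(data: bytes) -> list:
    """Return the archive members that hold VBA macros; [] if none or not OOXML."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # legacy binary .doc/.xls formats need an OLE-based check instead
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        hits = {n for n in names if n.lower().endswith("vbaproject.bin")}
        if "[Content_Types].xml" in names:
            try:
                root = ET.fromstring(zf.read("[Content_Types].xml"))
                for ov in root.iter(CT_NS + "Override"):
                    if ov.get("ContentType") == VBA_CONTENT_TYPE:
                        hits.add(ov.get("PartName", "").lstrip("/"))
            except ET.ParseError:
                pass  # malformed manifest: fall back to the part-name match only
    return sorted(hits)


def has_macros(data: bytes) -> bool:
    return bool(find_macro_parts(data))


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML archive in memory (sample data, not a real Word file)."""
    parts = {"word/document.xml": "<w:document/>"}
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macros:
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0" + b"\x00" * 12  # OLE header stub
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    manifest = f'<Types xmlns="{CT_NS[1:-1]}">{overrides}</Types>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

A gateway would run `has_macros` over each attachment and quarantine or flag those that return True, which is the point at which the user never gets to see the “enable macros” prompt.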
Make yourself “weaker” when working: Don’t give yourself more login power than you need. If
you allow yourself administrator rights during normal usage, consider restricting this.
Surfing the web, opening applications and documents, and generally doing a lot of work while
logged in with administrative rights is very dangerous.
If you get hit with malware while you have fewer rights, you reduce your risk, because the
malware will also execute with fewer rights, which reduces the threat’s attack surface.
Use access protection rules on software installs: Write access control rules against targeted file
extensions that deny writes by unapproved applications. This complements host intrusion
prevention system rules with a similar strategy.
Use sandboxing for suspicious processes: If a process is flagged as suspicious (due to low age
and prevalence, for example), that process should be sent to a security sandboxing appliance
for further study.
Block “unapproved” processes from changing files: Block these by writing rules for host intrusion
prevention systems or access protection.
48 Cyber Warnings E-Magazine – August 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide