What's better than aspirational resolutions? Practical tips for getting them done. Do these three things and you'll make your organization measurably more secure in 2017.
It’s that time of year again. Time to swear off the sweets. Get in shape. Learn a new skill. Tell yourself this is the year you finally learn how to play that banjo you don't quite remember ordering online late one night.
Unlike those personal resolutions you already know you’re not going to keep, resolving to make your organization more secure this year is something worth sticking with and doing right.
That said, the last thing you need is another lofty to-do list to beat yourself up over. That's why we've boiled things down to three primary goals that the most successful infosec professionals set for themselves — along with clear, practical step-by-step tips to help you actually achieve them.
Resolution #1: Make users part of the solution
We all know the vast majority of security issues stem from the lovable walking, talking vulnerabilities we work with everyday. But while it’s tempting to view users as purely a problem waiting to happen and focus primarily on establishing restrictions, treating users as strictly a liability ensures that’s all they’ll ever be.
A more productive, sustainable approach is to help your users understand and value your organization’s security by learning how to work with you rather than against you.
Cheat sheet: Here’s how to do it
Train users how to spot phishing emails
Phishing emails are the top delivery vehicle for ransomware and other malware. Take the time to show your users real examples of phishing emails so they can see what they look like and gain appreciation for just how clever and legitimate they can appear (here's one that almost fooled our CEO). Help them learn to recognize tale-tell warning signs, such as mismatched sender info, poor grammar, and suspicious URLs.
Downloadable phishing email examples: You can download a collection of phishing email examples to share with users in our Phishing Field Guide.
Give users a clear process for reporting suspicious emails and activity
Many of today’s most dangerous threats, including ransomware, have evolved to spread rapidly once initial victims are infected (see stats on how quickly ransomware goes to work encrypting files here). That means it’s more important than ever for users to report incidents and malicious activity as quickly as possible.
To help encourage users to actually follow through on that, make sure you have a simple and easy reporting process you can train them on.
Important: make it clear no one is going to get punished for reporting an incident. Instead, come up with simple ways you can incentivize and reward them for using the process (with shout-outs, gift cards, whatever you think might work best).
List of ideas for incentivizing user security awareness: See this Spiceworks forum thread for a bunch of tactics IT pros are using to get their users to care about security.
Share security alerts on a regular basis
The way many cyber criminals operate is by deploying their malware in waves (often via phishing email campaigns). By subscribing to security alerts from vendors like KnowBe4, you can catch wind of new campaigns early, and if you act quick enough you can warn your users to be on alert in advance.
Sharing alerts on a regular basis — as well as examples of attacks that compromised companies that are similar to yours — can be a great way of keeping security top of mind for your users. Just keep in mind your users’ inboxes can be cluttered places. Not every email you send them is going to be poured over with rapt devotion. For tips on getting their attention, see our post “How to Write Security Emails Users Will Actually Read”.
Configure user settings to show file extensions by default
One way for attackers to disguise their malicious programs and get users to open them is by hiding the true file extension. Many users may know to be suspcious of .exe files, but since Windows actually hides extensions by default, that opens the door for trickery.
Ex: A user may see a file seemingly named presentation.xlsx and expect clicking it will open a spreadsheet. But the file is actually presentation.xlsx.exe and clicking it launches a malicious executable.
For that reason, it's a good idea to ensure Windows shows file extensions by either setting the registry key "HideFileExt" to 0 or opening Control Panel > Appearance and Personalization, then File Options > View tab and uncheck "Hide extensions for known file types."
Give users additional safety nets that protect them from inevitable mistakes
These can include restrictions (application whitelisting, limiting account privileges, disabling Microsoft Office macros and Windows Script Host, etc.) designed to limit malicious programs from running or at the very least from spreading and compromising more systems.
This is also where having reliable backups comes in. Not only is it critical for them to be implemeted properly, they also need to be tested regularly. See this post for 3 tips to make sure your backup is ransomware ready.
"User-proof" your endpoints with Barkly: We operate on the assumption that, sooner or later, a user is going to inadvertently trigger an attack. Barkly was built to be the last line of defense when that happens. In addition to immediately detecting malicious activity and blocking attacks at runtime, Barkly also automatically alerts both you and the user so they can understand they dodged a bullet and need to be more careful next time. See how it works here.
Resolution #2: Gain better visibility into what’s happening on your network and endpoints
With the exception of ransomware — which announces its presence with a ransom note like a brick through your window — the majority of malware is created to run silently on your systems and avoid notice. Often, the only way to identify it's there is to detect anomalies in traffic and/or behavior. To detect an anomaly, however, you need to be able to monitor activity and you need to know what that activity is supposed to look like. The more visibility and better understanding of that you have of that, the better.
Cheat sheet: Here’s how to do it
First understand what “normal” network activity looks like
As security tactician Pete Herzog explains in our Open Source 2017 Cybersecurity Playbook, make a routine of examining the protocols on your network, how systems interact with each other, the ways the employees use their desktops, and how mobile devices operate in your environment. Fire up a packet sniffer to watch live traffic in different segments, and make sure you know what it all is and whether it should even be there. If you can get a professional tool for constantly monitoring traffic, like a SIEM, even better. Then track down those anomalies.
Leverage users as additional eyes and ears
Again, advice from Pete: You should also get in the habit of proactively talking to employees and asking how things are running. Complaints such as a noisy hard drive, a slow system, or strange messages can then be immediately investigated. If you are prepared to perform quick recoveries, a system that is acting suspicious can be quickly wiped and reinstalled.
Install endpoint protection that tells you when and how attacks get triggered (plus which user set things off)
Not only can tools like Barkly block attacks, they can also provide data on user and endpoint activity. In the case of Barkly, a cloud-based management portal allows you to immediately identify the source of a would-be infection and get insight into the cause. That means no more scrambling to identify patient zero and wrangle out of them what they did to trigger it.
Since many phishing attacks come in waves and target multiple users at once, getting that insight and quickly issuing a company-wide alert can be critical.
Resolution #3: Be ready to deal with ransomware
Ransomware quickly became the #1 security threat for organizations of all shapes and sizes last year, and this year experts predict ransomware strains will evolve to become even more dangerous (see the 3 biggest changes our CTO is predicting here).
To help you prepare for a rapidly increasing variety of possible ransomware scenarios we've put together a complete Ransomware Survival Guide that's free to download and check out. In the meantime, here are a few specific ransomware prevention and remediation tips to consider.
Cheat sheet: Here’s how to do it
Disable Microsoft Office macros
The use of macro-based malware goes back a while, but last year saw a new spike as it became a favorite delivery vehicle for ransomware. Hiding malware in Office docs is an effective tactic as users are far more comfortable and likely to open them vs. a random executable.
In order to work, however, users still need to agree to "enable content/macros" when they open the file. To ensure you maintain that extra hurdle it's a good idea to make sure macros are disabled by default.
Use File Server Resource Manager (FSRM) to detect and isolate infections
Dealing with an isolated ransomware infection on a single user's machine is one thing. Dealing with an infection that's spread to network shares and an entire file server is another. Making sure user privileges and access is limited to the bare minimum is one good, proactive thing you can do to limit the potention damage of an attack. Using File Server Resource Manager to monitor shares for common ransomware activity and block infected user access is another. Here's a great tutorial on how to set that up from the Netwrix blog.
Protect your endpoints by augmenting antivirus with runtime protection
Ransomware authors utilize a variety of tricks to bypass antivirus and other traditional security solutions. According to a recent survey we conducted with 60 ransomware victims, 100% of them had been running AV, 95% had firewalls in place, and 77% had email filtering at the time of the attack. The ransomware bypassed them all.
Knowing that it's extremely likely for infections to bypass these pre-execution defenses, you should ideally have a last line of defense that blocks malware at runtime and prevents the attack from fully executing. Using Software Restrictions Policies to block executables from running in specific locations is one thing you can do. Utilizing a tool specifically designed for runtime protection (like Barkly) is another.
Be truly backup ready
As mentioned above, it's not enough to think you have a solid backup strategy in place. You need to fully test your ability to restore data to be absolutely sure you can rely on backup when it matters most.
Bonus: More quick wins for improving your security in 2017 — no new budget required
Whether you already have changes planned for your security stack or not, there are plenty of things you can be doing to better secure your organization. Make sure you have your bases covered with a free copy of our Open Source Cybersecurity Playbook and 2017 Cybersecurity Checklist.
Feature photo by Ej Agumbay