Sibusiso Sishi, a cybersecurity specialist with IronSky, shares the playbook for keeping businesses safe against cyberthreats.

Ransomware attacks have been on the increase in 2021, and so have the pay-outs criminals are demanding from the businesses they target.

Even critical infrastructure, such as hospitals, electricity companies and water boards, have come under attack. Previously such facilities were considered “safe” as, should the infrastructure be compromised, human lives could be lost.

The most public and consequential ransomware attack in 2021 (so far) was the one against Colonial Pipeline in the US, which shut down the company’s billing and halted the pipeline’s operation on the US east coast. The criminals stole nearly 100GB of data and threatened to release this information if they were not paid 75 bitcoin (R53-million at the time of writing). The criminals eventually made off with a pay-out of millions.

Learn more at ironsky.co.za

Closer to home, Transnet had over a terabyte of personal data, financial reports and other documents ransomed, according to news reports.

Taking charge

There are easy wins that can be implemented in organisations to improve their security posture, making it harder for criminals to breach their defences.

1. Know your ICT network internally and externally
Shadow IT and legacy systems placed in production and then forgotten about are a real risk to organisations.
When employees bring their home devices onto the network or install applications without approval from the IT department, they can introduce security risks to through data leaks and compliance violations, or worse: infected devices or infected software. Shadow IT is not only devices and software on workstations but can also be cloud-based software such as Dropbox, Google Docs, Skype, e-mailing services and other third-party cloud solutions. Monitoring the network and understanding what users are bringing into the organisation or installing, and what third-party services users are utilising should be investigated and known.

Legacy systems can introduce vulnerabilities and risks to the organisation, especially if they have been forgotten by the IT team. Identifying these, and starting a process to replace them, should be prioritised. If those systems cannot be replaced, the monitoring of ingress and egress traffic to these systems should be implemented, as well as access control lists to limit which systems can interact with these legacy systems.

2. Implement a vulnerability management lifecycle
Implementing a vulnerability management lifecycle is vital for the organisation as it can assist in identifying security weaknesses before they lead to a breach. Part of the vulnerability management lifecycle is to have an updated IT asset list and to be continuously scanning for new devices on the network for vulnerabilities, misconfigurations and threats.

Another aspect of vulnerability management includes validating the urgency and impact of each vulnerability based on various risk factors and responding to the critical threats swiftly.

3. Implement multi-factor authentication on all externally facing portals
Users, willingly or unwillingly, create weak passwords for accounts, or share their credentials across multiple social media or third-party websites. The risk comes in when these third-party websites get breached, and those credentials get exposed.

These credentials can be “replayed” across the Internet to see what other systems they have access to. By implementing multi-factor authentication — either by SMS or app (more secure) — there is another layer in the defence of the organisation to stop the criminal from gaining access. It helps, too, if users create weak passwords.

4. Don’t give users local admin rights on their workstations
Local administrator rights should be removed from users’ workstations. Ransomware thrives when it has access to a workstation where the user has local administrator rights as the ransomware obtains the same rights as the user and can therefore download and install other tools.

Additionally, users who have local administrator rights may download malware and install it, as they do not know what is safe and unsafe. By removing the user as a local administrator on their workstation, companies can help keep the computer in compliance with the policy, such as what software may be installed and what shouldn’t.

According to BeyondTrust’s Microsoft vulnerabilities report for 2021, “enforcing least privilege and removing admin rights eliminated 56% of critical vulnerabilities”. Fewer vulnerabilities mean fewer opportunities for attackers to compromise your network.

5. Install Laps
The “Local Administrator Password Solution” (Laps) provides management of local account passwords for domain-joined computers. Microsoft Laps works by randomising each local administrator password of all Windows endpoints. Laps is a great mitigation tool against lateral movement and privilege escalation as each Windows endpoint has a unique local administrator password that if compromised cannot be used to gain access to other Windows endpoints. The management of these passwords is done entirely through Active Directory components.

6. Perform a compliance review on OS for workstation and server, and harden
The goal of systems hardening is to further protect your organisation by reducing vulnerabilities in your applications, systems and IT infrastructure. Compliance reviews help to ensure that your workstations and servers are aligned to best practice as set out by the vendor, and that default configurations, that may hamper the security of the workstation or server, have been disabled.

7. Ensure all service account passwords are long and complex and disable interactive logon
Often, once the service account has its password set, it is forgotten. Frequently, IT staff do not know the password (which has likely never been changed since it was set many years ago). Attackers hunt for service accounts, as their passwords may be weak and these accounts have access to critical servers. Once the credentials of the service account have been compromised, we find that the service account has interactive logon, allowing attackers to have remote desktop sessions on servers.

Ensure all service account passwords are long and complex, disable interactive logon and monitor the usage of service accounts.

Everyone has the inalienable right to own and control their data. IronSky is an advisory service made to protect that right.