Cyber Defense Best Practices
In early October 2019, the Department of Justice issued FBI ransomware guidance. The guidance is a public service announcement (PSA) that contains updated information about the ransomware threat and recommends cyber defense best practices. Those best practices are discussed below.
What is Included in Latest FBI Ransomware Guidance?
The FBI ransomware guidance updates and is a companion to Ransomware PSA I-091516-PSA posted on www.ic3.gov in 2016. The guidance provides a definition of ransomware, points out trends associated with ransomware attacks, and provides cyber defense best practices.
The FBI Ransomware guidance begins with the definition of ransomware. Ransomware is a form of malware that encrypts files on a victim’s computer or server, making them unusable. Cybercriminals demand a ransom in exchange for providing a key to decrypt the victim’s files.
What Cyber Defense Best Practices Are Recommended?
Cybersecurity experts recommend that organizations develop cybersecurity best practices. These include:
- Antivirus and antimalware. Ensure antivirus and antimalware solutions are set to automatically update and that regular scans are conducted.
- Backup all data. Covered entities and business associates should regularly back up data and verify its integrity. Ensure that backups are not connected to the computers and networks they are backing up. For example, physically store them offline. Backups play a critical role in recovering from a ransomware attack. If you are infected, backups may be the best way of recovering critical data.
- Configure access controls. Ensure employees can only read and access the files they need to read and access as part of their job duties.
- Develop effective password policies. Password policy best practices include (among other things):
  - Setting complexity requirements (such as a minimum number of characters);
  - Requiring use of certain character types (e.g., special characters, numbers, lowercase and uppercase letters);
  - Preventing users from reusing passwords they have previously used;
  - Requiring periodic password changes.
- Implement a network firewall. Firewalls build a barrier between a cyberattacker and your data. To provide additional data protection, install an internal firewall in addition to an external firewall.
- Identify insider threats. Insider threats, which can come from employees or contractors, can be detected by monitoring user activities.
- Use identity and access management (IAM). IAM is a set of policies, tools, and controls that ensure only the people who need access to technology resources have that access. IAM enables organizations to record and capture user login information and to remove access privileges.
- Known programs. Only allow systems to execute programs that are known, and that are permitted by your organization’s security policy.
- Use Multi-Factor Authentication (MFA). Implementing MFA is simple, and provides an extra layer of security for your data.
- Categorize data. Categorize data based on organizational value, and implement physical separation of networks and data for different organizational units. For example, sensitive research or business data should not reside on the same server and network segment as an organization’s email environment.
- Patch the operating system, software, and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. Endpoints include end-user devices such as mobile devices, laptops, and desktop PCs; servers in a data center are also considered endpoints. A patch management strategy should be used to ensure patches are applied in a timely manner and that patch installation does not negatively impact operations.
- Perform a software inventory. Software that is identified as open-source should be checked for integrity and credibility before it is installed.
- Implement software restriction policies. This prevents execution of programs in common ransomware locations, such as temporary folders supporting popular internet browsers.
- Train the team. Focus on awareness and training. Since end users are targeted, employees should be:
  - Made aware of the threat of malware like ransomware and how it is delivered;
  - Trained on information security principles; and
  - Trained on insider threats. Insider threats are malicious threats to an entity that come from people within it. People within an entity, including employees, former employees, business associates, or contractors, may have inside knowledge of your security practices and data systems. Employees should be trained on (among other areas) the definition of an insider threat; the different types of insider threats; the impact of insider threats on an organization; and how to identify reportable insider-threat behaviors.
- Implement application whitelisting. With whitelisting, only administrator-approved programs, IP addresses, and email addresses are given system access.
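The four password-policy rules listed above (a character minimum, required character types, no reuse of previous passwords, periodic change) can be enforced with a small checker. This is an added example, not code from the FBI guidance; the thresholds (12 characters, 3 of 4 character classes, 5 remembered passwords, 90 days) are assumed values chosen for illustration, and previous passwords are kept only as salted PBKDF2 hashes so the history itself does not leak them.

```python
# Added example (not from the FBI PSA): the four password-policy rules above
# as code; all thresholds are assumed values chosen for illustration.
import hashlib
import hmac
import os
import string
from datetime import timedelta

MIN_LENGTH = 12               # complexity: character minimum (assumed)
MIN_CLASSES = 3               # character types required (assumed)
HISTORY_DEPTH = 5             # previously used passwords to reject (assumed)
MAX_AGE = timedelta(days=90)  # periodic change interval (assumed)

def _hash(password, salt):
    # Salted PBKDF2 so the stored history never reveals the old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordHistory:
    """Keeps salted hashes of the last HISTORY_DEPTH passwords."""
    def __init__(self):
        self.entries = []  # (salt, digest) pairs, newest last

    def remember(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.entries = self.entries[-HISTORY_DEPTH:]

    def was_used(self, password):
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

def character_classes(password):
    """Count how many of lower/upper/digit/punctuation classes appear."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in password) for cls in classes)

def check_password(password, history):
    """Return a list of rule violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character types")
    if history.was_used(password):
        problems.append("matches a previously used password")
    return problems

def rotation_due(last_changed, today):
    """Periodic change: True once the password is older than MAX_AGE."""
    return today - last_changed > MAX_AGE
```

NIST SP 800-63B (2017) advises against forced periodic rotation unless compromise is suspected; the rotation check is included only because the guidance lists it.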