December 6, 2018
The Most Basic Ransomware Defense Technique – WST
Aside from standard security practices such as antivirus software and security awareness training, one of the most effective steps you can take to protect against ransomware is very straightforward: limit what files users can access. Ransomware almost always runs with the same permissions as the infected user, so what they cannot access, the ransomware cannot encrypt.
The concept of ‘least privilege’ (allowing a user to access only what is needed for their job) is as old as information security itself, but it is not always easy to implement. Even once you have implemented it, access control lists (ACLs) get modified over time and, by the very nature of things, generally become more permissive, not less. ‘Least privilege’ and ACL management is a big area, but here are some common pitfalls and recommendations:
- Regularly audit file permissions and shared folder ACLs. This can be done using automated tools, scripts, or just old-fashioned testing by logging in with different user types and seeing what you can access.
- Don’t just watch the common mapped drives. Often there are shares all over a network that are viewable by browsing the network using File Explorer. Some common issues we see are shares used by applications, backup target folders, temporary shares used for file transfers, and other network storage such as NAS devices. All can contain important information that may be improperly secured.
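
As an added example (not from the original post), the PowerShell sketch below shows one way to script the audit described above: it lists every non-administrative share on a set of Windows file servers and reports where broad groups hold write-capable access at either the share or the NTFS layer. The server names are placeholders, and the list of "broad" groups and the write mask are assumptions to adjust for your environment.

```powershell
# Added example: report shares where broad groups hold write-capable access.
# $Servers holds placeholder host names; replace them with your own file servers.
$Servers = @('FILESERVER01', 'FILESERVER02')

# Assumption: these are the groups considered "too broad" for write access.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', '*\Domain Users')

# WriteData | AppendData | DeleteSubdirectoriesAndFiles | Delete | GENERIC_ALL | GENERIC_WRITE
$WriteMask = 0x50010046

function Test-BroadPrincipal([string]$Account) {
    foreach ($pattern in $BroadPrincipals) {
        if ($Account -like $pattern) { return $true }
    }
    return $false
}

$findings = foreach ($server in $Servers) {
    # -Special $false skips administrative shares such as C$ and IPC$.
    $shares = Get-SmbShare -CimSession $server -Special $false -ErrorAction SilentlyContinue
    foreach ($share in $shares) {
        # Layer 1: share-level permissions.
        Get-SmbShareAccess -CimSession $server -Name $share.Name |
            Where-Object { "$($_.AccessControlType)" -eq 'Allow' -and
                           "$($_.AccessRight)" -in 'Full', 'Change' -and
                           (Test-BroadPrincipal $_.AccountName) } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Share = $share.Name; Layer = 'Share'
                                   Account = $_.AccountName; Rights = "$($_.AccessRight)" }
            }

        # Layer 2: NTFS permissions on the share root, read over the UNC path.
        $acl = Get-Acl -Path "\\$server\$($share.Name)" -ErrorAction SilentlyContinue
        foreach ($ace in $acl.Access) {
            if ("$($ace.AccessControlType)" -eq 'Allow' -and
                ([int]$ace.FileSystemRights -band $WriteMask) -ne 0 -and
                (Test-BroadPrincipal $ace.IdentityReference.Value)) {
                [pscustomobject]@{ Server = $server; Share = $share.Name; Layer = 'NTFS'
                                   Account = $ace.IdentityReference.Value
                                   Rights = "$($ace.FileSystemRights)" }
            }
        }
    }
}

$findings | Sort-Object Server, Share, Layer | Format-Table -AutoSize
```

A share is only as open as the more restrictive of its two layers, so a finding at both the Share and NTFS layer for the same account is the one to fix first. `Get-SmbShare` only enumerates Windows hosts; for NAS devices and other storage, only the `Get-Acl` check against a known UNC path applies.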