Malware has been around for decades now. And as our reliance on computing systems has grown, so too has malware proliferation. While antivirus applications were once the key element in preventing infections from occurring (and subsequently spreading), malware has evolved over time in various ways, similar to how our computer usage has changed.
With the changes to malware and its behaviors, the methods of detection and protection have had to be modified to prevent infections from assorted malware types, like spyware, ransomware, and adware—and in the case of zero-days, to mitigate the impact while limiting the exposure as much as possible.
With the recent WannaCry ransomware infection affecting users on an international scale, the stakes are extremely high for those who rely on technology to protect their data at all costs. This is especially true of critical systems, such as those that provide life-saving care in hospitals, infrastructure used to manage utilities, and information systems used in government services.
The approach to data security is not a one-size-fits-all solution, as it varies based on the organization’s needs and the resources available to it. Consideration must also be given to complying with any regulations that may exist specific to your industry.
With that said, safeguards are merely that. The risk associated with malware infections is always present, as risk can’t be eliminated. But applying multiple security applications as a layered solution provides comprehensive protection on several fronts to minimize the threat of a potential outbreak in accordance with best practices.
1: Patch management for clients and servers
Keeping current with Windows Updates ensures that your clients and servers will be patched against any known threats. Vulnerabilities that exist in the form of zero-days will not be covered since that is not possible—and yet the WannaCry infection managed to infect more than 150 countries at such an alarming rate, despite a patch having been readily available almost two months prior to the attack.
With patch management playing such a crucial role in on-going system protection, there is no end to the tools available to organizations —small, medium, or large—to help ensure that their systems are current. First-party tools available from Microsoft, such as Windows Server Update Services, which is included as a service of Windows Server or Systems Center Configuration Manager (SCCM), can manage patches, from deployment to remediation with included reporting on the status of all managed devices for first- and third-party applications.
2: Security software and hardware appliance updates
As stated previously, each organization will have differing needs and resources available to best manage the network and its data. While some commonalities exist, such as firewalls and intrusion prevention systems (IPSes), these devices provide filtering of traffic at the ingress/egress of the network. Alongside firmware updates and signatures, these devices also offer manual configuration to better suit your network’s protection requirements.
Active monitoring of the health of these devices, along with updating configurations as necessary to match the network’s needs, will result in enhancing the network’s security posture and help enable the security appliance to stave off attacks.
While these devices may not necessarily be Windows-based devices, I included them here because of the real-world benefit they provide in helping to mitigate unauthorized network intrusions and to fend off attacks.
3: Hardening device security
Hardening clients and servers is imperative to limit the attack surface from internal or external attacks. The process of hardening a Windows client will differ from a Windows server, in that the aim for their use can vary drastically.
By assessing what the devices will be used for, you can determine how the device should be locked down from a security standpoint. Keep in mind that any applications, services, and connected devices that are not needed or that are deprecated (such as the SMBv1 protocol that allowed the WannaCry exploit to proliferate) should be considered a potential attack vector that may be exploited and should be disabled immediately.
Microsoft offers the Microsoft Baseline Security Analyzer (MBSA) for clients and servers alike to perform vulnerability assessments for devices and the services that run atop them. It also makes recommendations on how to harden them for the utmost security without compromising services. For newer OSes, such as Windows 10 and Windows Server 2012/2016, MBSA will still work, though it may be used in conjunction with the Windows Server Manager app to identify compliance with best practices, troubleshoot configuration errors, and identify operating baselines used to detect variations in performance, which may be an indicator of a compromised system.
4: Data backup management
Let’s face it, a computer is only as reliable as the data it works with. If said data has become compromised, corrupt, or otherwise lost its integrity—say through encryption by ransomware—it will cease to be useful or reliable.
One of the best protections against ransomware in general is a good backup system. As a matter of fact, several backup systems are better still. Since data can be backed up to several different media at once, an incremental backup to a local drive that you can transport with you, alongside a constant backup to cloud storage with versioning support, and a third backup to a network server with encryption provides ample redundancy so that if your local drive becomes compromised, you still have three possible data sets to recover from.
The Backup And Restore Utility native to Windows clients and servers provides a lightweight solution for backing up local data across multiple storage types. Meanwhile, OneDrive offers excellent cloud backup capability. Third-party software to centrally manage data backups across an organization or to/from the cloud is available from several providers as well.
5: Encryption for data at rest and in motion
Encrypting data on the whole will not prevent your computer from ransomware infections, nor will it prevent a virus from encrypting the already encrypted data should the device become infected. Be that as it may, some apps use a form of containerization to sandbox data that is encrypted, rendering it completely unreadable by any process outside the container application’s API.
This is extremely useful for data at rest since it prevents outside access unless it’s through the designated application. But it does nothing for data in motion or data that is being transferred over the network. In cases where transmission is required, the de facto standard is virtual private networking (VPN), since it creates an encrypted tunnel by which to send/receive data to/from, ensuring data is protected at all times.
6: Secured network infrastructure configurations
Unfortunately, the network is often set up and configured during the installation period of new hardware and then it’s left to operate unchecked until something fails. Networking equipment, including routers, switches, and wireless access points, require updated firmware and proper configuration, along with proactive monitoring to address trouble points before they become full-blown issues.
As part of the configuration process, an optimized network will be set up for Virtual LANs (VLANs) or segment traffic and should be managed to ensure that data gets where it needs to go in the most efficient manner possible. Another security benefit of VLANs is the ability to logically quarantine malicious traffic or infected hosts so that they can’t spread the infection to other devices or parts of the network. This enables administrators to deal with compromised hosts without risk of spreading the infection or to simply shut down the specific VLAN altogether to effectively cut off the device(s) from the internet until remediation has occurred.
7: Network, security, acceptable use, and data recovery policies
Policies are often used by larger organizations to enforce compliance with rules and regulations by their employees. However, besides being a document that dictates the rules of the workplace, policies can also serve as guidelines for end users to follow before an attack takes place and as a survival guide during and after an attack occurs.
While policies do not inherently stop malware at a technical level, if written properly they can address known issues or concerns with respect to data security and arm employees with useful information that could prevent an infection from spreading. Policies may also direct them to provide feedback to IT support to remedy a reported issue before it becomes a larger problem.
Policies should always be considered “drafts” in a sense. Technology is dynamic and ever changing, so the policies that are in effect must change too. Also, be mindful of any restrictions or regulations that may apply to your field. Depending on the industry, writing policies can get tricky and should be addressed with management (and perhaps legal) teams for accuracy and compliance.
8: Change management documentation
As with instituting policies, there is no direct correlation between documenting change management process (or recording all changes to clients/servers, including patch deployment, software upgrades and baseline analyses) and preventing ransomware outright.
However, detailing changes made to systems configurations, along with the other measures previously listed, can have a profound effect on IT’s ability to respond to threats proactively or reactively. Furthermore, it allows for adequate testing and measurement of results that any changes made to systems has on services provided and uptime availability. Lastly, it offers a record of the changes made (alongside their results), which administrators, contractors, and other support personnel can review to determine the cause of some issues or possibly address their recurrence in the future.
For a comprehensive set of documentation to be useful, you need input from various support teams—including systems and network administrators, help desk staff, and management—to create a documentation process that is effective yet simple to follow and easy to manage.
9: End-user training
Never underestimate the value of proper training for all staff, not just IT. Protecting against malware is not solely IT’s job. It’s everyone’s responsibility since it affects everyone and can be essentially brought on by anyone at the organization.
Considered a preventative measure, training that focuses on identifying possible malware attacks, such as phishing, can be an effective tool in preventing malware campaigns against your organization from compromising sensitive data.
End-user training should center not just on identifying malware attack attempts, but should also target mitigation techniques that users can take to prevent or slow down infections should they suspect their computers have been compromised. Finally, no training is complete without informing users about the organization’s expectations with respect to their responsibilities on reporting issues the instant they spot something out of the norm.
10: Risk management assessments
The aim of a risk assessment (RA) and risk management (RM) process is to identify internal and external threats (also called hazards) and the equipment and services that are affected by them, as well as to analyze their potential impact. The management portion of RA involves evaluating this data to prioritize the list of risks and identify the best plan of action in mitigating them.
RA and RM can help you pinpoint the trouble spots and implement an ongoing plan to prevent these issues from negatively affecting your organization. At the very least, RA/RM allows IT to focus its efforts on aligning the company’s resources with the devices that pose the greatest threat if compromised, such as mission-critical systems.
This process enables IT, management, and compliance/regulation entities to best determine the path forward in identifying equipment, mitigating hazards, determining the order in which to resolve threats, and evaluating the assessment itself so that procedures can be updated and corrective actions modified as risks change over time.