By Allyson Vicars, consultant with Advisory Board’s Health Care IT Advisor
Ransomware attacks are starting to feel inevitable.
According to a recent study, about 10% of colleges have experienced ransomware attacks, compared to 6% of government entities and 3.4% of health care organizations. Some research suggests there’s more where that came from: The number of ransomware attacks grew by 17.7 percent between April 2015 and March 2016, according to a 2016 study from Kaspersky Lab, and some experts believe that number will continue to increase.
Since this form of cyberattack can be particularly devastating to campus operations, it’s important to stay vigilant and take preventative actions that are within your control. As with many cultural change initiatives, user education plays a vital role, and efforts to improve security awareness and hygiene cannot be downplayed.
Improve security education efforts with infiltration pattern training
For the unfamiliar, ransomware allows outside parties to take control of your data, encrypt it, and then request a sum of money in return for the decryption key.
Staff members need to understand what an infiltration looks like and how to react to it. The most common attack vector for malware, including ransomware, is email. Attackers send out well-crafted emails with wording and logos that are increasingly difficult to distinguish as dangerous and prey upon our natural tendency to open everything. These malicious emails contain either an infected attachment or URL link (for example, a link to download a Google Document). A simple click on the ‘Enabling Macros’ button in the document is all it takes to unleash the ransomware at this point.
But don’t think you’re safe as long as you don’t open any attachments: ransomware infections can happen simply by surfing the Internet. An exploit kit, which runs on web servers and seeks out machine vulnerabilities to execute malicious code, requires no interaction with the user. They are often hidden in promoted content links on insecure websites and the hidden code tells the browser to download the ransomware.
Address the clicking
Education and security awareness training are important, but don’t become overly reliant on education for prevention. It takes just one errant click to defeat all your training efforts, so you must address the clicks that will happen regardless of the amount of security training you invest in. There are several concrete actions that colleges and universities can take that complement security education:
1. Craft a zero-tolerance security policy.
A zero-tolerance security policy that includes reprimands up to and including termination can make the ramifications of poor security hygiene very real to employees. Use caution though; if advertised too strongly or used in a heavy-handed manner, staff morale may suffer. Overall, it’s important for management to be able to use their judgement in responding to staff incidents, so establishing a policy that says staff may be disciplined up to and including termination is valuable.
2. Leverage effective email and web gateways.
Email gateways can prevent users from even having the opportunity to click or view malware by blocking or filtering emails determined to be malicious. Only emails and attachments deemed safe are passed on to the user. Web gateways, sometimes called web proxies, analyze web traffic and prevent users from visiting malicious or risky websites or domains.
To manage internet traffic, a more radical step is to employ whitelisting. Your organization could use a whitelist, like Alexa, to limit user web traffic only to sites considered safe. Often such lists are restricted to the top 10,000 sites accessed by the organization.
These filters do come with costs and there are always exceptions to the rule. For example, a public health professor researching drug use may need to access sites that would otherwise be forbidden. Be cautious and ensure that users have an easy-to-use avenue to get legitimate access restored. Consider getting email and web gateways if your organization doesn’t already use them or enhancing, replacing, or supplementing any existing email or web gateways.
3. Manage your machines a little bit differently.
While server access for some staff and faculty is imperative for job performance, it’s not imperative that these machines be used for regular email and web-surfing functions that could expose the machine and your organization to attack. Isolate or segment an internet-connected workstation that users can use for checking email and surfing the web—and keep that disconnected from the server containing student files and other sensitive documents.
Consider limiting or even restricting data from being stored directly on the workstation itself. This would, of course, require educating the end user on where to save data on servers or other cloud storage points, like Box.
Another more radical approach is application whitelisting. This functionality prevents any application not previously approved to execute on enabled machines. Even if the end user clicked an infected link, any malware would fail to execute. Most operating systems already come with some form of built-in application whitelist capabilities. Certain versions of Microsoft may call it a Software Restriction Policy and Apple calls it AppLocker. While initial set-up of this new process can be time-consuming—it would require taking an accurate inventory of all applications on user machines and fine-tuning to make sure everyone has access to the business applications they need—it is extremely effective and doesn’t require any additional purchases.
Additionally, ensure you have backups that are not drive mounted and are therefore less accessible to infiltration. Focus patching efforts on any software or hardware exposed to access from the Internet and ensure all default passwords are changed.
More resources to combat malware: IT breach preparation and response toolkit
This toolkit provides guidance on preparation and planning steps to help lay the groundwork for effective breach response. Use the advice and templates to reduce cost of breach and response, minimize risk to your institution if a breach occurs, and more. Get the tools.