We’ve all seen the seemingly endless reports about big companies getting breached. But what the news fails to report are all the small to medium-sized businesses that get hit every day.
In fact, over half of all cyberattacks target small-mid size businesses, with ransomware attacks often following six months after a security breach.
Security Vulnerabilities that Lead to Ransomware Attacks
When it comes to ransomware and cyberattacks, nearly all of them can be prevented.
How? Most attacks are caused by human error, whether it is a phishing attack through email or a compromised password.
But one of the most common vulnerabilities comes from old, on-premises software. As more and more businesses look to modernize and move to the cloud, there are several security risks to consider with on-prem equipment.
Glenn Johnson, CEO and Principal Engineer at the Vizius Group with over 30 years in technology, consulting, and executive roles, explains how this vulnerability evolves:
- Outdated or nonexistent sunset policies. Businesses often neglect to implement or update hardware or software sunset policies, creating a big security risk.
– A hardware sunset policy stipulates the maximum age for equipment and software (usually categorized by type and function). For instance, server computers used for production-related activities are proactively replaced at the end of three years, network equipment at five years, etc.
– Software sunset policies ensure that your organization doesn’t become dependent on an application that has software dependencies that are difficult to re-create in the event of a failure. “We have clients that have important elements of operations dependent on obsolete, unavailable and unsupported software and have been forced to completely re-write these applications using unbudgeted dollars,” states Johnson.
- Neglected equipment/software. Hardware and software that isn’t proactively replaced in this manner can become neglected and forgotten as it ‘hums away’ in the closet or computer room. “In addition to accumulating risks related to failure, neglected hardware and software become more attractive targets for attackers because of missing patches and updates,” Johnson explains.
So often businesses leave these old systems running “just in case we need to access something” without realizing the inherent security risk that poses. It is always best to shut such a system down and spin it back up only if it is actually needed.
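As an added illustration of the sunset policy described above (example code written for this article, not a Vizius Group tool), the script below evaluates a constructed asset inventory against per-category maximum ages. The server and network limits follow the article; the workstation and software limits, the twelve-month planning window, the field names and the sample assets are assumptions. Anything whose category has no policy entry is reported as unclassified rather than silently skipped, since the forgotten box in the closet is exactly the one an inventory tends to miss.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical sunset policy: maximum age in years per asset category.
# The server (3) and network (5) limits follow the article; the rest are assumed.
SUNSET_YEARS = {"server": 3, "network": 5, "workstation": 5, "software": 5}


@dataclass
class Asset:
    name: str
    category: str
    deployed: date
    vendor_supported: bool = True  # False once the vendor stops shipping patches


def age_in_years(asset: Asset, today: date) -> float:
    """Age of the asset in (fractional) years on the given date."""
    return (today - asset.deployed).days / 365.25


def sunset_status(asset: Asset, today: date, policy=SUNSET_YEARS, warn_months=12) -> str:
    """Classify one asset: 'replace', 'plan', 'ok' or 'unclassified'.

    Unsupported software is 'replace' regardless of age: no patches means
    the accumulated-vulnerability problem the article describes.
    """
    limit = policy.get(asset.category)
    if limit is None:
        return "unclassified"  # no policy covers it, so nobody owns its refresh
    age = age_in_years(asset, today)
    if not asset.vendor_supported or age >= limit:
        return "replace"
    if (limit - age) * 12 <= warn_months:
        return "plan"  # inside the budgeting window for next year's refresh
    return "ok"


def evaluate(assets, today: date, policy=SUNSET_YEARS, warn_months=12) -> dict:
    """Map each asset name to its sunset status."""
    return {a.name: sunset_status(a, today, policy, warn_months) for a in assets}


# Constructed inventory for the example; names and dates are made up.
SAMPLE_INVENTORY = [
    Asset("erp-db01", "server", date(2019, 3, 1)),
    Asset("core-sw1", "network", date(2018, 1, 15)),
    Asset("fax-gw", "software", date(2020, 5, 1), vendor_supported=False),
    Asset("hr-ws07", "workstation", date(2021, 9, 1)),
    Asset("mystery-box", "appliance", date(2015, 6, 1)),  # category not in the policy
]

if __name__ == "__main__":
    today = date(2022, 6, 1)
    for asset in SAMPLE_INVENTORY:
        status = sunset_status(asset, today)
        print(f"{asset.name:12} {asset.category:12} {age_in_years(asset, today):4.1f}y  {status}")
```

Feed it a real inventory export (a CSV of name, category, deployment date and support status) and the `replace` and `plan` rows become the refresh budget for the coming year; the `unclassified` rows are the gaps in the policy itself.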
Security vulnerabilities also come from ‘legacy’ authentication methods on on-premise systems that allow weak passwords, no multifactor authentication, or require ‘admin’ access for certain processes.
4 Steps to Secure On-Premise Systems
Johnson shares his four-part process for securing on-premise systems:
- Implement a sunset policy. Don’t wait until a piece of your infrastructure fails to replace it. Proactively refresh technology that is more than five years old.
- Implement a vulnerability and patch management solution. There are some great tools out there to make this a more manageable process, including Nessus for vulnerability scanning and Automox for patch management.
- Implement some proactive protection in the form of an anti-malware solution. “Your company should have a modern anti-virus product in place. By modern, I mean that it offers both signature and heuristic-based malware detection, overwatch for protected system file/directory and registry integrity, preventative controls in place for local privilege escalation attempts, centralized management and alerting (that someone looks at!), forced updates and alerts for systems that go MIA, etc.” explains Johnson. If you are a fanboy of the product nobody ever heard of, or insistent that your old Norton AV is good enough, you may want to reconsider. If it’s time to replace your old technology, Johnson’s team at Vizius has done extensive testing with Microsoft’s Defender for Endpoint and found it performed really well against their red team. “I’ve also heard good things about Crowdstrike, but haven’t used it myself,” Johnson adds.
- Enable centralized logging and event management. Your computers and network equipment are telling you what is going on with them in the form of logging, but are you listening?
These logs should be enabled and collected in a central location. Once there, someone needs to configure an appropriate level of parsing/alerting that informs the right people about the right things. “If your company has the staff and resources to do this but lacks the software, Wazuh is a solid open source solution. Many companies look for help either implementing or managing these solutions and we’d recommend you work with someone like The Vizius Group if you have questions,” Johnson explains.
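To make the “parsing/alerting that informs the right people” concrete, here is an added example (written for this article, not Wazuh’s rule set or any Vizius tooling) that reads a handful of constructed sshd syslog lines and raises two kinds of alert: a source address that accumulates five failed logins within five minutes, and, more urgently, a successful login from a source that had just been failing. The log format is standard OpenSSH syslog output; the threshold, window, host name and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH "Failed password" / "Accepted password" lines in syslog format.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line: str, year: int = 2022):
    """Return a dict for an sshd auth event, or None for any other log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # syslog pads single-digit days with two spaces
    return {
        "ts": datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(lines, threshold: int = 5, window=timedelta(minutes=5)):
    """Sliding-window failed-login detector.

    Fires 'brute_force' once when a source reaches `threshold` failures inside
    `window`, and 'success_after_failures' when that same source then logs in.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once when the line is crossed
                alerts.append({"type": "brute_force", "severity": "medium",
                               "src": ev["src"], "host": ev["host"],
                               "failures": len(recent), "ts": ev["ts"]})
        elif len(recent) >= threshold:
            alerts.append({"type": "success_after_failures", "severity": "high",
                           "src": ev["src"], "host": ev["host"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "Jun  1 08:00:01 fileserver sshd[2231]: Failed password for root from 203.0.113.45 port 51012 ssh2",
    "Jun  1 08:00:14 fileserver sshd[2233]: Failed password for root from 203.0.113.45 port 51013 ssh2",
    "Jun  1 08:00:30 fileserver sshd[2235]: Failed password for invalid user admin from 203.0.113.45 port 51014 ssh2",
    "Jun  1 08:00:45 fileserver CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jun  1 08:01:02 fileserver sshd[2241]: Failed password for backup from 203.0.113.45 port 51015 ssh2",
    "Jun  1 08:01:20 fileserver sshd[2244]: Failed password for backup from 203.0.113.45 port 51016 ssh2",
    "Jun  1 08:01:35 fileserver sshd[2246]: Accepted password for backup from 203.0.113.45 port 51017 ssh2",
    "Jun  1 08:05:00 fileserver sshd[2260]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "Jun  1 08:06:10 fileserver sshd[2262]: Accepted password for alice from 198.51.100.7 port 40002 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single failed login followed by a success for `alice` produces nothing, which is the point of the threshold: the alert that reaches a person should be the one worth reading. In a real deployment the same logic lives in the SIEM’s rule engine, and the `high` alert is the one that should page someone.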
When you move a system to the cloud it takes physical security and maintenance (essentially) out of the equation. Depending on the deployment model, it also takes the need for operating system maintenance away.
Generally, cloud also offers more robust authentication integration that can be leveraged across systems.
Most people, when they hear ‘cloud’, associate it with one of two things: Software as a Service (SaaS) solutions, like Office365 and Salesforce, or Infrastructure as a Service (IaaS), like Azure and AWS.
One of the services built into Software as a Service is patch and update management. This offers a big advantage over on-premise systems.
“If you use Office365, you don’t have to worry about patching Exchange, Microsoft does that for you. You can still misconfigure things that expose yourself to attack, but it won’t be because you didn’t patch Microsoft’s Exchange server in the cloud,” explains Johnson.
Infrastructure as a Service, by contrast, allows you to use a computer that is virtualized and hosted in a data center managed by your cloud vendor. The biggest difference here is that you (essentially) don’t need to worry about physical security of the computer, or maintaining / replacing any hardware. You are, however, still responsible for patch and vulnerability management.
Cloud Security Misconceptions
Cloud computing security has become so much of a non-issue that there is a US Government mandate for its agencies to accelerate their journey to the cloud.
However, it’s entirely possible to import poor cybersecurity practices to your shiny new cloud instance.
“Not enabling multi-factor authentication, choosing poor passwords, re-using passwords, sharing accounts, not protecting administrator accounts, not implementing solid access control based on need-to-know are just a few of the ways we have seen customers shoot themselves in the foot in their cloud environment,” Johnson explains.
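The identity mistakes Johnson lists are all checkable from an account inventory. The following added example (written for this article; it does not call any cloud provider’s API) audits a constructed list of user records, modeled loosely on the kind of credential report cloud consoles export, for administrators without MFA, users without MFA, password age, dormant accounts and names that suggest a shared credential. The field names, thresholds, the naming heuristic and the sample users are all assumptions.

```python
from datetime import date

# Constructed identity inventory. Field names are assumptions for this example,
# not any vendor's credential-report schema.
SAMPLE_USERS = [
    {"user": "ceo", "admin": True, "mfa": False,
     "pw_changed": date(2021, 1, 10), "last_used": date(2022, 5, 30)},
    {"user": "ops-admin", "admin": True, "mfa": True,
     "pw_changed": date(2022, 4, 1), "last_used": date(2022, 5, 31)},
    {"user": "shared-helpdesk", "admin": False, "mfa": False,
     "pw_changed": date(2022, 3, 15), "last_used": date(2022, 5, 31)},
    {"user": "contractor-old", "admin": False, "mfa": True,
     "pw_changed": date(2021, 11, 2), "last_used": date(2021, 12, 20)},
    {"user": "alice", "admin": False, "mfa": True,
     "pw_changed": date(2022, 5, 1), "last_used": date(2022, 5, 31)},
]

# Name prefixes that usually mean one password is passed around a team (assumed).
SHARED_PREFIXES = ("shared-", "team-", "generic-")


def audit(users, today: date, max_pw_age: int = 90, max_idle: int = 90):
    """Return a list of findings: {'user', 'severity', 'issue'}."""
    findings = []

    def add(user, severity, issue):
        findings.append({"user": user, "severity": severity, "issue": issue})

    for u in users:
        name = u["user"]
        if u["admin"] and not u["mfa"]:
            add(name, "high", "administrator account without MFA")
        elif not u["mfa"]:
            add(name, "medium", "MFA not enabled")
        if name.startswith(SHARED_PREFIXES):
            add(name, "medium", "name suggests a shared credential; issue individual accounts")
        pw_age = (today - u["pw_changed"]).days
        if pw_age > max_pw_age:
            add(name, "low", f"password not changed in {pw_age} days")
        idle = (today - u["last_used"]).days
        if idle > max_idle:
            add(name, "medium", f"no sign-in for {idle} days; disable or remove")
    return findings


def summarize(findings):
    """Count findings per severity so the report can be sorted by what matters."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    report = audit(SAMPLE_USERS, date(2022, 6, 1))
    for f in sorted(report, key=lambda f: ("high", "medium", "low").index(f["severity"])):
        print(f"[{f['severity']:6}] {f['user']:16} {f['issue']}")
    print(summarize(report))
```

The useful output is not the list itself but the ordering: an administrator without MFA comes before every stale-password finding, because it is the one a single phished credential turns into a full compromise.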
How to Reduce Ransomware and Cyberattacks for Small-Mid Size Businesses
While ransomware and cyberattacks are getting more sophisticated and unfortunately more common, all hope is not lost. There are several options businesses have to tighten security and make big strides in preventing attacks.
According to Johnson, here are five ways a company can protect themselves:
- Proactively conduct regular phishing awareness training. The Vizius Group recommends Hook Security because it’s easy, effective and inexpensive.
- Perform regular vulnerability scanning and implement a patch management process.
- Proactively replace elderly hardware and software and move to cloud services as appropriate.
- Ensure your backups are happening on a regular basis, that they are isolated and kept off-site, and that you regularly test the effectiveness of the restore capability.
- Get an outside opinion on your company’s security posture. Your company probably conducts periodic financial audits. It should consider periodic security audits as well.
The Vizius Group has a 7 Step Self Assessment you can walk yourself through to independently review, measure, and assess your company’s level of preparedness to prevent and recover from ransomware. They also offer a service to perform this assessment for companies who want third party validation of their state of readiness.
Article was co-written with Glenn Johnson, CEO and Principal Engineer at the Vizius Group. With over 30 years in technology, and the last 20 in consulting and executive roles, Glenn brings a pragmatic, business-focused perspective to cybersecurity. Glenn was formerly the CISO at NorthState Communications and Stalwart Systems and has held contract CISO positions for companies in the pharmaceutical, technology and manufacturing sectors. Glenn’s active certifications include CISSP, CISA, CISM, CRISC, PMP, GMON and GCIH, and he graduated from LaSalle University with a master’s in Information Systems.