
Thycotic’s Cyber Security Publication

Ransomware is a major threat. Use Least Privilege, Application Whitelisting & Privileged Account Management to reduce risk

May 3rd, 2016


Ransomware has become a major threat because of its many variants and the drastic impact of losing access to systems and data: day-to-day business grinds to a halt and critical systems become unavailable.

Perimeter defenses have failed to stop ransomware from getting into an organization's networks and spreading within them, causing mass operational disruption. Signature-based anti-virus fares no better: each new variant is effectively unique, and variants appear faster than signatures can be written for them.

The US-CERT and DHHS Threat Alert explains the nature of the threat well and outlines several available mitigations.

US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

• Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.

• Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.

• Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.

• Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.

• Restrict users’ ability (permissions) to install and run unwanted software applications, and apply a Least Privilege policy to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.

• Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.

• Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
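The macro and attachment recommendations in the list above can be enforced at the mail gateway rather than left to the user. The following is an added example written for this page, not code from the original post or from any Thycotic product: it looks inside each attachment instead of trusting its extension, blocks OOXML documents that carry a VBA project (the vbaProject.bin entry that every macro-enabled .docm/.xlsm contains, even when the file has been renamed to .docx), holds legacy binary Office files for human review because finding macros in them needs an OLE parser, and rejects plainly executable attachment types. The sample attachments are constructed in memory; the file-format magic values are real.

```python
import io
import zipfile

# File-format constants (real values, not assumptions).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary Office files (.doc/.xls/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML containers (.docx/.docm/.xlsx/.xlsm/...)
# In OOXML the VBA project lives in its own zip entry (word/vbaProject.bin, xl/vbaProject.bin, ...).
VBA_ENTRY = "vbaproject.bin"
# Attachment types that are executable in their own right and never belong in external mail.
EXEC_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "hta", "cmd", "bat", "ps1"}


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML document embeds a VBA project, whatever its file extension claims."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(VBA_ENTRY) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # claims to be a zip but is not: no VBA project could be found


def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway decision for one attachment: 'allow', 'block' or 'review' (hold for a human)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXEC_EXTENSIONS:
        return "block"
    if data.startswith(ZIP_MAGIC):
        if has_vba_project(data):
            return "block"   # macro-enabled, even when renamed to .docx to look harmless
        if ext in {"docm", "dotm", "xlsm", "pptm"}:
            return "review"  # macro extension but no VBA project: inconsistent, let a human look
        return "allow"
    if data.startswith(OLE_MAGIC):
        # The legacy binary format can carry macros too, but finding them means parsing the
        # OLE streams (e.g. with the olefile/oletools libraries). Hold it rather than wave it through.
        return "review"
    return "allow"  # not an Office document or an executable; other controls apply


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML package, optionally with a VBA project entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00constructed-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample_docm(True)),     # classic macro lure
        ("invoice.docx", build_sample_docm(True)),     # same payload, renamed to look harmless
        ("minutes.docx", build_sample_docm(False)),    # clean document
        ("old_report.doc", OLE_MAGIC + b"\x00" * 24),  # legacy format: undecidable without OLE parsing
        ("photo.jpg.scr", b"MZ..."),                   # double-extension executable
    ]
    for name, data in samples:
        print(f"{name:16} -> {classify_attachment(name, data)}")
```

The point of checking the container rather than the extension is that the extension is attacker-controlled; the VBA project entry is not something a document can have by accident. Holding legacy .doc/.xls files for review is the conservative choice when the gateway cannot parse OLE streams.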

Organizations can implement security controls that prevent untrusted or unknown applications or tools from simply being installed on a system, while still letting end users stay productive, by combining Application Whitelisting, Blacklisting, Dynamic Listing, Real-Time Privilege Elevation, and Application Reputation and Intelligence.


Users often have the ability to install and execute applications as they wish, no matter where or how they obtained the installer. This poses a major risk: ransomware or other malware can infect a machine and propagate through the organization, and an attacker can install remote access tools that let them return whenever they wish. A user working from a privileged account can install malicious software simply by reading e-mail, opening documents, browsing the Internet and clicking links, or plugging in a USB device. Those tools give the attacker a foothold from which to begin the attack; in the worst case the system and its sensitive data are encrypted and a payment is demanded to unlock them. The ransom note typically sets a short deadline, often 72 hours, after which the key is destroyed and the data becomes permanently inaccessible. The only way back is to rebuild, or to restore from a backup if one exists and is intact.

Least privilege lets a user do their job without standing administrative rights. When an accidentally clicked link or opened attachment tries to do something that needs those rights, for example loading a driver to encrypt the whole disk, disabling the endpoint security agent, or deleting volume shadow copies, the action fails because the user's privileges do not permit it, and that part of the attack stops immediately. The caveat a practitioner should keep in mind is that encrypting files the user can already write, on the local disk or on a network share or folder they have write access to, needs no elevation at all; least privilege limits the blast radius to the user's own permissions rather than eliminating it, which is why application whitelisting and offline backups remain necessary. Application whitelisting provides the second check: it verifies whether the application, or the source it came from, is trusted, and if the application is unknown its execution can be blocked until the source has been identified or the application has been analyzed for disruptive behavior.

Real-time elevation is the ability to decide, at the moment an application asks for elevated privileges, whether the application, the environment and the user's context make it safe to grant them. The decision weighs several parameters: the application's reputation, the user's current privilege context, and whether the system itself meets defined security controls. If those policies are not met, a security analyst can be asked to intervene and decide whether the application should be allowed to elevate.
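The whitelisting checks described in the preceding paragraphs (hash, publisher and path rules, with unknown applications blocked) and the real-time elevation decision described just above can be expressed as one small policy engine. The following is an added example written for this page, not code from Thycotic's Privilege Manager or from the original post; the rule set, the reputation feed, the signer name "Contoso Ltd" and the sample binaries are assumptions made up for the illustration. It orders the checks the way a practitioner would: a known-bad hash is denied first, an exact hash match is the strongest allow, a publisher rule counts only when the signature actually verified, and path rules come last, with user-writable directories (such as C:\Windows\Temp, which sits under a trusted C:\Windows) denied before trusted directories are consulted. Elevation is a separate, stricter decision that can end in "analyst", the intervention step the text describes.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class AppRequest:
    path: str              # full path the binary is launched from
    content: bytes         # file bytes: hashed for the hash rule and the reputation lookup
    publisher: str         # subject name on the code-signing certificate ("" if unsigned)
    signature_valid: bool  # did the signature verify? A publisher name alone proves nothing
    host_compliant: bool   # endpoint passes its security checks (patched, AV running, ...)


@dataclass
class Policy:
    allowed_hashes: set        # exact SHA-256 allow-list: strongest rule, but brittle across updates
    trusted_publishers: set    # signers whose validly signed code may run
    trusted_dirs: tuple        # directories a standard user cannot write to
    user_writable_dirs: tuple  # never trusted by path, even when nested under a trusted directory
    reputation: dict           # sha256 -> "good" | "bad"; absent means unknown (assumed feed)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def launched_from(path: str, dirs) -> bool:
    """True if path lies below any directory in dirs (case-insensitive Windows semantics)."""
    parents = PureWindowsPath(path).parents
    return any(PureWindowsPath(d) in parents for d in dirs)


def decide_run(req: AppRequest, policy: Policy) -> tuple:
    """Whitelisting: may this binary execute at all? Returns (verdict, reason)."""
    digest = sha256(req.content)
    if policy.reputation.get(digest) == "bad":
        return "deny", "known-bad hash"
    if digest in policy.allowed_hashes:
        return "run", "hash allow-listed"
    if req.signature_valid and req.publisher in policy.trusted_publishers:
        return "run", "trusted publisher"
    # Path rules come last, and user-writable locations are tested before trusted ones:
    # C:\Windows\Temp sits under C:\Windows, yet any user can drop a file there.
    if launched_from(req.path, policy.user_writable_dirs):
        return "deny", "launched from user-writable location"
    if launched_from(req.path, policy.trusted_dirs):
        return "run", "trusted directory"
    return "deny", "unknown application"


def decide_elevation(req: AppRequest, policy: Policy) -> tuple:
    """Real-time elevation: run with admin rights, refuse, or hand the decision to an analyst."""
    verdict, reason = decide_run(req, policy)
    if verdict == "deny":
        return "deny", reason
    if not req.host_compliant:
        return "analyst", "host fails compliance checks"
    digest = sha256(req.content)
    if digest in policy.allowed_hashes or policy.reputation.get(digest) == "good":
        return "elevate", reason
    # Allowed to run as the user, but nothing vouches for it strongly enough to run as admin.
    return "analyst", "no reputation for elevation"


# Constructed sample data: stand-ins for real binaries and a real reputation feed.
APPROVED_INSTALLER = b"MZ constructed approved installer"
RANSOMWARE_DROPPER = b"MZ constructed ransomware dropper"
UNKNOWN_TOOL = b"MZ constructed unknown tool"

POLICY = Policy(
    allowed_hashes={sha256(APPROVED_INSTALLER)},
    trusted_publishers={"Contoso Ltd"},  # assumed signer name
    trusted_dirs=(r"C:\Program Files", r"C:\Windows"),
    user_writable_dirs=(r"C:\Users", r"C:\Windows\Temp"),
    reputation={sha256(RANSOMWARE_DROPPER): "bad"},
)

if __name__ == "__main__":
    cases = [
        AppRequest(r"C:\Users\bob\Downloads\invoice.exe", RANSOMWARE_DROPPER, "", False, True),
        AppRequest(r"C:\Windows\Temp\update.exe", UNKNOWN_TOOL, "Contoso Ltd", False, True),
        AppRequest(r"C:\Program Files\Contoso\tool.exe", UNKNOWN_TOOL, "Contoso Ltd", True, True),
        AppRequest(r"C:\Program Files\Setup\install.exe", APPROVED_INSTALLER, "", False, False),
    ]
    for req in cases:
        print(f"{req.path:42} run={decide_run(req, POLICY)} elevate={decide_elevation(req, POLICY)}")
```

Two design choices matter here. First, the second sample request claims a trusted publisher but its signature did not verify, so the claim is ignored and the path rule denies it; an attacker can type any company name into a certificate's subject, only a validated chain means anything. Second, an application that is allowed to run as the user still does not automatically get to run as an administrator: unless a hash match or a good reputation vouches for it, and the host is compliant, the request goes to an analyst.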

Privileged Account Management is an effective way to prevent ransomware from spreading through the environment, and in particular to critical systems. It ensures that when ransomware infects a system it cannot reuse the credentials exposed on that system to move laterally to other systems on the network: local administrator passwords are unique per host and rotated, and privileged accounts are not used for everyday e-mail and browsing, so a compromised workstation does not yield credentials that work anywhere else.

Thycotic is a security provider to over 10,000 customers, including hospitals and healthcare companies, which use Thycotic's software for daily management of privileged passwords and to control privilege escalation, the critical stage of a cyber-attack in which credentials are compromised and attackers move closer to sensitive data while remaining undetected.

Thycotic is a leader in privileged account management and has several solutions that address the recommendations in the alert from US-CERT and the Department of Homeland Security. These are:

1.) Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.

Thycotic’s Application Control solutions help organizations quickly deploy effective Least Privilege and Application Control. Beyond application whitelisting they provide blacklisting, Situational Awareness, Dynamic Listing and Real-Time Elevation of privileges, driven by the application's reputation and by whether a security analyst's intervention is required. Much of this is automated: when an application from an unknown source is detected it can automatically be prevented from elevating, the security team alerted, and an incident created for analysis.

2.)  Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.

3.)  Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.

Thycotic’s application access control software, Privilege Manager, determines which applications require elevated privileges, making it easier for organizations to remove or reduce privileged access to only what is required. The software intervenes only when elevated privileges are genuinely needed to install or run an application.

Want to learn more about reducing your risks with Least Privilege and Application Control? Download our free Healthcare Ransomware Whitepaper.




Joseph Carson

Joseph Carson has over 25 years' experience in enterprise security, is the author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies", and is a cyber security professional and ethical hacker. Joseph is a cyber security advisor to several governments, critical infrastructure, financial and transportation industries, speaking at conferences globally. Joseph serves as the Chief Security Scientist at Thycotic.
