If you’re a system administrator, the network you look after is almost certainly way more spread out since coronavirus stay-at-home regulations kicked in.
But even if your colleagues are using their own computers now, and connecting in via their own internet connections, it’s still “your” network, and it still represents a valuable target – as a network, not just as numerous individual computers – to cybercriminals.
And one of the most dramatic all-at-once attacks that your network can suffer is, of course, ransomware.
Ransomware attacks often rely on victims making a few basic mistakes that are often quite uncomfortable to confront – it’s natural to assume you haven’t made any (or, at least, not many), and it can feel both tired and tiring to keep going through the basics.
So we decided that we’d find a fun way to help you to keep track of the common blunders that often lead to ransomware – something with rhyme and rhythym as well as reason.
Imagine that your computer were a house, and ransomware a gang of burglars, and chant along with us…
Don't lock the door and then forget And leave the windows wide. <--PROTECT YOUR SYSTEM PORTALS Don't think that keys beneath the mat Will keep the crooks outside. <--PICK PROPER PASSWORDS Don't set a guard to watch all night And write things in a book, Yet when you get their careful notes, just never take a look. <--PERUSE YOUR SYSTEM LOGS Don't buy alarms but turn them off Because they make a row. <--PAY ATTENTION TO WARNINGS And when you need to do repairs, Don't shrug, and say, "Not now." <--PATCH EARLY, PATCH OFTEN
We’ve summarised the actions you can take into 5 simple phrases, each starting with P so they’re easy to remember.
1. Protect your system portals
Crooks often sneak in by looking for remote access portals such as RDP (remote desktop protocol) and SSH (secure shell) that aren’t properly secured, perhaps because they were set up temporarily but then forgotten about.
Learn how to scan your own network from the outside and make sure that any services that are open and listening for connections are supposed to be there, and that they are on your regular security checklist.
If you don’t check your network for access holes you’ve left open by mistake, then the crooks will do it for you!
2. Pick proper passwords
When you’re in a hurry, especially if you have to rely almost exclusively on remote access these days due to coronavirus lockdown, it’s easy to take shortcuts to “get it working” and to promise yourself you’ll check all the locks and latches later.
Yet every time there’s a huge password dump due to a data breach, you will invariably find the password changeme
somewhere near the top of the list.
Clearly, lots of people start out with basic passwords with every good intention to pick a proper one soon, but then never get around to it.
Start as you plan to go on, with proper passwords from the outset, plus two-factor authentication to augment your security whenever it’s available.
3. Peruse your system logs
Many, if not most, ransomware attacks don’t happen instantly or without warning – the crooks usually take some time, often days and sometimes longer, to get a picture of your entire network first.
That’s how they make sure, when they finally pull the trigger that initiates the attacks, that they will get the destructive result they want for the ransom they plan to demand.
So there will often be numerous telltale signs in your logs, such as the appearance of “grey hat” hacking tools that you wouldn’t expect your own users to need or use; sysadmin operations such as creating new accounts that happened at unusual times; and network connections from outside that don’t follow your usual pattern.
(The Sophos Managed Threat Response team can help you here – they know not only what to look for but also where to find it.)
4. Pay attention to warnings
If you’ve set up your alerting system to shout at you all the time, you will almost certainly end up with alert fatigue, where you just click through because you’ve run out of time.
But be careful not to assume that otherwise interesting warnings can be ignored if they mention a potential threat was already blocked.
Often, threats that pop up on your network aren’t just chance events, they’re evidence that crooks are already poking around cautiously to see which actions set off what alarms, in the hope of pulling off a much bigger attack later on.
5. Patch early, patch often
Don’t leave yourself exposed to potential holes for longer than necessary.
While the crooks are scanning your network for ways to get in (see 1), they can also scan for externally accessible services that aren’t patched at the same time.
This helps the crooks automatically build lists of potential victims to come back to later – so your best result is simply not to be on their list!
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Raylund
We’re using a solution which avoiding user’s home machine to “join” to our network (e.g. using VPN connection). Although I wouldn’t say it’s not part of our network, it limited the vectors of attack.
For example. Even user’s home machine was infected, it won’t propagate via network layer to our corporate network. Even it, somehow, propagated to our office/corporate machine, our machines have better layered security measure than user’s home machine; I think you may know now how messy user’s home machine could be. Moreover, the solution supports 2FA, role based (i.e. controlling who could access which) and auditing logs.
The only issue we’ve faced was a few weeks ago, our office has power outage that I needed to go back to office and powered on some machines again (some did power up but some didn’t).
Paul Ducklin
Sounds like you’re doing the right things already, notably 2FA and logs that might give you an early warning of crooks in town… if you tell me you actually look at the logs from time to time I’ll be happier still :-)
Mark
As someone working from home, what do I need to do to scan my network from the outside and make sure that any services that are open and listening for connections are supposed to be there, and that they are on your regular security checklist? Sounds complicated, but we all need to up our game on these sorts of things.
Paul Ducklin
I actually talked about that in last week’s Naked Security Live video, which you might enjoy on Facebook (you don’t need an account to watch it):
https://www.facebook.com/SophosSecurity/videos/1110700142598583/
(I recited the above poem live on camera… just saying :-)
One answer, if you have a friend you trust, is to do it as a sort of “tag team” learning exercise, using the free open source tool NMAP. It’s a handy way to hang out and learn together during lockdown. You’ll need each other’s external IP numbers (get yours from your router if you aren’t sure) and a bit of time and patience. Start small, maybe just do a basic scan for obvious ports like SSH, telnet, HTTP and HTTPS, and see how you get along. NMAP has loads of examples and guidance on its website, including a free online book. As long as you only scan your friend’s IP number (and they scan only yours), by mutual agreement, you won’t be hammering away on anyone else’s network by mistake.
(You might want to have a look at your ISP’s terms and conditions first – but if you keep the traffic reasonable and you take care only to examine each other’s IP numbers, you won’t be going off piste or accidentally triggering alerts on someone else’s network.)
HtH
PS. Watch out for NMAP downloads that are “remixes” from download sites. Always use NMAP’s own site, which is: https://nmap.org
Bryan
Excellent point, downloading from the correct/original source. Great article yet again–thanks!
Paul Ducklin
Glad you liked it, and thanks for your kind words.
Jake
Great article Paul! I hope you can go over this in a future podcast episode. I’m going to try and apply these tips in the workplace.
Paul Ducklin
Thanks!
As mentioned in a comment above, there’s a live rendition of the poem on our Facebook page – and a 10-minute video on this very issue. You might also like some of these podcasts that are going out this week (you have to sign up with an email address right now, but then you can listen “live” or download the audio files later this week):
https://events.sophos.com/securitysosweek2020