[ Tuesday, April 19, 2016 ]


US-CERT Ransomware Alert:  The United States Computer Emergency Readiness Team at the US Department of Homeland Security has issued an Alert about ransomware.  Best takeaways seem to be things I've been saying all along: backups (good, fresh, tested, and remote); patching; virus protection; access restriction; phishing protection (training to not click on links).  One thing I've been preaching that they don't touch: restricting internet-facing computers and reducing open ports.

I'll admit to two additional tips I haven't been harping on that are very worthwhile.  The first is application whitelisting.  This is a program where only approved applications may run on the network or on connected servers and computers.  This can prevent a lot of potential problems, not just ransomware.  When a bad program infects your system and tries to start encrypting files, the program won't be on the whitelist, so the operating system won't let it run.  Of course, we can anticipate that hackers will adapt their encryption programs to run within commonly whitelisted programs, or write them to mirror such programs so they can appear to be whitelisted, but it will certainly prevent some, and is a good response in the here and now.
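To make the mechanism concrete, here is a small PowerShell script (an added example, not code from the original post or from US-CERT) showing the core of hash-based application whitelisting: approved programs are recorded by the SHA-256 of their contents, and an execution check consults only that hash, never the file name. The folder, file names and "programs" are constructed stand-ins so it runs on any machine with PowerShell 4 or later.

```powershell
# Added example, not from the original post: a minimal hash-based application
# allowlist check of the kind the post describes. Approved programs are
# identified by their SHA-256 content hash, not their file name, so an
# unapproved binary renamed to look like an approved one is still refused.
# The files and hashes below are constructed for this demo.

$demoDir = Join-Path ([System.IO.Path]::GetTempPath()) "allowlist-demo"
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

# Two stand-in "programs" (plain text so the demo runs on any PowerShell).
$approved = Join-Path $demoDir "backup.exe"
$unknown  = Join-Path $demoDir "unknown.exe"
Set-Content -Path $approved -Value "approved backup program"
Set-Content -Path $unknown  -Value "something that was never approved"

# Build the allowlist at approval time: content hash -> description.
function New-Allowlist([string[]] $ApprovedPaths) {
    $list = @{}
    foreach ($p in $ApprovedPaths) {
        $h = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        $list[$h] = (Split-Path $p -Leaf)
    }
    return $list
}

# Enforcement point: the decision depends on the content hash only.
function Test-AllowlistedFile([string] $Path, [hashtable] $Allowlist) {
    $h = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path    = $Path
        Sha256  = $h.Substring(0, 16) + "..."
        Allowed = $Allowlist.ContainsKey($h)
    }
}

$allowlist = New-Allowlist @($approved)

# An unapproved program carrying an approved program's name has the same
# hash as unknown.exe, so it is still refused.
$lookalikeDir = Join-Path $demoDir "lookalike"
New-Item -ItemType Directory -Path $lookalikeDir -Force | Out-Null
$lookalike = Join-Path $lookalikeDir "backup.exe"
Copy-Item -Path $unknown -Destination $lookalike -Force

# backup.exe -> Allowed True; unknown.exe and lookalike\backup.exe -> False
@($approved, $unknown, $lookalike) |
    ForEach-Object { Test-AllowlistedFile -Path $_ -Allowlist $allowlist } |
    Format-Table -AutoSize
```

In production the operating system does this enforcement rather than a script: on Windows, AppLocker hash rules (built with `New-AppLockerPolicy -RuleType Hash`) or Windows Defender Application Control hold the same kind of list. Two caveats follow from the script: every legitimate patch changes a program's hash, so the list needs a maintenance process, and, as the post anticipates, a hash list does nothing against malicious code that runs inside a program that is already approved, such as a scripting host or an Office application.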

The second tip, which I've seen elsewhere, is to prohibit (or at least limit) the running of macros.  You know I'm not a "1's and 0's" guy so I'm not sure how this works, but many viruses can hide in macros, so that a PDF or Word document can be the carrier of the virus.  While many people know not to click on links to unknown websites or open .zip or .exe files, many think that Word and PDF files must be harmless.  However, any file with a macro might be a virus carrier.
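For readers who do want the "1's and 0's" of limiting macros, the following PowerShell script (an added example, not from the original post) audits and sets the two Microsoft-documented Office policy values that matter most: `VBAWarnings`, which controls whether unsigned macros may run, and `BlockContentExecutionFromInternet`, which blocks macros in files downloaded from the internet. It assumes Office 2016 (registry version `16.0`) on Windows and writes the current-user policy key; other Office versions use a different version number in the path, and an organisation would push the same values through Group Policy instead.

```powershell
# Added example, not from the original post. Audits and applies the
# Microsoft-documented Office 2016 (version 16.0) policy values that disable
# unsigned VBA macros and block macros in files downloaded from the internet.
# Assumption: Office 2016 on Windows PowerShell; the settings are written for
# the current user (HKCU). Run Get-OfficeMacroPolicy first to see the
# current state, then Set-OfficeMacroPolicy to apply.

$OfficeVersion = "16.0"
$OfficeApps    = @("Word", "Excel", "PowerPoint")

function Get-OfficeSecurityKey([string] $App) {
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

# Audit: report the current values (blank means "not set", i.e. Office default).
function Get-OfficeMacroPolicy {
    foreach ($app in $OfficeApps) {
        $key   = Get-OfficeSecurityKey $app
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            App                 = $app
            # 1 = enable all, 2 = disable with notification,
            # 3 = disable except digitally signed, 4 = disable all silently
            VBAWarnings         = $props.VBAWarnings
            # 1 = block macros in files marked as downloaded from the internet
            BlockInternetMacros = $props.BlockContentExecutionFromInternet
        }
    }
}

# Apply: 3 (signed macros only) is a workable default; 4 is the strictest.
function Set-OfficeMacroPolicy {
    param([ValidateSet(3, 4)] [int] $VBAWarnings = 3)
    foreach ($app in $OfficeApps) {
        $key = Get-OfficeSecurityKey $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $VBAWarnings -Type DWord
        Set-ItemProperty -Path $key -Name BlockContentExecutionFromInternet -Value 1 -Type DWord
    }
    Get-OfficeMacroPolicy
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

The audit function is the useful half for most readers: run it across a fleet and any machine still reporting a blank or `1` for `VBAWarnings` is one where a macro-carrying attachment will run on a single click. Setting `VBAWarnings` to 3 rather than 4 keeps internally signed macros working, which is usually the compromise that lets a policy survive contact with a finance department.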

Finally, I could complain about how slow US-CERT is ("when seconds matter, help is only minutes away"), since we've been fighting ransomware like a wildfire for months.  But at least they have responded, and I've got to admit that I got something out of it (app whitelisting) that I'll use in the future.

Jeff [10:26 AM]

HIPAA Blog