<p>Feed: prevention - All Articles - CISO Platform (<a href="https://www.cisoplatform.com/profiles/blogs/feed/tag/prevention">https://www.cisoplatform.com/profiles/blogs/feed/tag/prevention</a>), retrieved 2024-03-29.</p>
<h1>Top 11 Ransomware Prevention Resources</h1>
<p>CISO Platform, 2016-07-19, by <a href="https://www.cisoplatform.com/members/pritha">pritha</a>. Source: <a href="https://www.cisoplatform.com/profiles/blogs/top-11-ransomware-resources">https://www.cisoplatform.com/profiles/blogs/top-11-ransomware-resources</a></p>
<div><p>Ransomware is a type of malicious software (malware) that, once it has infected a system, encrypts all the important files such as documents, pictures and video files with a practically unbreakable encryption key. Here we have compiled some good reads: blogs, articles, freely available decryptors and removal kits, to keep you up to date on the latest happenings in the ransomware space.</p>
<p>1. <strong>(Free tools)</strong> <a href="http://betanews.com/2016/07/01/avg-announces-6-new-tools-to-free-your-data-from-ransomware/" target="_blank">AVG announces 6 new free decryption tools to retrieve your encrypted files</a>: AVG has come out with six new tools designed to fight this affliction, each for a different form of this malware. According to AVG, these new free tools decrypt files affected by six current ransomware strains: Apocalypse, BadBlock, Crypt888, Legion, SZFLocker, and TeslaCrypt.</p>
<p>2. <a href="http://www.bleepingcomputer.com/forums/t/577861/locker-ransomware-author-allegedly-releases-database-of-private-keys/" target="_blank">Locker Ransomware author dumps database of private keys, apologizes</a>: Allegedly, the author of the "Locker" ransomware has uploaded a dump of the C2 server database, releasing the private keys of infected hosts worldwide to the public. The "author" claims that the release was a mistake, that no further keys will be used for encryption, and that automatic decryption of all affected hosts will begin on June 2nd 2016.</p>
<p>3. <strong>(Free tool)</strong> <a href="http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/" target="_blank">ESET releases new free decryptor for TeslaCrypt ransomware</a>: After the TeslaCrypt authors announced that they were closing down their operation and made their universal master decryption key public, ESET created a free decryptor tool to unlock files affected by all variants of this ransomware between 3.0.0 and 4.2.</p>
<p>4. <a href="http://www.tripwire.com/state-of-security/latest-security-news/ransomware-removal-kit-published-online-helps-streamline-infection-response/" target="_blank">Ransomware removal kit published online, helps streamline infection response</a>: A security researcher has made a ransomware removal kit available online in the hope that it will help security professionals and system administrators alike in responding to ransomware infections. Researcher Jada Cyrus has published the <a href="https://bitbucket.org/jadacyrus/ransomwareremovalkit/overview" target="_blank">kit on Atlassian Bitbucket</a>. The kit consists of removal tools for common ransomware variants, as well as <a href="http://www.theregister.co.uk/2015/05/21/ransomware_rescue_kit/" target="_blank">guides on how to perform the necessary removal tasks</a>.</p>
<p>5. <a href="https://heimdalsecurity.com/blog/what-is-ransomware-protection/" target="_blank">What is Ransomware and 15 Easy Steps To Keep Your System Protected [Updated]</a>: A very comprehensive and regularly updated guide on ransomware. This blog outlines target vectors, attack anatomy, ransomware families and much more.</p>
<p>6. <a href="https://deobfs.com/2016/06/14/behaviour-analysis-of-cerber-ransomware/" target="_blank">Behaviour analysis of CERBER ransomware</a>: The ransomware known as CERBER has been around since early March, according to Trend Micro, and so far has used different techniques for delivering its payload to the victim. For instance, it has been seen to use compressed JavaScript files (.zip) and, in other instances, Windows Script Files (WSFs) containing XML content that are executed by Windows' wscript.exe utility.</p>
<p>7. <a href="http://blogs.csc.com/2016/04/14/when-the-cryptolocker-strikes-reasons-for-success-of-ransomware/" target="_blank">When the cryptolocker strikes: Reasons for ransomware success and ways to prevent</a>: What factors lead to the high success rate of cryptolockers, a type of ransomware that scrambles your files and asks for a ransom to recover them?</p>
<p>8. <a href="https://virtuallysober.com/2016/07/07/catching-ransomware-infections-with-a-honeypot-script-integration-into-zerto-virtual-replication/" target="_blank">Catching Ransomware infections with a Honeypot script &amp; integration into Zerto Virtual replication</a>: This script uses the honeypot technique to detect ransomware infections by comparing two files, a honeypot file and a witness file: any difference between them means something has modified the honeypot.</p>
<p>9. <a href="https://cyberattackblog.wordpress.com/2016/07/06/zeptothe-new-threat/" target="_blank">"Zepto" the new threat</a>: Analysis and anatomy of the new ransomware known as "Zepto". The blog explains how Zepto infects a target computer and how to detect its behaviour.</p>
<p>10. <a href="https://technologyevaneglist.wordpress.com/2016/06/27/how-to-trade-bitcoins/" target="_blank">How to trade Bitcoins</a>: Practically all ransomware attackers demand ransom in Bitcoin. Bitcoin is a relatively new currency that has significantly increased in value over the past few years. Bitcoin is known as a cryptocurrency and can be traded in order to earn money.</p>
<p>11. <a href="https://nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/" target="_blank">Ransomware that's 100% pure JavaScript, no download required</a>: By the start of 2016, many crooks were steadily shifting their infection strategy as the world began to realise that enabling macros was a really bad idea. These days, a lot of ransomware arrives in JavaScript attachments, and this blog analyses and presents the challenges associated with that.</p>
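<p>The honeypot/witness technique from item 8, as an added example written for this edit (it is not the script from the linked post and does not use Zerto): a honeypot file is placed where ransomware would reach it early and a witness copy is kept where ordinary activity never touches it; the check treats a missing, renamed, resized or modified honeypot as a tamper signal. File names and content are constructed for the demo.</p>

```python
"""Honeypot/witness file check for ransomware activity (added example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Tuple


@dataclass
class CheckResult:
    tampered: bool
    reason: str


def sha256_of(path: str) -> str:
    """Stream the file so large honeypots do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_honeypot(honeypot: str, witness: str) -> CheckResult:
    """Compare the exposed honeypot with the protected witness copy.

    Ransomware typically rewrites a file in place and/or renames it with a
    new extension, so absence and size change are checked before hashing.
    """
    if not os.path.exists(honeypot):
        return CheckResult(True, "honeypot file missing or renamed")
    if os.path.getsize(honeypot) != os.path.getsize(witness):
        return CheckResult(True, "size differs from witness")
    if sha256_of(honeypot) != sha256_of(witness):
        return CheckResult(True, "content differs from witness")
    return CheckResult(False, "honeypot intact")


def demo() -> Tuple[CheckResult, CheckResult, CheckResult]:
    """Constructed scenario: intact, overwritten in place, then renamed."""
    with tempfile.TemporaryDirectory() as workdir:
        witness = os.path.join(workdir, "witness.docx")
        # Name starts with "aaa_" so an alphabetical directory walk reaches it first.
        honeypot = os.path.join(workdir, "aaa_do_not_delete.docx")
        payload = b"Quarterly numbers (constructed canary content)\n" * 64
        for path in (witness, honeypot):
            with open(path, "wb") as fh:
                fh.write(payload)
        intact = check_honeypot(honeypot, witness)

        # Simulate an in-place overwrite: same length, different bytes.
        with open(honeypot, "wb") as fh:
            fh.write(bytes(b ^ 0x5A for b in payload))
        modified = check_honeypot(honeypot, witness)

        # Simulate the rename many families apply after encrypting.
        os.rename(honeypot, honeypot + ".locked")
        renamed = check_honeypot(honeypot, witness)
    return intact, modified, renamed


if __name__ == "__main__":
    for result in demo():
        print(("ALERT " if result.tampered else "ok    ") + result.reason)
```

<p>In production the check would run on a schedule against a honeypot on each share, and a tamper result would trigger the response action (the linked post pauses replication; disconnecting the share or isolating the client are other options).</p>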
</div>
<h1>Ransomware Attacks: How Prepared Are You?</h1>
<p>CISO Platform, 2016-08-01, by <a href="https://www.cisoplatform.com/members/pritha">pritha</a>. Source: <a href="https://www.cisoplatform.com/profiles/blogs/ransomware-attacks-how-prepared-are-you">https://www.cisoplatform.com/profiles/blogs/ransomware-attacks-how-prepared-are-you</a></p>
<div><p>Ransomware is a type of malicious software (malware) that, once it has infected a system, encrypts all the important files such as documents, pictures and video files with a practically unbreakable encryption key. Ransomware arrives via email attachments, insecure downloads, the use of outdated browsers, or through Trojans such as Zeus. Once executed, the malware usually reaches out to its command and control (C&amp;C) server over the internet to obtain the encryption key. The encryption is almost always asymmetric and impossible to crack. The malware is also able to encrypt locally mapped network drives and cloud storage drives. The attacker's main motive is to extort money from the victim in return for the private key needed for decryption. The attacker usually leaves a message in the encrypted folders instructing users to pay the ransom in Bitcoin or via MoneyPak. In most cases even paying the ransom does not work out well for the victim, as the private key fails to decrypt some of the important documents, especially those on mapped network drives and locally mapped cloud storage drives. There is ransomware developed specifically for mobile platforms as well, and it has affected thousands of mobile devices worldwide.</p>
<p>Some of the well-known ransomware families are CryptoLocker, CryptoWall, TeslaCrypt, TorrentLocker and CTB-Locker. Attackers frequently release new variants of ransomware by tweaking and subtly changing lines of code in the most popular ones to avoid detection. According to various research works, India ranks 3rd in Asia and 9th worldwide among the countries affected by malware attacks, the most affected sectors being banking and pharmaceuticals. A research team at Malwarebytes has identified LeChiffre, whose name means "encryption" in French, which caused millions of dollars of damage after infecting several banks and pharmaceutical companies. According to The Economic Times, some companies have paid ransoms of millions of dollars after such attacks.</p>
<p><b>Here are some tips that you can put to use to avoid getting into such a situation:</b></p>
<h2><span class="font-size-4">1. Back up your important data at regular intervals</span></h2>
<p>This is the most logical preventive measure that your organization can adopt to thwart such attacks. Make sure that your backup solution is up and running as it should be. Keep in mind that the backup should be kept on a separate external drive. If you are using an automated backup solution, make sure that your backup drives are connected only during the backup process and are disconnected from the network once the process is complete; a backup that stays mounted can be encrypted along with everything else.</p>
<h2><span class="font-size-4">2. Develop a robust vulnerability management and patch management program</span></h2>
<p>Vulnerable applications and software are among the attack vectors used by attackers. Remember to keep your operating systems, browsers, browser plug-ins, Java and other software up to date with the latest patches installed. The best way to accomplish this is by developing a robust vulnerability management and patch management program: using automated vulnerability detection tools and patch management solutions, and making sure that all patches are installed in a timely manner, gives you better protection against such attacks.</p>
<h2><span class="font-size-4">3. Fine tune your systems and security solutions to a more secure configuration</span></h2>
<p>Fine tuning your security solutions and systems can give you a great deal of protection against ransomware attacks. Tweak your anti-spam solution to filter out mails with executable attachments; tweak your IPS and firewall to block malicious traffic; disable remote access services on systems if they are not required; deactivate auto-play for devices; disable unused network adapters (Wi-Fi, Bluetooth etc.); do not map network drives and cloud storage folders to your local system unless necessary; configure systems to show hidden file extensions; block unauthorized USB access; and uninstall applications that you don't use.</p>
<h2><span class="font-size-4">4. Use a good endpoint security solution to detect malicious code</span></h2>
<p>A good, advanced anti-malware product can help you identify malicious code and possible malware attacks. Keep your security software up to date with the latest version and malware database. It is also a good idea to run the Windows firewall or other host firewall software on your system to detect any unauthorized attempt by malicious code to connect to the internet.</p>
<h2><span class="font-size-4">5. Educate your employees &amp; colleagues</span></h2>
<p>Educate your employees about safe internet browsing practices, such as not clicking suspicious links, not running suspicious programs on their systems and not installing unverified browser plug-ins. Employees should also be educated about social engineering attacks, and about verifying email attachments before downloading or opening them.</p>
<p>References:</p>
<ul>
<li><a href="http://www.symantec.com/security_response/publications/threatreport.jsp">http://www.symantec.com/security_response/publications/threatreport.jsp</a></li>
<li><a href="https://blog.malwarebytes.org/intelligence/2016/01/lechiffre-a-manually-run-ransomware/">https://blog.malwarebytes.org/intelligence/2016/01/lechiffre-a-manually-run-ransomware/</a></li>
</ul>
</div>
<h1>Ransomware - Practical View, Mitigation &amp; Prevention Tips</h1>
<p>CISO Platform, 2017-02-16, by <a href="https://www.cisoplatform.com/members/pritha">pritha</a>. Source: <a href="https://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips">https://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips</a></p>
<div><p>Ransomware is a type of malware that encrypts everything on your system with a cryptographic algorithm and holds the encrypted data hostage for ransom, demanding that the user pay for the decryption key. There are two types of ransomware. The first type encrypts all data on the system and renders it nearly impossible to recover without the key. The second type simply locks the system and demands a key to unlock it, but does not encrypt the data itself.</p>
<p>One of the best-known ransomware families is CryptoLocker. It uses the RSA cryptosystem to encrypt data, and the malware's command and control server holds the private key needed for decryption. It typically propagates as a Trojan and relies mainly on social engineering.</p>
<p>The way ransomware operates (unlike its purpose) is quite interesting. For a proper understanding, we can divide it into the following steps:</p>
<p>1. It enters the victim's system and installs itself covertly and silently, placing its keys in the system registry.</p>
<p>2. After installation, it contacts its command and control center, which tells the ransomware what to do. It starts the communication by performing a "handshake" with the server and then exchanges keys.</p>
<p>3. Next, it begins working with the key provided by the server and starts encrypting the data on the machine. It uses common file extensions to identify the files to encrypt.</p>
<p>4. This is where it gets scary. After encrypting the data, a message appears on your screen informing you that your data has been locked and threatening that if you do not pay within a specific time period, you may never see your data again.</p>
<p><span class="font-size-5"><strong>How it propagates:</strong></span></p>
<p>Ransomware mostly uses social engineering tricks to propagate: email attachments carrying malicious files, and forged or tampered documents with embedded scripts. In addition, it uses malicious URLs that point to vulnerable and compromised sites. Internet surfing and downloading software from unknown publishers are also likely causes of infection. Ransomware also spreads through removable media such as USB sticks and portable hard drives.</p>
<p><span class="font-size-5"><strong>Ransomware installation:</strong></span></p>
<p>Its installation is a covert operation. It exploits Windows' default behaviour of hiding file extensions to disguise the real .exe extension. Once it reaches its target through any of the propagation methods mentioned above and a user opens the malicious file, it becomes memory resident on the computer. It then usually saves itself in the AppData, user Temp and Local AppData folders, and later adds a Windows registry key that activates the malware every time Windows restarts. For more detail on the differences between these folders, see <a href="http://stackoverflow.com/questions/16276139/difference-between-program-data-and-appdata" target="_blank">this Stack Overflow question</a>.</p>
<p><span class="font-size-5"><strong>Primary Method of Operation</strong></span></p>
<p>The main method is encryption of the data on the target computer. It generates a random symmetric encryption key for each file, and targets files with common extensions like .jpg, .doc, .docx, .xls, .png, .ppt, .pptx, .jpeg, etc., as well as other files whose extensions are listed in the malware code. It uses the AES algorithm to encrypt the data files. After encrypting a file, it encrypts that file's random key with the RSA public key obtained from its operators and appends the result to the encrypted file. Now only the owner of the matching private key can recover the random key that was used to encrypt the data.</p>
<p>The malware communicates with its command and control center to obtain the public key. To locate that center it uses a domain generation algorithm (DGA), driven by a pseudo-random number generator such as the "Mersenne Twister", to produce candidate domain names. After encrypting the data, it displays a message to the user with the time limit within which the ransom has to be paid for the key, and warns that failure to do so will delete the key.</p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAl-AAAAJGZkYzg1ZmEyLTlhY2EtNGI2Ni1iMzVlLWI1ZGFiMWQxYzViOQ.png?width=658" width="658" class="align-center" alt="AAEAAQAAAAAAAAl-AAAAJGZkYzg1ZmEyLTlhY2EtNGI2Ni1iMzVlLWI1ZGFiMWQxYzViOQ.png?width=658" /></a></p>
<p></p>
<p>A compromised system can show symptoms such as a high rate of peer-to-peer (P2P) communication, increased network communication (with the command and control server) and high usage of system resources.</p>
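<p>As an added illustration of the network-side symptoms above (example code written for this edit, not from the original post): the DGA behaviour described earlier produces bursts of lookups for names that were never registered, so a simple per-client scoring of DNS logs, on the share of NXDOMAIN answers and the randomness of the queried names, can surface a host that is searching for its command and control server. The log format, the client addresses and the thresholds are constructed for the demo.</p>

```python
"""Score DNS log lines per client for DGA-like behaviour (added example)."""
import math
from collections import defaultdict
from typing import Dict, Tuple

# Constructed sample log; assumed format: "<time> <client-ip> <qname> <rcode>".
SAMPLE_LOG = """\
10:00:01 10.0.0.21 www.example.com NOERROR
10:00:02 10.0.0.21 mail.example.com NOERROR
10:00:03 10.0.0.21 cdn.example.net NOERROR
10:00:04 10.0.0.21 updates.vendor.example NOERROR
10:00:04 10.0.0.21 login.example.org NOERROR
10:00:05 10.0.0.42 qwpxlrutvkjhfsdn.com NXDOMAIN
10:00:05 10.0.0.42 zkhvprwqnmfltbxy.net NXDOMAIN
10:00:06 10.0.0.42 vbnlrtqwksdhgxpz.org NXDOMAIN
10:00:06 10.0.0.42 mnqrtwvxzpklsdfg.com NXDOMAIN
10:00:07 10.0.0.42 xzqwvrtplkmnsdbh.info NXDOMAIN
10:00:07 10.0.0.42 www.example.com NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: 16 distinct characters in 16 gives 4.0, 'aaaa' gives 0."""
    if not text:
        return 0.0
    length = len(text)
    return -sum(
        (count / length) * math.log2(count / length)
        for count in (text.count(ch) for ch in set(text))
    )


def second_level_label(qname: str) -> str:
    """Label left of the TLD. Naive on purpose: no public-suffix list here."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def score_clients(
    log_text: str,
    min_queries: int = 5,
    ratio_threshold: float = 0.6,
    entropy_threshold: float = 3.5,
) -> Tuple[Dict[str, Dict[str, int]], Dict[str, Dict[str, float]]]:
    """Return per-client counters and the clients that exceed both thresholds."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"queries": 0, "nxdomain": 0, "high_entropy": 0}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        counters = stats[client]
        counters["queries"] += 1
        if rcode.upper() == "NXDOMAIN":
            counters["nxdomain"] += 1
        if shannon_entropy(second_level_label(qname.lower())) >= entropy_threshold:
            counters["high_entropy"] += 1

    flagged: Dict[str, Dict[str, float]] = {}
    for client, counters in stats.items():
        if counters["queries"] < min_queries:
            continue  # too little data to judge
        nx_ratio = counters["nxdomain"] / counters["queries"]
        entropy_ratio = counters["high_entropy"] / counters["queries"]
        # Require both signals: CDN hostnames can look random but do resolve,
        # and typos produce NXDOMAIN answers for perfectly readable names.
        if nx_ratio >= ratio_threshold and entropy_ratio >= ratio_threshold:
            flagged[client] = {"nxdomain_ratio": nx_ratio, "high_entropy_ratio": entropy_ratio}
    return dict(stats), flagged


if __name__ == "__main__":
    _, suspects = score_clients(SAMPLE_LOG)
    for client, scores in suspects.items():
        print(f"{client}: possible DGA activity {scores}")
```

<p>Entropy alone is a noisy signal (content-delivery hostnames score high too), which is why the example insists on the NXDOMAIN ratio as well; on real resolver logs the thresholds and the minimum query count need tuning against a baseline of normal clients.</p>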
<p><span class="font-size-5"><strong>Mitigation and Prevention:</strong></span></p>
<p>So far, there is no way to break the CryptoLocker encryption and recover the key needed to decrypt the data. Purchasing the key seems to be the only way to get data back, unless you have a backup. However, past incidents have shown that paying did not ensure the return of data: some people paid but did not receive the key, and in other cases the key they were given did not work. Ultimately, the best way to keep your data safe is to be proactive. So let's discuss some proactive steps to prevent these types of attacks from happening to you.</p>
<p></p>
<p>1. The first and foremost thing that comes into play when we talk about security is user awareness. Training employees, users and stakeholders is the most important thing. Understand that we are in a war against malware, and users cannot win this fight unless they are aware of the threats. SOC and security management teams can organize seminars, awareness campaigns, etc., to guide their employees. Periodic briefings are important. Explaining cases with examples to both technical and non-technical employees makes it easier for them to understand and remember the scenarios they are likely to encounter in everyday life. Here are just a few ways you can keep your staff educated about these types of attacks:</p>
<ul>
<li>Avoid surfing untrusted sites (e.g. porn, gambling, freeware downloads and so on). It is recommended to use the Chrome or Firefox browsers, which are less vulnerable to attacks; be especially cautious when using older versions of Internet Explorer. If you as a company can't afford expensive solutions, you might consider allowing your users to use extensions like Web of Trust as an obscurity measure.</li>
<li>Do not open an email or attachment that originates from an unknown source (an EXE file inside a zip archive is an obvious example). Recent events have taught us that a Word document with macros can be dangerous (Locky).</li>
<li>When transferring files from mobile storage units / D.O.K. (Disk On Key) drives, don't forget to scan the device. Consider <a href="https://support.microsoft.com/en-us/kb/967715" target="_blank">disabling AutoRun</a>; doing so will help improve your endpoint security.</li>
</ul>
<p>2. Along with user awareness, implement security policies inside the domain via GPO, and email transport rules, to block such emails and to stop .exe files from executing silently. One major recommendation: use security group policies in your organization to safeguard against malware. Let us walk through the process of implementing this.</p>
<p>Software restriction policies control which applications and programs are allowed to execute, and they are applied through Group Policy. What we can do is block executables in the specific user-space folders from which ransomware launches itself. In large organizations, we can do this via domain Group Policy; in a small business environment, or in homes or organizations with no domain, apply local security policies.</p>
<ul>
<li>Open a Group Policy management console on your primary DC to implement a Software restriction policy.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAiIAAAAJGJmNzQxMmQzLTRkNzMtNDYyNS1iYWJmLTVlYWFmZDk0MzIxNQ.png?width=540" width="540" class="align-center" alt="AAEAAQAAAAAAAAiIAAAAJGJmNzQxMmQzLTRkNzMtNDYyNS1iYWJmLTVlYWFmZDk0MzIxNQ.png?width=540" /></a></p>
<ul>
<li>Create a New GPO. Name it “Software Restriction Policy”.</li>
</ul>
<p><a href="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAP4AAAAJGU2Zjg1YTVlLTViMDctNDU5Ni1iZjA0LWVkZjdkNjI1M2Q3OA.png" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAP4AAAAJGU2Zjg1YTVlLTViMDctNDU5Ni1iZjA0LWVkZjdkNjI1M2Q3OA.png?width=687" width="687" class="align-center" alt="AAEAAQAAAAAAAAP4AAAAJGU2Zjg1YTVlLTViMDctNDU5Ni1iZjA0LWVkZjdkNjI1M2Q3OA.png?width=687" /></a></p>
<ul>
<li>Next, edit the newly made GPO and add the user-space folders in which you don't want software to execute. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules. Right-click 'Additional Rules' and click 'Add new Path rule'. Here you will create a new rule and enforce the software restriction.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAfZAAAAJDQzYWY4YjcxLWQ4MDItNGUzYy1hYTI3LTc2Nzc2MTIzZDBkNQ.png?width=682" width="682" class="align-full" alt="AAEAAQAAAAAAAAfZAAAAJDQzYWY4YjcxLWQ4MDItNGUzYy1hYTI3LTc2Nzc2MTIzZDBkNQ.png?width=682" /></a></p>
<ul>
<li>You will be adding file paths here. Add a path, select security level ‘Disallowed’ and add a description.</li>
</ul>
<p>The paths to be included in the policy are for Windows 7 and above.</p>
<ul>
<li>%AppData%\*.exe</li>
<li>%AppData%\*\*.exe</li>
<li>%LocalAppData%\Temp\*.zip\*.exe</li>
<li>%LocalAppData%\Temp\7z*\*.exe</li>
<li>%LocalAppData%\Temp\wz*\*.exe</li>
<li>%LocalAppData%\Temp\Rar*\*.exe</li>
</ul>
<p></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAQ2AAAAJDZiNTUzYjM3LTdiMTEtNDJiMS04ZGE1LTRlMGM5MjQ3ZDEwNQ.png?width=681" width="681" class="align-center" alt="AAEAAQAAAAAAAAQ2AAAAJDZiNTUzYjM3LTdiMTEtNDJiMS04ZGE1LTRlMGM5MjQ3ZDEwNQ.png?width=681" /></a></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAg2AAAAJDZmOTAxOTM4LTU2NTMtNDQ4NS1iYjhhLTA5Yjg1ZWE0MWQ4ZQ.png" class="align-center" alt="AAEAAQAAAAAAAAg2AAAAJDZmOTAxOTM4LTU2NTMtNDQ4NS1iYjhhLTA5Yjg1ZWE0MWQ4ZQ.png" /></a></p>
<ul>
<li>Allow some time for Group Policy to sync to all the systems, or go to every system, open cmd as Administrator and run 'gpupdate /force' to force the group policy update on that system.</li>
</ul>
<p>There is a disadvantage to applying the software restriction policy: all other legitimate .exe files in those locations will not run either. However, you can whitelist legitimate software in the Software Restriction Policies.</p>
<p>To whitelist apps in the Software Restriction Policy, exceptions have to be set for those apps. You can manually instruct Windows to allow those apps while blocking all the others: add a rule for the particular app's path as previously explained and set the security level to Unrestricted instead of Disallowed. This allows the GPO to whitelist the apps so that they can execute in the user space.</p>
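<p>To see what the six Disallowed path rules above actually cover, and how an Unrestricted exception overrides them, here is an added example that models the rule evaluation (written for this edit; it is not Windows' own SRP implementation and not code from the post). It assumes that '*' does not cross a path separator, so %AppData%\*\*.exe covers one level of subfolder only, that matching is case-insensitive, and that the most specific matching rule wins, as SRP documents; the user profile paths and the whitelisted %AppData%\Vendor\agent.exe are constructed.</p>

```python
"""Model of Software Restriction Policy path-rule evaluation (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed user profile; on a real host these come from the environment.
ENV: Dict[str, str] = {
    "appdata": r"C:\Users\alice\AppData\Roaming",
    "localappdata": r"C:\Users\alice\AppData\Local",
}

# The Disallowed rules listed in the post.
DISALLOWED: List[str] = [
    r"%AppData%\*.exe",
    r"%AppData%\*\*.exe",
    r"%LocalAppData%\Temp\*.zip\*.exe",
    r"%LocalAppData%\Temp\7z*\*.exe",
    r"%LocalAppData%\Temp\wz*\*.exe",
    r"%LocalAppData%\Temp\Rar*\*.exe",
]

# Hypothetical whitelist entry of the kind the text describes (level Unrestricted).
UNRESTRICTED: List[str] = [
    r"%AppData%\Vendor\agent.exe",
]


def expand(pattern: str, env: Dict[str, str]) -> str:
    """Replace %VAR% tokens, case-insensitively, leaving unknown ones intact."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), pattern)


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Assumption: '*' matches any run of characters except a backslash."""
    pieces = [r"[^\\]*" if tok == "*" else re.escape(tok) for tok in re.split(r"(\*)", pattern)]
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def evaluate(path: str, env: Dict[str, str] = ENV) -> Tuple[str, Optional[str]]:
    """Return (security level, rule that decided it) for an executable path.

    Among matching path rules the most specific one (longest after expansion)
    wins, which is how a narrow Unrestricted entry overrides a broad Disallowed
    one. No match at all falls back to the default level, Unrestricted.
    """
    best: Optional[Tuple[int, str, str]] = None
    for level, rules in (("Disallowed", DISALLOWED), ("Unrestricted", UNRESTRICTED)):
        for rule in rules:
            expanded = expand(rule, env)
            if pattern_to_regex(expanded).match(path):
                candidate = (len(expanded), level, rule)
                if best is None or candidate[0] > best[0]:
                    best = candidate
    if best is None:
        return "Unrestricted", None
    return best[1], best[2]


if __name__ == "__main__":
    for sample in (
        r"C:\Users\alice\AppData\Roaming\invoice.exe",
        r"C:\Users\alice\AppData\Roaming\Dropper\run.exe",
        r"C:\Users\alice\AppData\Roaming\a\b\c.exe",  # two levels deep: not covered
        r"C:\Users\alice\AppData\Roaming\Vendor\agent.exe",  # whitelisted
        r"C:\Users\alice\AppData\Local\Temp\7zO1234\setup.exe",
        r"C:\Program Files\Vendor\app.exe",
    ):
        print(f"{sample}: {evaluate(sample)}")
```

<p>The third sample shows the gap a practitioner should check for: an executable two folders deep under %AppData% matches neither %AppData%\*.exe nor %AppData%\*\*.exe under the non-recursive wildcard assumption, so deeper nesting needs its own rule. Verify the wildcard behaviour on your own Windows version before relying on it.</p>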
<p>If you have an on-site email server or Exchange, transport rules become very useful. Use an Exchange transport rule to block or disallow attachments with executable content, or at least to mark such mail as Possible Spam so the user is warned about the content of the email.</p>
<ul>
<li>Open Exchange Management Console on your exchange server.</li>
<li>Go to Organization Configuration > Hub Transport.</li>
<li>Open Transport Rules.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAXLAAAAJDM3ODk5NGEyLThhMzAtNGUzYy1iMmE1LTU0ZDM4ZTc1ZTRmMw.png" class="align-full" alt="AAEAAQAAAAAAAAXLAAAAJDM3ODk5NGEyLThhMzAtNGUzYy1iMmE1LTU0ZDM4ZTc1ZTRmMw.png" /></a></p>
<ul>
<li>Add a new rule by right clicking the main screen. Enter the name of the rule along with its description.</li>
</ul>
<p></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAffAAAAJGZhMzVkNDI4LTNiMTMtNDBjNC1hMzFkLTY4N2VhYmI0ODUxYw.png" class="align-center" alt="AAEAAQAAAAAAAAffAAAAJGZhMzVkNDI4LTNiMTMtNDBjNC1hMzFkLTY4N2VhYmI0ODUxYw.png" /></a></p>
<ul>
<li>Select the condition for the rule from the next window. Select the “When any attachment file name matches text patterns” option.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAaEAAAAJDdhMjFiMzlhLTQ2MTAtNDAwYi1hYjg3LTI5NGM2ODBkYzgwNA.png" class="align-center" alt="AAEAAQAAAAAAAAaEAAAAJDdhMjFiMzlhLTQ2MTAtNDAwYi1hYjg3LTI5NGM2ODBkYzgwNA.png" /></a></p>
<ul>
<li>Select as many extensions as you like. Here we add .exe, .html, .doc, .docx, .jpg, .jpeg, .zip, .rar, etc.</li>
<li>Select the Action that the rule will perform after meeting the conditions. Select the option “prepend message subject with string”. Then add “Possible Spam” as the text to be added in the subject line.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAW5AAAAJGY4NDI1NjFkLTIzNzUtNDU5Ny1hY2UyLTdmNmMwNDA4YWE2Mg.png" class="align-center" alt="AAEAAQAAAAAAAAW5AAAAJGY4NDI1NjFkLTIzNzUtNDU5Ny1hY2UyLTdmNmMwNDA4YWE2Mg.png" /></a></p>
<ul>
<li>If there are any exceptions, add them on the next screen; otherwise, leave it as is. Complete the process by clicking Next and then Finish. The transport rule is now added and enabled, with priority set to 0.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAUqAAAAJGVjYzk2MmZlLWYzYTktNDZjMC1iNmY3LWZkMGMyMDUyMDMyNQ.png" class="align-center" alt="AAEAAQAAAAAAAAUqAAAAJGVjYzk2MmZlLWYzYTktNDZjMC1iNmY3LWZkMGMyMDUyMDMyNQ.png" /></a></p>
<p></p>
<p>Now, when a user receives an email whose attachment has one of the extensions we added in the rule, they will see "Possible Spam" prepended to the subject of that email.</p>
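<p>An added example (written for this edit; not Exchange's implementation and not code from the post) that models the transport rule just configured: it parses a MIME message, collects the attachment file names, matches them against the extension patterns, and prepends "Possible Spam" to the subject unless the sender is on an exception list. Matching is case-insensitive on the whole file name, so a double extension such as Invoice.PDF.EXE is still caught. The messages and the exception sender are constructed.</p>

```python
"""Model of the Exchange transport rule walkthrough (added example)."""
import email
import email.policy
import fnmatch
from email.message import EmailMessage
from typing import Iterable, List, Sequence

# Extension patterns from the walkthrough (the post adds "etc." after these).
ATTACHMENT_PATTERNS: List[str] = [
    "*.exe", "*.html", "*.doc", "*.docx", "*.jpg", "*.jpeg", "*.zip", "*.rar",
]
PREFIX = "Possible Spam"  # the string the action prepends to the subject


def attachment_names(msg: EmailMessage) -> List[str]:
    """File names of all MIME parts flagged as attachments."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def matching_attachments(names: Iterable[str], patterns: Sequence[str]) -> List[str]:
    """Case-insensitive glob match on the whole name: Invoice.PDF.EXE is caught by *.exe."""
    return [n for n in names if any(fnmatch.fnmatchcase(n.lower(), p.lower()) for p in patterns)]


def apply_transport_rule(
    raw: bytes,
    patterns: Sequence[str] = ATTACHMENT_PATTERNS,
    exception_senders: Sequence[str] = (),
) -> str:
    """Return the subject line the recipient would see after the rule runs."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    subject = str(msg["Subject"] or "")
    sender = str(msg["From"] or "").lower()
    # Exceptions screen, assumed here to be a list of sender addresses.
    if any(s.lower() in sender for s in exception_senders):
        return subject
    if matching_attachments(attachment_names(msg), patterns):
        return f"{PREFIX} {subject}"
    return subject


def build_message(subject: str, sender: str, attachments: Sequence[str]) -> bytes:
    """Constructed test message carrying attachments with the given file names."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.test"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    for name in attachments:
        msg.add_attachment(
            b"constructed attachment body",
            maintype="application",
            subtype="octet-stream",
            filename=name,
        )
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_message("Invoice", "unknown@example.test", ["Invoice.PDF.EXE"])
    print(apply_transport_rule(raw))  # Possible Spam Invoice
```

<p>Matching on the declared file name is only as good as the name: the model does not inspect archive contents or the actual file type, which is why the post recommends blocking executable content outright where the mail flow allows it.</p>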
<p></p>
<p>3. User permissions: Review NTFS permissions carefully every time you are dealing with permissions, for instance on folders shared from a server. If a shared folder gives 'Everyone' write permission and a user's system gets infected, then you are in trouble. Apply the "Least Privilege" principle: grant as few permissions as possible to limit the possible damage. Also, consider not letting users be local administrators on the endpoints.</p>
<p>4. Minimize the number of mapped shared folders on endpoints (ransomware can encrypt every accessible file, even if it is located in a shared folder).</p>
<p>5. At this juncture, many antivirus programs are able to detect and remove the malware, but decryption of the data is not possible unless you have the key. Keep your antivirus updated so it can detect and remove the malware before it acts.</p>
<p>6. Keep your systems up-to-date and patched up with the latest security patches that the manufacturer releases.</p>
<p></p>
<p>7. Enable the “System Restore” option, in order to be able to restore the system to the previous state,<strong> before</strong> the ransomware infection occurred.</p>
<p></p>
<p>8. Consider applying a software whitelisting solution (e.g. Windows AppLocker / commercial solution). Applying a good software whitelisting solution can help prevent executing malicious software components like ransomware.</p>
<p></p>
<p>9. Consider applying a third-party anomaly-based detection solution in order to locate malicious activity and files.</p>
<p></p>
<p>10. Update your operating system and 3rd party software on a regular basis (for example, Internet Explorer 8 which is vulnerable to browser attacks, and also Adobe and Java software components, which are known for multiple new vulnerabilities every year).</p>
<p></p>
<p>11. Do not allow Peer to Peer (P2P) communication in your network. Ransomware and many of the other malware and bots communicate with their command and control center via P2P communication. Disallowing this will help you keep it safe.</p>
<p></p>
<p>12. Use Security devices like firewalls and IDS/IPS in your network and configure them appropriately and intelligently.</p>
<p></p>
<p>13. Consider preventing the execution of files with macros (e.g. Microsoft Word / Excel documents). This can be done via Group Policy.</p>
<p></p>
<p>14. Consider restricting insertion of mobile devices, USB devices, CDs and even floppy disks to the endpoint (can be done by 3rd party solutions and also by applying group policy restrictions).</p>
<p>USB ports can be blocked on the system from any unauthorized access. Malware, once exposed to a system via USB, can spread through a LAN and affect all other systems.</p>
<p>USB storage access can be disabled on the system with a registry tweak:</p>
<ol>
<li>Go to Run and write ‘Regedit’</li>
<li>Navigate to the key: ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR’</li>
<li>Select ‘Start’ from the right pane, and change its ‘Value data’ to 3. This will disable the USB storage.</li>
</ol>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAeFAAAAJGRlYjFlYWFlLTJkYWEtNDA2NC1hODMyLWE1MTk4ZGM2ZTY1NQ.png" class="align-center" alt="AAEAAQAAAAAAAAeFAAAAJGRlYjFlYWFlLTJkYWEtNDA2NC1hODMyLWE1MTk4ZGM2ZTY1NQ.png" /></a></p>
<p>15. Avoid using unknown anti-virus programs on your system, even if they claim to remove malware from your network or system. Ransomware encryption cannot be broken easily and data cannot be decrypted without the key. So, if an unknown anti-virus program claims that it can break the encryption quickly, be wary. It is very likely another type of malware.</p>
<p></p>
<p>16. BACK UP ALL your data regularly. I have seen clients affected by ransomware and the only thing that saved them was a successful backup. Backing up all your critical data to an external drive, NAS or SAN that is isolated from your system is very useful. If you are a large organization, develop a BCP (Business Continuity Plan) and BDR (Backup and Disaster Recovery) plan. The BCP covers all aspects of ransomware attacks and mitigation techniques, along with the details of the backups you can take for your organization. Many backup solutions on the market can assist you in backing up your data to external storage or a remote location, i.e. cloud storage.</p>
<p>Aside from 3rd party solutions, Windows also provides backup utilities within Windows OS and Windows Server OS. Continuous backup of important files can be stored on external drives and NAS. In addition, System Restore points can be saved frequently. Windows also uses Volume Shadow Copy, which can be used to save previous versions of important and critical data. To revert to the previous version, just right click the file and go to Properties. If System Restore or Shadow Copies is enabled, the Previous Version tab will appear in Properties. This will list all the previous versions of the files. Choose the version you want to restore and click to save it to an existing location. You can also choose another location to save.</p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAdOAAAAJGYzNDA0NjFiLTEwYmYtNGI0NS1iMGY3LWUwZDU3NzkyZTdkMA.png" class="align-center" alt="AAEAAQAAAAAAAAdOAAAAJGYzNDA0NjFiLTEwYmYtNGI0NS1iMGY3LWUwZDU3NzkyZTdkMA.png" /></a></p>
<p>17. Apply adequate network segmentation via firewalls to contain a malware's lateral movement (spreading to other endpoints and servers in the corporate network with the credentials of a compromised user).</p>
<p></p>
<p>18. Implement an IPS (intrusion prevention system) between the corporate network segments, if you have not yet done so. Consider applying IPS to outgoing communication as well. Update the IPS signature database on a regular basis.</p>
<p></p>
<p>19. Web filtering – consider applying a web filtering solution that will prevent access to untrusted websites and downloaded files (e.g. .exe, .zip, .rar, .jar, .scr, etc.). If possible, use “surfing virtualization” solutions like VDI, Citrix Smart Browsing, Jetro Secure Browsing etc. This helps minimize the possible effect on internal endpoints, because internet surfing doesn’t actually happen on the internal endpoint.</p>
<p></p>
<p>20. Mail Relay solution will help filter the incoming emails. Apply rules that will prevent incoming emails with attachments like .zip, .rar, .exe, .scr, .jar, .js, .bat, .cpl, etc. Allow what's required for the ongoing work and consider restricting incoming attachments with PDF’s and MS Office macros if possible.</p>
<p></p>
<p>21. Consider applying a “Sandbox” solution that will check every incoming file that originates from the email infrastructure or is downloaded from the internet.</p>
<p></p>
<p>22. Disable Autoplay through Group Policy or the registry. For more details click <a href="https://support.microsoft.com/en-us/kb/2328787" target="_blank">here</a>.</p>
<p></p>
<p>23. Disable Windows Script Host, and consider enabling it only for the user groups that need it. For more details click <a href="https://technet.microsoft.com/en-us/library/ee198684.aspx" target="_blank">here</a>.</p>
<p></p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-assess-the-effectiveness-of-your-vulnerability-manag">Checklist To Assess The Effectiveness Of Your Vulnerability Management Program</a> )</p>
<p></p>
<p></p>
<p><span class="font-size-5"><strong>Actions to be taken in case of a ransomware infection:</strong></span></p>
<p>1. Isolate the station from the corporate network to prevent the spreading of the ransomware encryption process (e.g. pull the network cable out of the plug or isolate the station via Corporate NAC, you also can consider having separate VLAN that will be dedicated to such scenarios which can help your IR team).</p>
<p>2. After isolating the station from the network:</p>
<ul>
<li>Do a damage assessment to understand what was encrypted and check whether there is a valid backup from which you can restore your data.</li>
<li>Paying the ransom is not always a good idea: the money is the “fuel” that runs these criminals, and you have no guarantee that your files will actually be decrypted even after paying (so you may well have paid for nothing).</li>
<li>Not recommended, but if losing your files would cost far more than paying the $400, you can pay and cross your fingers that it works.</li>
<li>It is recommended to fully format the infected station in order to eliminate any residue of the malware.</li>
</ul>
<p>3. Investigate – the investigation phase is basically the aftermath analysis that helps you apply countermeasures to minimize the likelihood of your organization getting infected again (all the suggestions written above).</p>
<p></p>
<p></p>
<p><strong>Post Author :</strong> Tal Eliyahu, Lead Risk Manager, BugSec</p>
<p>This post was initially posted <a href="https://www.linkedin.com/pulse/ransomware-practical-view-mitigation-prevention-tips-tal-eliyahu" target="_blank">here</a> & has been reproduced with permission.</p>
<p></p>
<p></p></div>Best ploy against Ransomware : A Perfect Backup Planhttps://www.cisoplatform.com/profiles/blogs/best-ploy-against-ransomware-a-perfect-backup-plan2017-02-17T08:00:00.000Z2017-02-17T08:00:00.000ZAmit Jaokarhttps://www.cisoplatform.com/members/AmitJaokar797<div><p>Last year, cybercriminals attacked the California-based Hollywood Presbyterian Medical Center, encrypting files crucial in running the hospital’s operating systems and demanding a ransom to restore them to working order. The scam worked – after 10 days of futility, the hospital surrendered and paid $17,000 to regain system control.</p><p><a href="http://www.cisoplatform.com/profiles/blogs/best-ploy-against-ransomware-a-perfect-backup-plan" target="_blank"><img width="750" src="{{#staticFileLink}}8669806685,original{{/staticFileLink}}" class="align-full" height="369" alt="8669806685?profile=original" /></a></p><p></p><p>Other hospitals, government agencies and businesses in the U.S. and abroad were targeted similarly last year, leading CNET to dub such ransomware scenarios the hot hacking trend of 2016. And the numbers are truly staggering. Osterman Research estimates that nearly half of surveyed organizations have been hit with ransomware within the last year, and concludes that ransomware will amount to a $1 billion source of income for cyber criminals in 2016. 
In a recent report, Kaspersky Security states that in Q3 2016, a business was attacked by ransomware every 40 seconds, and that even after paying the ransom, one in five of them never got their data back.</p><p><span id="docs-internal-guid-6d6c1bfa-4b22-9434-ff3b-da6c4d383756"><span>( Read More:</span> <span><a href="http://www.cisoplatform.com/profiles/blogs/security-metrics-and-dashboard-for-the-ceo-board">Information Security Metrics And Dashboard For The CEO / Board</a> )</span><a href="http://www.cisoplatform.com/profiles/blogs/security-metrics-and-dashboard-for-the-ceo-board"><span><br class="kix-line-break" /></span></a></span></p><p></p><p></p><p></p><p> </p><p><span class="font-size-5"><b>Apple Users Now a Target<br /></b></span></p><p>But while many ransomware instances go unreported due to embarrassment or the desire to not be targeted again, the attacks were thought to be largely focused on the Microsoft Windows software realm, leaving Apple users relatively unscathed. But that changed in 2016 when the first public ransomware targeting Apple systems was discovered by Palo Alto Networks, which found a popular BitTorrent client for Apple’s OS X software for Macs infected with ransomware. Known as “KeRanger,” the ransomware is delivered with a ransom note demanding 1 Bitcoin, which has a current market value over $700. Fixing the problem can also be complicated and time consuming.</p><p>Antivirus software also isn’t having an impact; by the time a computer is infected with ransomware, it’s likely that the antivirus software won’t detect it until it’s too late and the damage has been done. 
The encryption used by modern ransomware is often too good to crack, leading most security experts to conclude that the best approach to fighting ransomware is to avoid it in the first place.</p><p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-siem-vendors">Checklist To Evaluate SIEM Vendors</a> )</p><p> </p><p><span class="font-size-5"><b>Different Backup Approaches</b></span></p><p>It seems the most effective way for Apple users to safeguard their computer files from these nefarious attacks is through regular backups. And, in the event you are hit with ransomware, the solution would lie in simply restoring your system to the state it was in before the malware hit your computer. There are several backup and restore approaches to consider for the Apple environment:</p><ul><li><strong>Time Machine</strong> is the backup software application distributed with the Apple operating system, introduced in Mac OS X Leopard. It was designed to work with various storage drives such as Time Capsule. But for Time Machine to be effective, files must be unlocked or closed, which may not be practical for those currently in use. In addition, there is the possibility of a two-step process within OS X that requires users to reinstall the operating system before retrieving the application and files from the backup image.</li><li><strong>File System Snapshots</strong> simplify backup and recovery by taking a point-in-time virtual file system photo. But while this method can be employed to protect active operating systems, depending on file sizes, it can take significantly more time.</li><li><strong>Disk Management Solutions</strong> can create image-based copies of a disk or partition (or multiple disks and partitions) whether active or inactive, at a specific point in time far more quickly. 
Such robust offerings have the advantage of being able to make consistent sector-level backups (also often referred to as Snapshots) even if data is currently being modified.</li></ul><p> </p><p>Thus, while there are different backup approaches to consider, the bottom line is that a regular, proactive backup strategy – potentially even a multi-pronged approach – is your best defense against crippling ransomware attacks. And while Apple users were once immune from such attacks, they too now need to join the rest of the computer world in being vigilant in protecting themselves. After all, like many things in life, when it comes to avoiding being held hostage by cybercriminals, an ounce of prevention is worth a pound of cure.</p><p> </p></div>Ransomware: Detection when prevention has failed.https://www.cisoplatform.com/profiles/blogs/ransomware-detection-when-prevention-has-failed2017-03-08T07:30:00.000Z2017-03-08T07:30:00.000ZMeghana Phttps://www.cisoplatform.com/members/MeghanaP<div><h3><span class="font-size-5"><img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAfgAAAAJDQxZTdkMjVlLWM3MGYtNDdkYi04MGY3LTc1YTRhNWEzOTAyYw.jpg" class="align-full" width="716" height="385" alt="AAEAAQAAAAAAAAfgAAAAJDQxZTdkMjVlLWM3MGYtNDdkYi04MGY3LTc1YTRhNWEzOTAyYw.jpg" /></span></h3><h3><span class="font-size-5">The scary truth</span></h3><p><span class="font-size-3">It's one of the biggest fears for an IT department. 
You have anti-malware agents on your desktops, you have scanning engines for incoming email, you have IPS/IDS systems, and you have even locked the permissions down on your file shares, but someone manages to get a ransomware infection on their workstation. You get a call and spend the next 40 hours testing how well your backup strategy works. In the worst case scenario, you are ransomed into paying thousands to bad actors.</span></p><p><span class="font-size-3">Recently eWeek.com posted an <a href="http://www.eweek.com/security/ibm-finds-most-businesses-pay-ransomware-demands.html" target="_blank">article</a> on the percentage of companies that have paid attackers to recover their data after a ransomware attack. The findings are pretty scary. The article states:</span></p><p><span class="font-size-3"><em>"The 23-page IBM Security </em><a href="http://ibm.biz/RansomwareReport" target="_blank"><em>study</em></a><em> surveyed 600 business leaders and 1,021 consumers in the U.S. 46 percent of business respondents reported that they had experienced ransomware in their organizations. Of the 46 percent that have been impacted by ransomware, 70 percent admitted that their organization paid the ransom."</em></span></p><p><span class="font-size-3">This is a troubling statistic. It shows that many companies are still not taking this threat seriously. The fact that so many people have paid this ransom points to holes in their data security plan. For these companies, it is vitally important they refocus on the basics. Ensuring better network security, writing better security policies, and improving backup and archiving strategies are a good start. 
There are many tools and partners out there who can help implement technology and develop strategies to prevent these attacks and ensure businesses can recover from them without paying a ransom.</span></p><h3><span class="font-size-5">They still got in</span></h3><p><span class="font-size-3">Even with the best technology and consistent end user training, attacks make their way onto the network. A new method of delivery is created, a user gets tricked, or an exploit in a required piece of technology is leveraged. IT technicians then find themselves dealing with a ransomware attack. Many IT departments don't realize that the attack is happening until a user contacts them about their inability to access a file or a message on their screen. Once this has occurred it's often too late to do anything but restore everything. What many companies are missing is a strategy for detecting the attack quickly and limiting its scope. So what can be done?</span></p><p><span class="font-size-3">There are several ways to deal with this scenario:</span></p><ul><li><span class="font-size-3">Monitor for multiple file renames as a method of detection.</span></li><li><span class="font-size-3">Create a large sacrificial share full of small files to slow down the infection.</span></li><li><span class="font-size-3">Implement AppLocker policies to try to limit attack vectors.</span></li><li><span class="font-size-3">Look for processes that read/write too quickly or change the entropy of files.</span></li><li><span class="font-size-3">Monitor for known ransomware extensions.</span></li></ul><p><span class="font-size-3">The focus of the remainder of this article will be on the last option. Monitoring for known ransomware extensions is simple to implement and effective. It can be accomplished with tools Microsoft provides right out of the gate. 
It's fast to detect and can be extended to automate remediation tasks.</span></p><h3><span class="font-size-5">Using File Server Resource Manager to detect ransomware</span></h3><p><span class="font-size-3">File Server Resource Manager (FSRM) is a role provided by Microsoft Windows servers that allows administrators to understand, control, and manage the type and quantity of data that is stored on servers. It can be used for quota enforcement, file screening, reporting, data classification, and file management tasks. For the purposes of this article, the focus will be on file screening.</span></p><p><span class="font-size-3">The process is fairly simple, and consists of the following steps:</span></p><ol><li><span class="font-size-3">Install the FSRM role on a Windows server.</span></li><li><span class="font-size-3">Configure basic options for FSRM.</span></li><li><span class="font-size-3">Create file groups.</span></li><li><span class="font-size-3">Create a file screen template.</span></li><li><span class="font-size-3">Create a file screen.</span></li></ol><p><span class="font-size-3">Once this has been completed, the system will automatically notify IT when it detects one of the configured extensions. This process can be taken further by automating the updating of file groups as well as taking an automated remediation step. There is, however, one significant weakness with this approach: it will not stop attacks that use randomized file extensions, or extensions that are not listed in the file group.</span></p><h3><span class="font-size-5">Install FSRM role</span></h3><p><span class="font-size-3">Installing a Windows role should be within the abilities of an IT professional. Needless to say it can be found under File and Storage Services > File and iSCSI Services > File Server Resource Manager. 
Once this is done, FSRM can be opened by running the program called "File Server Resource Manager".</span></p><h3><span class="font-size-5">Configure basic options for FSRM</span></h3><p><span class="font-size-3">Before FSRM can be useful, some configuration needs to be done. The SMTP server setting, notification limits, and the default administrator email account all need to be configured. These settings can be found by right clicking on File Server Resource Manager (local) in the FSRM console.</span></p><h3><span class="font-size-5">Create file groups</span></h3><div class="slate-resizable-image-embed slate-image-embed__resize-right"><img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAiwAAAAJGJlZjY1Yzk5LTUzZmEtNDRkOS05NmVlLTVmMzdhMzQ0ZGVjYg.png" alt="AAEAAQAAAAAAAAiwAAAAJGJlZjY1Yzk5LTUzZmEtNDRkOS05NmVlLTVmMzdhMzQ0ZGVjYg.png" /></div><p></p><p><span class="font-size-3">A file group is a list of files or extensions on which a technician would like to take action. In this case, a list of all known ransomware extensions needs to be created. To do this, expand "File Screening Management" in FSRM, right click on "File Groups" and select "Create File Group". Next, create a name for the file group and add at least one extension to include so the file group can be saved.</span></p><p><span class="font-size-3">To automate this file group and keep it up to date, a script is required. <a href="http://fsrm.experiant.ca/" target="_blank">https://fsrm.experiant.ca/</a> maintains a very up to date list as well as their own options for configuring FSRM. 
A scheduled task should be created to run the following PowerShell script:</span></p><pre># Pull the current list of ransomware file name patterns from the feed and
# replace the file group's include patterns with it.
Set-FsrmFileGroup -Name "Anti-Ransomware File Group" -IncludePattern @(
    (Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/combined" -UseBasicParsing).Content |
        ConvertFrom-Json | ForEach-Object { $_.filters }
)</pre><p></p><h3><span class="font-size-5">Create a File Screen Template</span></h3><div class="slate-resizable-image-embed slate-image-embed__resize-right"><img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAi0AAAAJDZkM2RjZTk1LWRiMTEtNDFkMC05ZmFmLTNjZjUzYjMyY2VlMg.png" alt="AAEAAQAAAAAAAAi0AAAAJDZkM2RjZTk1LWRiMTEtNDFkMC05ZmFmLTNjZjUzYjMyY2VlMg.png" /></div><p></p><p><span class="font-size-3">The next step is to build a template that uses this list. The process is similar to the file group. After expanding "File Screening Management" inside FSRM, right click on "File Screen Templates" and click "Create File Screen Template". Give the template a name and check the Anti-Ransomware file group created previously. There are now a few options to consider.</span></p><p></p><p><span class="font-size-4"><strong>Active vs Passive Screening</strong> </span><span style="font-size:12pt;">- Active screening prevents files with these extensions from being created. Passive screening simply takes an action when the file is created. It is recommended to use passive screening. If active screening is used, the encrypted files will not be renamed, which will make finding these files for restore difficult.</span></p><p></p><p><strong><span class="font-size-4">Email Message</span></strong><span class="font-size-3"> - Allows an email to be sent out if these extensions are discovered or created on screened file shares. 
It is highly recommended to configure this tab.</span></p><p></p><p><strong><span class="font-size-4">Event log </span></strong><span class="font-size-3">- Configures an event log item to be created if these extensions are discovered or created on screened file shares. This is also recommended. This will be used later to automate remediation attempts.</span></p><div class="slate-resizable-image-embed slate-image-embed__resize-right"><img src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAgfAAAAJGRhYWVjZDAzLWJiNjYtNGJiYS05MWI3LTBmNzg1ZGMyNmFlMA.png" alt="AAEAAQAAAAAAAAgfAAAAJGRhYWVjZDAzLWJiNjYtNGJiYS05MWI3LTBmNzg1ZGMyNmFlMA.png" /></div><p></p><p><strong><span class="font-size-4">Command</span></strong> - <span class="font-size-3">Allows execution of a script in response to detection. One potential option is to use this tab to run a PowerShell script that disables share access for the user who is infected. This prevents any further damage. It could also be used to execute a script that turns off the file sharing service completely. Ensure the settings look like the screenshot to the right. The command arguments should point to a PowerShell script. The script that follows is a slightly modified version of the script found at <a href="http://fsrm.experiant.ca/" target="_blank">https://fsrm.experiant.ca/</a>. It reads as follows:</span></p><pre># One second delay to give the script enough time to grab the newest event log entries
Start-Sleep -Seconds 1

# Looks in the Application log for the custom event message generated by the
# file screen audit (FSRM event ID 8215) and stores the offender's username.
$RansomwareEvents = Get-EventLog -LogName Application -Message "*ransomware*" -Newest 50 |
    Where-Object { $_.EventID -eq 8215 }

# Nothing to do if no matching event was found (avoids a null-reference error below)
if (-not $RansomwareEvents) { return }

# Use the most recent matching event; the account name is the second word of the message
$username = ($RansomwareEvents | Select-Object -First 1).Message.Split()[1]
# Strip the DOMAIN\ prefix
$username = $username -replace ".*\\"

# Blocks SMB share access for the user on every non-administrative share currently in use
Get-SmbShare -Special $false | Where-Object CurrentUsers -gt 0 |
    Block-SmbShareAccess -AccountName $username -Force

# Restart the FSRM service (srmsvc) by its display name
Restart-Service -DisplayName "File Server Resource Manager" -Force</pre><p><span class="font-size-3">This command gets all shares on the server and, for each share, configures share permissions to block the user account that is infected with the ransomware. Once the infection has been removed, access can be restored for that user by removing the share permission that blocks their access. This can be done with this script:</span></p><pre>Get-SmbShare -Special $false | Unblock-SmbShareAccess -AccountName "username@domain.tld" -Force</pre><p><span class="font-size-3">Another option would be to disable the share service entirely like so:</span></p><pre>Stop-Service lanmanserver -Force</pre><p><span class="font-size-3">It is important to note that changes to the PowerShell execution policy to allow local scripts may be required.</span></p><h3><strong><span class="font-size-4">Create File Screens</span></strong></h3><p><span class="font-size-3">Now that the file screen template is created, the last step is to implement these templates by creating file screens. File screens are created on a share by share basis. This process is very simple. 
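The three click-through steps in this post (file group, passive file screen template, file screen) can also be scripted end to end. The following is an added example using the FileServerResourceManager cmdlets; it is not code from the original post, and the share path, admin mailbox, responder script path and seed pattern list are assumptions you would replace with your own.

```powershell
# Added example, not from the original post: scripted equivalent of the
# "Create file groups", "Create a File Screen Template" and "Create File Screens"
# steps, using the FileServerResourceManager module that ships with the FSRM role.
# Placeholders (assumptions) to adjust: $SharePath, $AdminEmail, $ResponderScript.
#Requires -Modules FileServerResourceManager

$GroupName       = 'Anti-Ransomware File Group'
$TemplateName    = 'Anti-Ransomware (passive)'
$SharePath       = 'D:\Shares\Finance'                       # assumption
$AdminEmail      = 'secops@example.com'                      # assumption
$ResponderScript = 'C:\Scripts\Block-RansomwareUser.ps1'     # assumption: the share-blocking script from this post
$FeedUri         = 'https://fsrm.experiant.ca/api/v1/combined'

# Constructed seed patterns so the script still works when the feed is unreachable.
$SeedPatterns = @('*.locky', '*.crypt', '*.zepto', '*_HELP_instructions.html')

function Get-RansomwarePatterns {
    param([string]$Uri, [string[]]$Fallback)
    try {
        $json = (Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15).Content
        $patterns = ($json | ConvertFrom-Json).filters
        if ($patterns.Count -gt 0) { return $patterns }
    } catch {
        Write-Warning "Feed $Uri unreachable, using the seed list: $_"
    }
    return $Fallback
}

# 1. File group: create it once, then keep it current (safe to re-run from a scheduled task).
$patterns = Get-RansomwarePatterns -Uri $FeedUri -Fallback $SeedPatterns
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns `
        -Description 'Known ransomware file names and extensions'
}

# 2. Notifications. [Source Io Owner], [Source File Path] and [Server] are FSRM macros
#    expanded when the notification fires. The responder script searches the Application
#    log for the word "ransomware", so that word must stay in the event body.
$body = 'Possible ransomware activity: user [Source Io Owner] wrote [Source File Path] on [Server]'

$eventAction = New-FsrmAction -Type Event -EventType Warning -Body $body
$mailAction  = New-FsrmAction -Type Email -MailTo $AdminEmail `
                   -Subject 'FSRM ransomware file screen hit on [Server]' -Body $body
$cmdAction   = New-FsrmAction -Type Command `
                   -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
                   -CommandParameters "-NoProfile -ExecutionPolicy Bypass -File `"$ResponderScript`"" `
                   -SecurityLevel LocalSystem -WorkingDirectory (Split-Path $ResponderScript) `
                   -RunLimitInterval 1    # minutes between repeated runs of the command

# 3. Passive template: log, mail and respond, but do not block the write, so the renamed
#    files stay visible for damage assessment (the post's own recommendation).
if (-not (Get-FsrmFileScreenTemplate -Name $TemplateName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $TemplateName -IncludeGroup $GroupName `
        -Active:$false -Notification @($eventAction, $mailAction, $cmdAction)
}

# 4. File screen: apply the template to the share path.
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -Template $TemplateName
}

# Verify what is now in force on the share.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup, Template
```

Run it once from an elevated PowerShell session on the file server; the file group step is the part to re-run on a schedule, as the post recommends.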
Right click on "File Screens" and select the path to screen (the path to the share). Next, under the section that says "Derive properties from file screen template" select the template you created and click OK. It is now possible to edit the properties of this file screen if customization is required.</span></p><h3><strong><span class="font-size-5">Conclusion</span></strong></h3><p><span class="font-size-3">There are many tools and techniques to deal with preventing, remediating, and detecting ransomware. Hopefully this overview of File Server Resource Manager has exposed creative ways of detecting and reducing the impact of modern malware.</span></p><p></p><p><span class="font-size-3"><strong>Post Author :</strong> Don Magee, Senior Cloud Engineer, Trek, Inc.</span></p><p><span class="font-size-3"><span>This post was initially posted <a href="https://www.linkedin.com/pulse/ransomware-detection-when-prevention-has-failed-don-magee?trkInfo=VSRPsearchId%3A3898440781485940921363%2CVSRPtargetId%3A6215217218892947456%2CVSRPcmpt%3Aprimary&trk=vsrp_influencer_content_res_name" target="_blank">here</a> <span>& has been reproduced with permission.</span></span></span></p><p></p></div>Top 10 must-read blogs for CISOs on Data Loss Prevention solutionhttps://www.cisoplatform.com/profiles/blogs/top-10-must-read-blogs-for-cisos-on-data-loss-prevention-solution2019-11-28T12:00:00.000Z2019-11-28T12:00:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><p></p>
<p><span>Here is the list of my top 10 blogs on DLP solutions, which you should go through if you are in charge of creating, implementing and managing a DLP program in your organisation.</span></p>
<p> </p>
<h3><strong>1. <a href="https://www.linkedin.com/pulse/business-case-data-loss-prevention-shashidhar-cn-cisa-crisc-mba">A business case for Data loss prevention</a>:</strong></h3>
<p><span>A good small write up giving out some of the tips for building a business case for DLP in terms of some of the immediate benefits that it brings to the organisation, such as data security and compliance obligations.</span></p>
<p> </p>
<h3>2. <a href="http://www.tomsitpro.com/articles/data-loss-prevention-dlp-business-case,2-986.html">Building a business case for DLP tools</a>:</h3>
<p><span>A comprehensive article and guide to help you build a business case for DLP solution.</span></p>
<p> </p>
<h3>3. <a href="https://digitalguardian.com/blog/positioning-dlp-executive-buy">Positioning DLP for executive buy-in</a>:</h3>
<p><span>A blog from Digital Guardian, one of the leading vendors in the DLP market, talks about how to build allies and properly position DLP to decision makers. This blog is part of the more comprehensive guide “The Definitive Guide to DLP”.</span></p>
<p><span> </span></p>
<h3>4. <a href="http://searchsecurity.techtarget.com/feature/Tips-for-creating-a-data-classification-policy">Tips for creating a data Classification policy</a>:</h3>
<p><span>A good data classification policy is perhaps the most important prerequisite for a successful DLP program in any organisation. This blog from TechTarget gives some tips for a workable data classification policy.</span></p>
<p> </p>
<h3>5. <a href="http://www.isaca.org/Journal/archives/2014/Volume-1/Pages/Key-Considerations-in-Protecting-Sensitive-Data-Leakage-Using-Data-Loss-Prevention-Tools.aspx?utm_referrer=">Key considerations in protecting sensitive data leakage using DLP tools</a>:</h3>
<p><span>This article from ISACA highlights 10 key considerations that could help organisations plan, implement, enforce and manage DLP solutions. It also gives a good overview of DLP solutions in general.</span></p>
<p> </p>
<div><span style="font-size:14pt;"><strong><a href="https://www.cisoplatform.com/profiles/blogs/data-leakage-protection-dlp-via-email-gateway-and-regulated" target="_blank">READ MORE >> Data Leakage Protection (DLP) via email gateway and Regulated Internet access</a></strong></span></div>
<h3>6. <a href="http://www.cisoplatform.com/profiles/blogs/5-tips-evaluate-readiness-implementing-data-loss-prevention-dlp?__hstc=14264616.a52595292bb4f606352113db42a1f28f.1574935601385.1574935601385.1574935601385.1&__hssc=14264616.29.1574935601386&__hsfp=4050479647">5 tips to evaluate your readiness before implementing DLP solution</a>:</h3>
<p><span>This blog from CISO Platform lists the five questions to ask yourself to assess your organisation's readiness for implementing a DLP solution. You should take care of these 5 things before you go ahead with your DLP project.</span></p>
<h3>7. <a href="http://www.csoonline.com/article/2134517/it-strategy/strategic-planning-erm-7-strategies-for-a-successful-dlp-strategy.html?nsdr=true">7 Strategies for a successful DLP deployment</a>:</h3>
<p><span>This blog from CSOonline lists a set of strategies to help you see through a successful DLP implementation. Though obvious, these are often overlooked.</span></p>
<h3>8. <a href="https://digitalguardian.com/blog/how-evaluate-dlp-solutions-6-steps-follow-and-10-questions-ask">How to evaluate DLP solutions: 6 steps to follow and 10 questions to ask</a>:</h3>
<p><span>Choosing the right DLP solution for your company can be overwhelming; in order to make an educated buying decision, each vendor must be properly evaluated for its strengths and weaknesses.</span></p>
<h3>9. <a href="http://www.cisoplatform.com/profiles/blogs/top-6-reasons-why-datalossprevention-implementation-fails?__hstc=14264616.a52595292bb4f606352113db42a1f28f.1574935601385.1574935601385.1574935601385.1&__hssc=14264616.29.1574935601386&__hsfp=4050479647">Top 6 reasons why DLP implementations fail</a>:</h3>
<p><span>Another blog from CISO Platform lists some of the top reasons why a DLP implementation may fail or may not achieve its stated objectives.</span></p>
<h3>10. <a href="https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data">An Expert Guide to Securing Sensitive Data: 34 Experts Reveal the Biggest Mistakes Companies Make with Data Security</a>:</h3>
<p><span>Digital Guardian has some good resources on DLP solutions. This blog elicits insights from data security experts on the top mistakes one can make when approaching a data security problem in an organisation.</span></p></div>
An Approach for DLP Implementation https://www.cisoplatform.com/profiles/blogs/an-approach-for-dlp-implementation 2019-11-29T08:30:00.000Z 2019-11-29T08:30:00.000Z Denise https://www.cisoplatform.com/members/Denise
<div><p><span><strong>Myth: DLP is for IT and it is an IT project | Truth: DLP is for the business and it is a business project</strong></span></p>
<p><span>A DLP solution is implemented by IT for the business, in close association with the various business departments. A DLP implementation requires strong upper-management commitment and support, in-depth involvement of middle management, IT operations, and the business/data owners of the various departments.</span></p>
<p><span>A DLP implementation project is destined to fail if it is treated merely as an IT project.</span></p>
<h3><span><strong>Let’s understand the objective of DLP</strong></span></h3>
<ul><li><span>Discover sensitive, confidential or restricted information across the enterprise network, servers, machines, databases etc.</span></li><li><span>Monitor and control the flow of such information across the network</span></li><li><span>Monitor and control such information on end-user systems</span></li></ul>
<p><span>In short, the prime objective of DLP is to monitor and control sensitive/confidential/restricted information whether it is at rest, in use or in transit.</span></p>
<h3><span><strong>DLP benefits to the business</strong></span></h3>
<ul><li><span>Protection of sensitive business information and IP</span></li><li><span>Improved compliance</span></li><li><span>Reduced data leakage and breach risk</span></li><li><span>User awareness of information 
security and handling sensitive information</span></li></ul>
<p><span><strong>There are three states of information that any DLP solution should handle: data at rest, data in motion and data in use.</strong></span></p>
<h3><span><strong>Data at rest:</strong></span></h3>
<p><span>DLP must have the capability to discover various file types (spreadsheets, Word and PDF documents etc.) wherever they are present: on end-user machines, file servers, databases, SAN or NAS storage etc. Once such files are found, DLP must be able to open them and scan their contents to determine whether they hold the specific types of information named in the policy, such as credit card numbers, PAN card numbers, bank account numbers, customer details or other specific information. To accomplish this, DLP uses a crawler application that crawls through the various data stores in the network, machines, databases etc. to discover the set of information and develop fingerprints.</span></p>
<p><span><strong>Discovering the locations and collecting the specific sets of information is critical in determining whether a location is permitted to store that information set as per business guidelines and policies.</strong></span></p>
<h3><span><strong>Data in motion:</strong></span></h3>
<p><span>To monitor information movement in the network, DLP uses network analyzers and sensors that capture and analyse network traffic. DLP must have Deep Packet Inspection (DPI) capability, which allows it to inspect data in transit and determine its contents, source and destination. 
If sensitive information is detected flowing to an unauthorized destination, DLP can alert the user, their manager and IT, and block the data flow.</span></p>
<h3><span><strong>Data in use (endpoint):</strong></span></h3>
<p><span>Data in use refers to monitoring the data movements users perform on their own machines, whether data is being copied to a thumb drive, sent to a printer, or cut and pasted between applications.</span></p>
<h3><span><strong>Approach</strong></span></h3>
<p><span>Implementing a DLP solution is a complex task and requires significant preparatory activities: policy development, directory service integration, workflow management, incident handling, business process analysis, assessment of the various types of information the organisation uses, detailed inventories of the assets that carry sensitive information, data flow analysis and data classification. These activities require the deep involvement of the various business departments, data owners, stakeholders and the IT department.</span></p>
<h3><span><strong>DLP strategy</strong></span></h3>
<ol><li><h3><span><strong>Get management support for the solution:</strong></span></h3><p><span>Justify the requirement for the DLP solution in the organization with facts, trends and POC results.</span></p></li><li><h3><span><strong>Proper planning and strategy are vital for a successful DLP implementation</strong></span></h3></li></ol>
<ul><li><span><strong>Involvement of business owners & stakeholders: 
</strong>the right business people from the various departments, those who understand what information should be restricted and why, should be involved in the DLP project.</span></li>
<li><span><strong>Data flow analysis: </strong>understanding the flow of information between the various business processes and departments, both inside and outside the organisation, is imperative. The output of the DFA plays a very important role when designing DLP policies.</span></li></ul>
<ul><li><span><strong>Data classification: </strong>here the involvement of business users is critical. Business owners and stakeholders are the key people who know the criticality and sensitivity of the organization's information; they can say which information is critical to them and to the organization, where it is located and who should have access to it. Based on the severity level, data is classified and controls are selected.</span></li>
<li><span><strong>Data discovery: </strong>once data is classified and segregated by sensitivity and criticality, the DLP discovery engine, using crawler agents, goes deeper into the various data stores across the enterprise network to identify and log sensitive information and its locations, and develops fingerprints for later use in policies.</span></li></ul>
<p><span><strong>Note:</strong> quite often enterprises are unaware of all the types of information they possess and have little idea where their sensitive and critical information is located. 
So it is imperative to identify all types of sensitive information and their locations, and to classify them by sensitivity.</span></p>
<ul><li><span><strong>Defining DLP policies with business workflow: </strong>once the sensitive information has been identified, the next step is to develop policies to protect it. Each policy consists of a few rules that dictate the flow of the information and determine how the DLP mechanism will handle it. Mind that at this stage policies are only developed, not enforced.</span></li>
<li><span>Understanding information flow is a critical component of policy formation.</span></li>
<li><span>What should be the source and destination of the identified data?</span></li>
<li><span>What are the egress points in the network through which information flows out of the organisation?</span></li>
<li><span>What processes are there to govern the information flow?</span></li></ul>
<p><span><strong>DLP rules operate on content and context awareness, hence understanding What, Who, Where & How is very important for DLP security policies.</strong></span></p>
<table><tbody>
<tr><td><span><strong>What</strong></span></td><td><span><strong>Who</strong></span></td><td><span><strong>Where</strong></span></td><td><span><strong>How</strong></span></td><td><span><strong>Action</strong></span></td></tr>
<tr><td><span><strong>Financial statement</strong></span></td><td><span>Finance Dept</span></td><td><span>Personal Email</span></td><td><span>Mail Service</span></td><td><span>Block, Notify, Audit</span></td></tr>
<tr><td><span><strong>Financial statement</strong></span></td><td><span>Finance Dept</span></td><td><span>Tax consultant</span></td><td><span>Mail Service</span></td><td><span>Allow, Notify, Audit</span></td></tr>
<tr><td><span><strong>Salary Statements</strong></span></td><td><span>HR Dept</span></td><td><span>USB</span></td><td><span>Memory 
Stick</span></td><td><span>Block, Notify, Audit</span></td></tr></tbody></table>
<ul><li><span><strong>Incident management: </strong>DLP is useless if it does not report incidents; it must report a violation whenever one occurs. The IT department, compliance department or another authorized individual must receive the incident notification. Once the manager reviews and assesses the report, a further course of action may be taken. If an incident is a false positive, the policies should be fine-tuned to bring false positives down to a minimum. If an incident is a true positive, appropriate action must be taken, i.e. the DLP policy should be redefined. DLP policy management must be agile and flexible enough to accommodate rapidly changing security needs.</span></li>
<li><span><strong>DLP must be tuned for low false positives (DLP flagging non-sensitive information in an incident)</strong></span></li>
<li><span><strong>DLP must be tuned for high true positives (DLP detecting sensitive information in an incident)</strong></span></li>
<li><span><strong>DLP must be tuned for low false negatives (DLP failing to detect sensitive information in an incident)</strong></span></li></ul>
<ul><li><span><strong>Go slow: </strong>start by monitoring two or three departments and get the incident management and workflow in place. 
Starting with all departments will overwhelm DLP incident management with tons of false positives.</span></li></ul>
<ul><li><span><strong>Monitoring & periodic review of DLP policies: </strong>a periodic review of policies, rules and logs is critical to identifying false positives and negatives.</span></li></ul>
<p>Read more: <a href="http://www.cisoplatform.com/profiles/blogs/7-tips-to-dlp-implementation?__hstc=14264616.32b692c452cf977e76916601185bc2d5.1574326365088.1574954957601.1575010238877.5&__hssc=14264616.28.1575010238877&__hsfp=2230078507" target="_blank">7 Tips For DLP Implementation</a></p>
<h3><span><strong>Associated operational risks of a DLP implementation</strong></span></h3>
<p><span>A high volume of false positives may cause productivity loss, hence a planned and systematic approach is needed. A black-box approach and the use of ready-made templates should be avoided.</span></p>
<p><span>Involve the right business users from all departments from the initial stage itself. Business users are the right people to take a quick decision on a false positive, and IT can tune the rules and policies accordingly.</span></p>
<p><span>Proper placement of DLP components is critical, else you will certainly miss coverage for an important data stream. 
An updated network diagram must be available to the DLP team so they understand the flow of information in the network.</span></p>
<p><span>Tight integration between DLP and the directory service (AD or LDAP) is essential, else it will be difficult to trace the user in case of a violation.</span></p>
<p><span>This is a re-post of the blog originally published on CISO Platform.</span></p>
<p><span>Link to original blog: <a href="http://www.cisoplatform.com/profiles/blogs/dlp-an-approach?__hstc=14264616.32b692c452cf977e76916601185bc2d5.1574326365088.1574954957601.1575010238877.5&__hssc=14264616.28.1575010238877&__hsfp=2230078507">http://www.cisoplatform.com/profiles/blogs/dlp-an-approach</a></span></p></div>
5 Tips To Evaluate Your Readiness Before Implementing Data Loss Prevention (DLP) Solution https://www.cisoplatform.com/profiles/blogs/5-tips-to-evaluate-your-readiness-before-implementing-data-loss 2019-11-29T08:30:00.000Z 2019-11-29T08:30:00.000Z Denise https://www.cisoplatform.com/members/Denise
<div><p><span><span class="font-size-4">Here are some tips to evaluate your readiness before implementing a Data Loss Prevention (DLP) solution:</span></span></p>
<ul><li><h3><span><b>Your organization has developed an appropriate policy to govern the use of the Data Loss Prevention (DLP) solution</b></span></h3><p><span>To draw true value from any DLP deployment, an organization must first come up with a DLP-specific policy. The policy should clearly state the goals and objectives of the DLP deployment, identify and allocate resources for it, and set out the roles and responsibilities of stakeholders for effective governance of the program.</span></p></li></ul>
<ul><li><h3><span><b>You can define the data to be protected in your Data Loss Prevention (DLP) solution</b></span></h3><p><span>It is very important to know what is to be protected. You have to be very meticulous in defining what constitutes sensitive data. 
You can look at the regulatory requirements your organization must comply with and/or refer to the various industry standards to find out.</span></p></li></ul>
<ul><li><h3><span><b>You have conducted a risk assessment to identify the applications, people, processes, systems and protocols that deal with the sensitive data</b></span></h3><p><span>Once you have defined what is to be protected, the next step is to find out who to protect it from, and how to protect it. A risk assessment can help you answer these questions. Identify all the key applications that process the data, the systems on which it resides, the network devices through which it passes, the protocols it uses, the people who use it etc. Unless this is in place, your DLP solution cannot function properly.</span></p>
<p>Read more: <a href="http://www.cisoplatform.com/profiles/blogs/7-tips-to-dlp-implementation?__hstc=14264616.32b692c452cf977e76916601185bc2d5.1574326365088.1574954957601.1575010238877.5&__hssc=14264616.29.1575010238877&__hsfp=2230078507" target="_blank">7 Tips For DLP Implementation</a></p></li></ul>
<ul><li><h3><span><b>You have designed a workflow to handle policy violations and data breaches</b></span></h3><p><span>An incident response workflow must be designed to tackle any data breach. A flow chart can be developed identifying the steps to take to isolate the incident, the people to notify immediately, and the methods for preserving evidence for forensics. The entire process must be tested by conducting drills at regular intervals. 
A DLP solution can only function with proper policy definitions and violation test cases.</span></p></li></ul>
<ul><li><h3><span><b>Your organization has clearly defined roles and responsibilities for each employee, including privileged users</b></span></h3><p><span>Clearly define the roles and responsibilities of each employee. Who is the owner of the data? Who is its custodian? Who is its user? The answers to these questions will help you assign privileges to users on data. If your DLP solution does not have the proper privileges defined, wrong access will never raise flags.</span></p></li></ul></div>
Data Leakage Protection (DLP) via email gateway and Regulated Internet access https://www.cisoplatform.com/profiles/blogs/data-leakage-protection-dlp-via-email-gateway-and-regulated 2019-11-29T10:00:00.000Z 2019-11-29T10:00:00.000Z Denise https://www.cisoplatform.com/members/Denise
<div><h3><span><strong>About the project</strong></span></h3><p><span>The scope of the project encompassed business units, support functions, 200+ processes and 8500+ employees. The project was an outcome of the data pilferage risk envisaged for sensitive customer information and financial data. 
The risk assessment took inputs from various avenues such as internal audits, external audits, risk events and control committees conducted with top management; the business requirements were driven by customer expectations.</span></p>
<h3><span><strong>The overall project approach:</strong></span></h3>
<ul><li><span>Risk assessment</span></li><li><span>Management buy-in</span></li><li><span>Business alignment</span></li><li><span>Budgeting</span></li><li><span>Product selection / proof of concept</span></li><li><span>Solution deployment and operations</span></li></ul>
<h3><span><strong><span class="font-size-4">Checklist to consider in evaluating and implementing a DLP solution</span></strong></span></h3>
<p><span><strong>Identify critical business information</strong></span></p>
<ul><li><span>Right scoping to cover all the critical business processes</span></li><li><span>Defined roles and responsibility matrix</span></li><li><span>Identification of the sensitive information</span></li><li><span>Laying down the notification and reporting requirements</span></li></ul>
<p><span><strong>Policy definition and finalization</strong></span></p>
<ul><li><span>Defining and documenting the policy statements.</span></li><li><span>Configuring the tool with the policy statements.</span></li><li><span>Establishing the protocol for policy violations and related logging.</span></li><li><span>Mapping internet access and external email access to role profiles to ensure that access is strictly as per business need.</span></li></ul>
<p><span><strong>DLP incident management process and consequence management</strong></span></p>
<ul><li><span>Incidents reviewed by the appropriate incident managers.</span></li><li><span>Incident analysis to determine legitimate use of business information</span></li><li><span>Identify wrong business processes</span></li><li><span>Add new processes to address data loss 
risks</span></li><li><span>Identify policy fine-tuning recommendations</span></li></ul>
<p><span><strong>Policy fine-tuning</strong></span></p>
<ul><li><span>Based on the findings from the earlier exercise, policies need to be fine-tuned</span></li><li><span>Policy fine-tuning reduces unwanted incidents</span></li><li><span>Helps organizations move the DLP tool from monitoring mode to blocking mode</span></li><li><span>Actionable auditing and policy fine-tuning are a continuous process</span></li></ul>
<p><span><strong>Continuous monitoring and management reporting framework</strong></span></p>
<ul><li><span>Establish a mechanism to feed the learning back in, to ensure a mature program is in place</span></li></ul></div>
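The "An Approach for DLP Implementation" article above says DLP rules combine content awareness (What) with context (Who, Where, How) and shows a What/Who/Where/How/Action table; it also recommends starting in monitoring mode and moving to blocking mode only after tuning false positives. The following is an added example, not code from CISO Platform or any DLP product: a toy rule evaluator that classifies content (a Luhn-checked card-number detector and an Indian PAN pattern), encodes that table as rules with constructed labels, and applies the monitor-versus-block distinction.

```python
import re
from dataclasses import dataclass

# --- "What": content classifiers -------------------------------------------
# Card-number candidates are validated with the Luhn check so that random
# 13-19 digit strings (order ids, tracking numbers) do not become false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
PAN_RE = re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")  # Indian PAN format, e.g. ABCDE1234F (constructed)

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> set:
    """Return the content labels found in text: 'credit-card' and/or 'pan'."""
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("credit-card")
    if PAN_RE.search(text):
        labels.add("pan")
    return labels

# --- "Who / Where / How": context, plus the article's table as rules ---------
@dataclass(frozen=True)
class Rule:
    what: str        # content label (from classifiers or discovery fingerprints)
    who: str         # originating department
    where: str       # destination
    how: str         # channel
    actions: tuple   # as in the table: block/allow, notify, audit

# The What/Who/Where/How/Action table from the article, with constructed labels.
POLICY = [
    Rule("financial-statement", "finance", "personal-email", "mail", ("block", "notify", "audit")),
    Rule("financial-statement", "finance", "tax-consultant", "mail", ("allow", "notify", "audit")),
    Rule("salary-statement", "hr", "usb", "memory-stick", ("block", "notify", "audit")),
]

@dataclass
class Event:
    who: str
    where: str
    how: str
    text: str
    fingerprints: frozenset = frozenset()   # labels attached by data-at-rest discovery

def evaluate(ev: Event, mode: str = "monitor") -> dict:
    """Content + context -> decision. In 'monitor' mode a matching block rule is
    downgraded to allow (still notified and audited) so false positives can be
    tuned before the tool is switched to 'block' mode."""
    labels = classify(ev.text) | set(ev.fingerprints)
    for r in POLICY:
        if r.what in labels and (r.who, r.where, r.how) == (ev.who, ev.where, ev.how):
            actions = list(r.actions)
            if mode == "monitor" and "block" in actions:
                actions[actions.index("block")] = "allow"
            return {"actions": tuple(actions), "rule": r, "labels": sorted(labels)}
    # No rule matched: allow, but audit if sensitive content was seen (a tuning signal)
    return {"actions": ("allow", "audit") if labels else ("allow",), "rule": None,
            "labels": sorted(labels)}

if __name__ == "__main__":
    # Constructed sample event: finance user mailing a fingerprinted statement home
    leak = Event("finance", "personal-email", "mail",
                 "Q3 P&L attached. Corporate card 4111 1111 1111 1111.",
                 frozenset({"financial-statement"}))
    print(evaluate(leak))                 # monitor mode: ('allow', 'notify', 'audit')
    print(evaluate(leak, mode="block"))   # block mode:   ('block', 'notify', 'audit')
```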