Security is all about managing risk. In other words, there are some things that you should really worry about, some things that are kind of important to keep an eye on, and some things that you don't need to lose much sleep over. Once you've prioritized the risks facing your environment, you can then proactively deal with each of them.
When it comes to IT infrastructures, what are the main areas of risk you should be concerned about? Or in other words, where should you spend a good portion of the time, energy, and money you have budgeted for risk protection? System and network administrators will differ on how they answer this question, but it's an important question to ask--and not just to ask but also to have an evidence-based answer for.
To help us navigate this topic, I reached out to a colleague with lots of experience in IT management. Kelvin Jones is a seasoned veteran in the IT industry with over 20 years of experience. He is a certified IT Manager at the University of Cape Town, South Africa, and over the years has accumulated an array of 20+ certifications from Novell, Microsoft, Cisco, and others. He is originally from Canada and spent several years working on IT projects for UN agencies in Geneva, Switzerland, before settling in Durban, South Africa, where he currently manages cloud services for CLOUD29. Let's see what we can learn now from Kelvin's experience with minimizing the attack surface faced by a typical IT infrastructure.
You might be surprised, or maybe not
Email. This is, in my opinion, the biggest attack surface in any company.
After that opener, you might agree, or perhaps you're ready to jump up and object that email is not the biggest attack surface. Before you do, think about the endpoints it touches and exposes. You might then say "hold on, browsing the internet is even more pervasive, and by your definition, an even bigger attack surface!" Well, feel free to disagree, but the difference between email and a browser is this:
Firstly, most employees today understand that they don't want to visit certain websites.
Secondly, the company firewall already blocks visits to the known dodgy areas of the world wide interweb.
With email, however, their company mailbox is their trusted companion. Being such, employees let their guard down when using it, making the threat greater and the probability higher that some bad boy, like ransomware, can find its way in. The risk of this happening via a browser is there but far less. That said, I must admit that drive-by downloads and click-bait attacks right from the modern browser's news-enabled home page are on the rise and becoming very sophisticated. I fell victim to that myself last year--but that's another story.
The size of your company doesn't matter either: from the home office to the enterprise, email is the biggest attack surface in your company.
I initially thought that Office 365 (O365), or even its competitor, Gmail for Business, would take over and help businesses move to a safer email system that's not based on POP or an insecure IMAP platform. After all, O365 has been growing by leaps and bounds and Google seems to corner a lot of the market.
While the move is happening, not all small-to-medium businesses are on board yet, mainly due to cost. I single out POP- and IMAP-based systems because these are typically cheap today, and they are cheap because the anti-virus (AV) and anti-spam (AS) engines are usually free and not as well maintained as their paid-for counterparts.
In fact, on the cloud apps solution (CloudApps & Desktops) that we build for our customers, we don't allow POP and IMAP email to be used; the protocols are blocked at the datacenter firewall by default. We encourage the use of our own hosted Exchange in the datacenter or some form of O365 mail. We do allow POP and IMAP if customers can prove they are using a well-known or trusted platform like O365 or Gmail for Business, or have a reliable security system for inbound mail. If they don't have any of the above, we offer them a value-added service that's been sanitizing our email for years, Mimecast. I don't own shares in Mimecast nor do I work for the company, and despite my differences of opinion about the direction they are heading with their pricing and partner model, they still build what I honestly believe is the world's best email security and archiving system.
A defense-in-depth strategy to mitigate ransomware
Before we get into that, though, let me explain how we use our firewalls, remote monitoring and management (RMM), antivirus (AV), RansomFree and Mimecast as part of a defense-in-depth strategy to mitigate ransomware, phishing, and impersonation attacks in our email and cloud apps systems. This is how we reduce our biggest attack surface, which is email.
We begin with the firewall. I don't want to downplay the value of a firewall, but I won't extol its virtues either. In some cases, a NAT router can be almost as effective if it has basic outbound port blocking. That said, we have a Fortigate firewall in the datacenter and we do recommend them to our customers when they need to keep their bandwidth under control, ensuring their Internet connection is used only for business. The real advantage I'm finding is the firewall's ability to trap dial-home attacks that may get launched from a device on the company network. Many firewall vendors have this feature: they maintain a list of known botnets, as they're called, so that an attack launched from one of the endpoints on your LAN, which could ultimately end in your systems being ransomed, can be stopped when it tries to phone home. That's layer one of our defense-in-depth. I also use the firewall to prioritize certain traffic for quality of service. These two features are what your average NAT device, the home-based Internet router, doesn't have.
Let's move on to the RMM and AV, leaving Mimecast for last. On the RMM side, we run a script that alerts us if ransomed files are found. While this does not protect a system against ransomware, it does give your technical team a heads-up, hopefully early enough that they can prepare to deal with the customer more effectively and restore the system in a timely manner.
In terms of an AV engine, we use Bitdefender because it was the first we found to combine ransomware mitigation techniques into its engine. It's delivered via the SolarWinds RMM, which makes it easy to keep an eye on and maintain. In at least one attack that we're aware of, it shut the server down while files were being ransomed. Because the attack had not embedded itself, when the server restarted it had been mitigated effectively enough that only a few encrypted files needed to be restored, without any need for a full system restore. Nice!
This led us to look for even more protection, though, and we came across RansomFree. This is a nice free honey-pot style ransomware fighter that works. I'll admit we don't put it on all our cloud apps systems, but we offer it to the customers who want the extra layer. It tends to prompt the users a bit more about their actions, which is something we like, and when you first log in, it's not totally in your face. Those that use it love it. It's free, as the name suggests, and always will be according to its creators, so it's worth a look if you haven't heard of it.
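As an added illustration of the two host-side layers just described (it is not the author's RMM script, nor RansomFree's code), here is a check an RMM job could run against a file share: it plants a honeypot canary file and later verifies it, and it scans for ransom-note file names and for many files sharing an extension the business never uses. The indicator lists, the canary name and the sample share are all constructed.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Constructed indicator lists; tune them from your own incident data.
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.html"}
EXPECTED_SUFFIXES = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".zip"}
CANARY_NAME = "_canary_do_not_touch.txt"  # honeypot file, in the RansomFree spirit
CANARY_BODY = b"canary file - nothing legitimate ever writes here"

def plant_canary(root: Path) -> str:
    """Write the honeypot file and return the SHA-256 the check will verify later."""
    (root / CANARY_NAME).write_bytes(CANARY_BODY)
    return hashlib.sha256(CANARY_BODY).hexdigest()

def scan(root: Path, canary_digest: str, threshold: int = 20) -> dict:
    """Return the indicators found under root; an empty dict means nothing suspicious."""
    findings: dict = {}
    suffix_counts: Counter = Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTE_NAMES:
            findings.setdefault("ransom_notes", []).append(path.name)
        suffix_counts[path.suffix.lower()] += 1
    canary = root / CANARY_NAME
    if not canary.is_file() or hashlib.sha256(canary.read_bytes()).hexdigest() != canary_digest:
        findings["canary_changed"] = True  # honeypot modified, renamed or deleted
    # Many files sharing one extension the business never uses is the mass-rename signature.
    for suffix, count in suffix_counts.items():
        if suffix and count >= threshold and suffix not in EXPECTED_SUFFIXES:
            findings.setdefault("mass_rename", {})[suffix] = count
    return findings

def demo() -> tuple:
    """Constructed share: a clean baseline, then the state an encryption event leaves behind."""
    root = Path(tempfile.mkdtemp())
    digest = plant_canary(root)
    for i in range(5):
        (root / f"report{i}.docx").write_text("quarterly figures")
    clean = scan(root, digest, threshold=5)
    for i in range(5):  # documents renamed with a stacked, unfamiliar extension
        (root / f"report{i}.docx").rename(root / f"report{i}.docx.zzz")
    (root / "README_TO_DECRYPT.txt").write_text("constructed ransom note")
    (root / CANARY_NAME).write_bytes(b"overwritten")
    return clean, scan(root, digest, threshold=5)
```

In a real RMM job, `scan` would run on a schedule against the customer's shares and raise a ticket whenever it returns anything other than an empty dict.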
Finally, let's talk about Mimecast. Here's where I'd like to ask if anyone has other suggestions for products that might be, in your opinion, as good or better (answer in the comments or to Mitch directly). Honestly, their cost and partner model have made me ask this question. If it weren't for that, I'd be praising them without restraint. So, what's so good about their security product? I've found three basic elements that provide security beyond their rock-solid AV and AS. They have:
- layered attachment protection
- link protection
- impersonation protection
Attachment protection is what Mimecast calls it, but I'm calling it "layered" attachment protection because they just recently enhanced this service. Let me give you the basic rundown on each one; you can check them out online for a deeper dive if need be.
Layered Attachment Protect
This service scans inbound attachments and passes them on to you in a number of different ways, depending on how you configure it. In one method, it literally converts every attachment to a "safe" attachment, creating something like a plain text version of the original document. No code, no viruses, and no dial-home attacks are possible. Most users are not fans of this, as they rely a lot on formatting, so the option I like the most is the Pre-Emptive Sandbox. This opens each attachment in a sandbox to see if any viruses launch or if anything attempts to dial home. It can be configured to open only specific types of documents and sanitize them before it passes them on to you. There is an awesome new feature they just made available too, and this is why I call this "layered" attachment protection. It can be configured not only to sandbox-sanitize the document, but also to replace any links in the document with safe links. If users click a link in the document, they are directed to the Mimecast Link Protect security feature. Is that cool or what? You might be thinking about how slow this must make your email; however, I must say that although there may be minor delays, it's incredibly efficient at doing all of this.
Link Protect
When a user clicks a link in their email, or in an attachment that's been scanned with attachment protect and configured as explained above, they are redirected to Mimecast's "protect" site where the link is checked, and as they say on one of their community portals, the system "performs a layered security check on the destination site." If the link is found to be safe, the user is then redirected to the original website. Talk about error code ID10t proofing your email! Do you find this as cool as I do? If that's not enough, get this: it can be set to automatically provide end-user education. After a certain percentage of clicks on protected links, the system will land them on a page that explains the dangers of indiscriminately clicking on links and creates awareness that, while they are protected, they still need to be vigilant. Is there anything out there that you use or have found with the same or similar functionality? I'd love to hear about it.
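To make the rewrite-then-check flow concrete, here is a minimal model added for this article (it is not Mimecast's code and says nothing about how their service is built): links in a message are rewritten to point at a checking gateway, the gateway verifies that it issued the link, checks the destination against reputation data, and every so often shows the awareness page before sending the user on. The gateway host, the HMAC secret, the blocklist and the every-N-clicks rule are constructed assumptions.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlsplit

GATEWAY = "https://protect.example.invalid/click"  # placeholder gateway, not a real host
SECRET = b"constructed-demo-key"  # a real deployment uses a managed secret
BLOCKLIST = {"malicious.example"}  # constructed reputation data, checked at click time
EDUCATION_EVERY = 3  # assumption: awareness page once every N protected clicks per user

def _tag(url: str) -> str:
    """HMAC over the original URL so the gateway cannot be used as an open redirect."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:32]

def rewrite_links(html: str) -> str:
    """Replace every http(s) href with a gateway link carrying the original URL and its tag."""
    def repl(m: re.Match) -> str:
        original = m.group(1)
        return f'href="{GATEWAY}?u={quote(original, safe="")}&t={_tag(original)}"'
    return re.sub(r'href="(https?://[^"]+)"', repl, html)

def params(gateway_url: str) -> dict:
    """Recover the u/t query parameters from a rewritten link, as the gateway would."""
    return {k: v[0] for k, v in parse_qs(urlsplit(gateway_url).query).items()}

def handle_click(clicks: dict, user: str, original: str, tag: str) -> tuple:
    """Gateway decision for one click; clicks counts protected clicks per user."""
    if not hmac.compare_digest(_tag(original), tag):
        return ("reject", None)  # tampered or forged link: never redirect
    host = urlsplit(original).hostname or ""
    if host in BLOCKLIST or any(host.endswith("." + b) for b in BLOCKLIST):
        return ("block", original)  # destination failed the reputation check
    clicks[user] = clicks.get(user, 0) + 1
    if clicks[user] % EDUCATION_EVERY == 0:
        return ("educate", original)  # awareness page first, then on to the site
    return ("redirect", original)

def demo() -> list:
    """Constructed message with a benign and a blocklisted link, replayed through the gateway."""
    html = ('<a href="https://docs.example/report.pdf">report</a> '
            '<a href="https://login.malicious.example/reset">reset</a>')
    links = re.findall(r'href="([^"]+)"', rewrite_links(html))
    clicks, out = {}, []
    for link in links:  # first click on each rewritten link
        p = params(link)
        out.append(handle_click(clicks, "alice", p["u"], p["t"])[0])
    p = params(links[0])
    out.append(handle_click(clicks, "alice", p["u"], "0" * 32)[0])  # forged tag
    for _ in range(2):  # keep clicking the benign link until the education page fires
        out.append(handle_click(clicks, "alice", p["u"], p["t"])[0])
    return out
```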
Impersonation Protect
This is something that Mimecast developed and just gave away. I believe they did that because it's probably the least effective of all their products, but that's mainly because the settings are managed according to criteria that you need to specify. It attempts to use common patterns and identifiers that are found in "whaling" attacks aimed at senior management. These attacks typically get past spam engines because they are not spam and don't contain suspicious links. In any case, it has proven effective and adds yet another layer to your defense-in-depth email security strategy.
As in the physical world, there are no perfect security systems in the virtual one. That said, there are still a number of systems that, when combined to create a defense-in-depth strategy, can be very effective. As an anecdotal aside, using the above, we managed to run our cloud services 100% ransom free in 2016 and since then have had just one customer system ransomed. While it's a bit embarrassing for anyone to admit, we're still proud of our achievement that, up to the time of writing this article, out of the thousands of users in our cloud, only the 12 users associated with that customer have been affected by ransomware. I believe that speaks to the power of reducing your attack surface, not just in your email but at all levels. Hopefully, some of this helps many of you. If you have any suggestions for improvement or any other products that you feel would make a good replacement for Mimecast, please let me know; I want to hear about it!
Photo credit: Bing Images. License = All Creative Commons