Ed Note: I wrote this over the weekend, having no idea there was going to be a major ransomware attack across the world this week. Just a coincidence, but one that certainly reminds us yet again that this is an escalating challenge for all. – KW
The WannaCry Ransomware attack in May was unfortunate and widespread, but it had one beneficial effect – it helped to raise awareness of the plague that is ransomware. Yesterday I published this article explaining how education is the no. 1 target for ransomware these days, listing 15 different schools that have ended up in the news after being hit.
So, what is a school to do? Well, obviously your networking and security folks need to be on top of the many technical requirements that can help to ward off attacks. For example, it is vital that printers and other “end point” devices be secured, as these are a primary target for attack. But there is also plenty that you and I can do by helping to raise awareness and by being vigilant with our own passwords and related practices.
Here are 10 Tips to Minimize the Risks of a Ransomware Attack.
Some of these are geared towards users and some are for the tech team.
- Ongoing Computer Security Awareness Training: Not only is this a great idea, it is actually a regulatory requirement for many industries. In the case of Higher Education, Title IV eligibility requirements dictate a whole bunch of good security practices, including regular CSA training. It doesn't end there – the Gramm-Leach-Bliley Act, the Higher Education Opportunity Act, and several others also require vigilance and training.
- Proper Password Practices: Passwords are a huge vulnerability and there are still too many users using obvious, easy-to-hack passwords. All passwords should be at least 8 characters, and include a mix of numbers, upper and lower case letters and special characters. And stop using the same password all over. And change them frequently. Yes, this is a total PIA, but crappy passwords are one of the biggest vulnerabilities on our systems. Similarly, having your systems lock users out for a while if they try three incorrect passwords is a great way to obstruct hackers from breaking into accounts.
- Be far more hesitant to click on any link: Don't click on links that you don't recognize. Don't click. Seriously. Slow down. Cut it out. Be more careful. Look closely. Get it?
- Test Those Backups: Just making backups isn't enough, you need to periodically test them to make sure you can actually restore the data.
- Keep Software Up-To-Date: One of the main reasons to take software patches and updates is to patch holes the manufacturers learn of and correct.
- Secure Those Endpoints: Too often, printers and other end point devices are on the same networks as our computers and they have default admin passwords that have not been changed. All of these devices should be on their own Virtual Networks, and have their admin passwords changed.
- Be Wary of “Smart” Devices: Do you really need your microwave connected to the Internet? Seriously though, the proliferation of the “Internet of Things” brings with it a rapidly growing set of connected gadgets – personal assistants like Siri and Alexa, smart controllers in our buildings, thousands and thousands of security cameras, and so on. As noted above, these are all vulnerable endpoints that need to be secured.
- Consider 2-step authentication for particularly sensitive systems or access situations: Many of us have probably experienced 2-step authentication in order to access some system or another. A typical example is when you have to enter a code that is sent to your phone in order to sign into a system somewhere. This is a powerful approach to security. If you have people remotely accessing systems at school, 2-step authentication can go a long way towards preventing successful hacking attempts.
- Computer Security Practices apply to your personal life as much as your work life. This isn't something that only matters for your computer and devices used for work. Many of us have elements of our work life connected to personal devices. Can you check your work email from your phone? There you go. If someone can hack into your phone or home computer, etc., they are often one step closer to accessing information or systems you use for work purposes.
- Turn off Admin privileges for accounts that don't need them: This is one of my favorite tips and is something hardly anyone would think of for their home or personal computers. If you don't have administrative privileges and you accidentally click on a link that would install a malicious application, it generally won't be able to run. Yes, this means that if you want to purposely install something you need to log in as an admin (or have someone do it for you), but that is not much of an inconvenience compared to having to pay hundreds or even thousands of dollars to get the keys to unlock your files when they are locked down by ransomware.
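For the tech team, the "Test Those Backups" tip can be automated. The sketch below is an added example, not part of the original article: it assumes backups are `.tar.gz` archives and that a SHA-256 manifest is recorded at backup time, and all function names and sample files are hypothetical.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def files_under(root):
    return [p for p in sorted(Path(root).rglob("*")) if p.is_file()]

def build_manifest(source):
    # Taken at backup time; store it away from the backup itself.
    return {p.relative_to(source).as_posix(): sha256_of(p) for p in files_under(source)}

def make_backup(source, archive):
    with tarfile.open(archive, "w:gz") as tar:
        for p in files_under(source):
            tar.add(p, arcname=p.relative_to(source).as_posix())

def restore_test(archive, manifest):
    # Restore into a scratch directory, never over live data, and check every file.
    report = {"unreadable": False, "missing": [], "mismatched": []}
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **opts)
        except (tarfile.TarError, OSError, EOFError):
            report["unreadable"] = True
            return report
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                report["missing"].append(rel)
            elif sha256_of(restored) != expected:
                report["mismatched"].append(rel)
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as work:  # constructed sample data
        src = Path(work, "share")
        src.mkdir()
        (src / "grades.csv").write_text("student,grade\nA,90\n")
        manifest = build_manifest(src)
        make_backup(src, Path(work, "nightly.tar.gz"))
        print(restore_test(Path(work, "nightly.tar.gz"), manifest))
```

Run on a schedule, a non-empty `missing` or `mismatched` list, or `unreadable` set to true, means the backup would not have restored the data as it was when the manifest was taken.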
So, what else should we be doing to help keep our schools safe from Ransomware? Please comment and share your thoughts, suggestions, experiences, etc. Thanks!