
New approaches to protection against ransomware

Attacks like WannaCry have shown that conventional protection measures are often inadequate. To increase security, greater focus should be placed on user rights management and application control.
Michael Kleist, CyberArk
October 5, 2017
IT Security
This text has been automatically translated from German to English.

Traditional security approaches built on antivirus software or malware scanners are clearly insufficient on their own for defending against ransomware.

Such solutions try to detect attacks using signatures. If malware is detected, the protection software blocks it and denies it access to system resources.

This is exactly where their serious disadvantage shows: because they depend on first recognizing the malware, they cannot reliably protect against the growing number of new, previously unseen ransomware variants.

Companies therefore need additional measures. Common ones are application blacklisting, application whitelisting, application greylisting, and least-privilege control.

Blacklisting lets an organization stop known malware from executing in its environment. Against ransomware it is of little use: a new variant is, by definition, not yet on the list.

By its very nature, application whitelisting is the most complete answer to ransomware: it blocks every application that is not explicitly trusted, so an unknown encryptor simply does not run. Its coverage has a known limit, though: code that executes inside an already-trusted program, such as an Office macro or a script handed to a whitelisted interpreter, is not stopped by an executable whitelist alone.

Although this containment strategy prevents ransomware attacks extremely effectively, it too is difficult to implement in practice.

Unlike a blacklist, a whitelist is very time-consuming to create and maintain: not only every application in use must be covered, but above all every update of those applications.

An update changes the file's check value, typically its hash, so that it no longer matches the whitelist entry and the program, although approved, no longer starts. Rules keyed to the vendor's code-signing certificate rather than to a file hash survive such updates, but they only help for software that is actually signed.
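The hash-versus-update problem can be seen directly with the application control built into Windows. The following script is an added example for this article, not code from the original text or from CyberArk: it builds an AppLocker allow-list for the executables under an application root, prefers publisher (Authenticode signer) rules and falls back to hash rules only for unsigned binaries, reports which approved files depend on a brittle hash, tests a freshly patched file against the policy, and deploys the result in audit mode. It assumes Windows 10 or Server 2016 or later, an elevated PowerShell session, and the paths below, which are placeholders for your own estate. AppLocker knows only allow and deny; it has no greylist mode that lets an unknown program run with reduced rights, so this example covers the whitelisting part of the discussion only.

```powershell
# Added example, not code from the article or from CyberArk: build a Windows
# AppLocker allow-list for the executables under an application root, preferring
# publisher (Authenticode signer) rules and falling back to hash rules only for
# unsigned binaries, then test a freshly patched file against it before enforcing.
# Assumptions: Windows 10 / Server 2016 or later, an elevated PowerShell session,
# and the paths below, which are placeholders for your own estate.

$AppRoot    = 'C:\Program Files'
$PolicyFile = Join-Path $env:TEMP 'allowlist.xml'
$Candidate  = 'C:\Program Files\Vendor\app.exe'   # placeholder: the EXE a patch just replaced

# 1. Inventory: signer and SHA-256 file hash for every EXE below the root.
$files = Get-AppLockerFileInformation -Directory $AppRoot -Recurse -FileType Exe

# 2. Generate rules. With -RuleType Publisher, Hash a signed file gets a publisher
#    rule that survives version updates; only unsigned files fall back to a hash.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Allow' -Optimize -Xml |
    Set-Content -Path $PolicyFile -Encoding UTF8

# 3. Report the brittle part of the list: every unsigned file is allowed only by
#    hash, so its next update will be blocked until the list is regenerated.
$files | Where-Object { -not $_.Publisher } |
    Select-Object -ExpandProperty Path |
    ForEach-Object { Write-Warning "Hash-only rule (breaks on update): $_" }

# 4. Dry run: ask the policy what it would decide for the patched binary.
#    A signed update still matches its publisher rule (Allowed); an unsigned
#    update whose hash no longer matches is reported as Denied.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $Candidate -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Deploy in audit mode first. The generated collection is NotConfigured;
#    AuditOnly writes event 8003 ("would have been blocked") to the
#    Microsoft-Windows-AppLocker/EXE and DLL log without stopping anyone.
#    Change the attribute to "Enabled" only once that log has gone quiet.
(Get-Content -Path $PolicyFile -Raw) -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
    Set-Content -Path $PolicyFile -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

Two practical notes: AppLocker rules are only enforced while the Application Identity service (AppIDSvc) is running, so start it and set it to automatic on managed endpoints, and keep the warning list from step 3 as the work queue for the whitelist's maintenance burden the article describes, because each entry on it will break at that vendor's next update.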

Application greylisting offers a third option. Known malware on the blacklist is still prevented from running, while every application that is neither explicitly trusted nor known at all runs with restricted permissions.

The classification can be based on various parameters that an administrator defines centrally. Greylisting is thus more flexible than whitelisting and can stop specific actions by unknown applications, such as opening an Internet connection, accessing the network, or reading, writing and modifying files.

With its permissions limited in this way, an unknown program that turns out to be ransomware generally cannot reach and encrypt files. Last but not least there is least-privilege control, which is not only a basic security practice but also one of Microsoft's "Ten Immutable Laws of Security".

Ransomware is currently a very reliable and convenient method for attackers to confront companies with a dilemma: write off the hijacked data, or pay in the hope of getting it back.

Classic security solutions such as antivirus software are not effective against ransomware, so additional security measures are needed. The analysis above shows that blacklisting and whitelisting on their own are not suitable means either; the least-privilege approach combined with application control proves effective.

A first step is to revoke local administrator rights: CyberArk research has shown that a large share of modern malware needs such rights to work properly.

This measure alone is not sufficient, however: ransomware that runs as a standard user can still encrypt everything that user is allowed to write, including mapped network shares. Application control with greylisting is therefore equally important. Combining a least-privilege approach with application control gives an effective shield against malicious encryption without compromising user productivity.
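Revoking local administrator rights is the one step in this article that can be scripted directly. The following is an added example, not code from the original text or from CyberArk: it audits the local Administrators group on a Windows endpoint, removes every member that is not on an explicit keep list, and verifies the result. It assumes Windows 10 or Server 2016 or later (the LocalAccounts module), an elevated session, and the keep-list names below, which are placeholders; the `-WhatIf` switch is left in so the first run only reports.

```powershell
# Added example, not code from the article or from CyberArk: audit the local
# Administrators group, remove every member that is not on an explicit keep list,
# and verify the result. Leave -WhatIf in place for a report-only first run.
# Assumptions: Windows 10 / Server 2016 or later (LocalAccounts module), an
# elevated session, and the keep-list names below, which are placeholders.

$Keep = @(
    "$env:COMPUTERNAME\Administrator",   # built-in break-glass account; manage its password with LAPS
    'CORP\Workstation Admins'            # placeholder domain group for help-desk staff
)

# 1. Who holds local admin today? ObjectClass separates users from groups,
#    PrincipalSource separates local accounts from domain or Azure AD ones.
$members = Get-LocalGroupMember -Group 'Administrators'
$members | Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# 2. Strip everything not on the keep list (remove -WhatIf to apply).
$members | Where-Object { $Keep -notcontains $_.Name } | ForEach-Object {
    Remove-LocalGroupMember -Group 'Administrators' -Member $_ -WhatIf
}

# 3. Verify. Anything still listed here is an exception that needs a ticket.
$left = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $Keep -notcontains $_.Name }
if ($left) { Write-Warning ('Still privileged: ' + ($left.Name -join ', ')) }
else       { Write-Output 'Local Administrators group reduced to the keep list.' }
```

Run it first with `-WhatIf` across a pilot group and collect the reports; users who genuinely need elevation for a specific application are the cases the article's greylisting and privilege-elevation tooling is meant to handle, rather than a reason to leave them in the group.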

Michael Kleist, CyberArk

Michael Kleist is Regional Director DACH at CyberArk in Düsseldorf.

