Ransomware threats have been rising steadily since they first appeared in 1989, and the methods are diversifying as well. Beyond the initial stage of simple file encryption, attackers now also threaten to leak stolen data, and new types of attack such as RDDoS (ransom DDoS) and Rasominer have emerged.
The common element is data: information critical to the company, system access credentials, and personal information. As long as data can be turned into revenue, ransomware is expected to keep growing and its methods to keep diversifying.
Companies have been responding to ransomware for a long time, upgrading existing systems or building new defense systems to counter new types of threats. A typical multi-layer defense system can be classified as follows.
The fundamental element of this multi-layered defense is threat prevention, so most of the security effort, and most of the spending at most companies, is concentrated there.
Points to be improved for security in the terminal environment
Threat prevention is an area that is being handled well through specialized solutions, as its importance warrants, but as the terminal (endpoint) environment has recently moved to Windows 10, some areas need improvement in terms of security reinforcement.
The first is GPO-based OS hardening. In most countries, GPO-based hardening of Windows 10 terminals is performed as a compliance requirement, but Korea is not yet prepared for this. Organizations with a Windows 10-based terminal environment need to respond to this actively.
The second is patch management. Patch management has been in operation for a long time, and everyone regards it as so important that it needs no discussion. However, many companies treat it as a solution for satisfying compliance and operate it only in a form that meets the minimum requirements of compliance. Patches are the most reliable and basic way to remove security threats in advance, so they need to be approached from the perspective of active security enhancement, not from the framework of compliance.
When it comes to ransomware, recovery solutions are recognized as a major area, and many surveys show that backup/recovery is considered a key part of the response to ransomware. Backup/recovery is certainly important, but detection must be reviewed first in order to respond effectively to the latest ransomware types. Backup/restore is useful for recovering encrypted files, but it cannot counter threats based on data theft.
The detection that counters these threats is detecting the propagation of threats inside the network, so that damage is minimized. The key element here is the terminal. Most ransomware propagates internally by moving between terminals, so detecting propagation between terminals can be seen as the core of detection.
The importance of AD security
So, what information is essential for this propagation? Propagation between terminals requires, above all, an account and privileges for access, and, where necessary, a means of disabling the terminal's security.
AD (Active Directory) is the main target of attack for meeting these requirements, because AD manages the information on all terminals, access accounts, privileges, and the security settings known as GPOs. In other words, AD is bound to be a major attack target in all security threats, not only ransomware.
The general ransomware propagation path is as follows.
Until now, AD was like an ugly duckling, unwelcome in the security realm. However, as the terminal environment changes and exposure grows with changes in the working environment such as telecommuting, security weaknesses in AD that had not been revealed so far are emerging.
This starts with weaknesses in the AD management process. A secure management process here means one in which unauthorized access or change is controlled, and only the necessary privileges are allocated through least-privilege management, so that problems arising from excess privileges are prevented in advance. A stronger management process seems not to have been established because of the limitations of the functions AD itself provides (access control, fine-grained privilege assignment, etc.) and because AD was viewed only from an operational point of view.
In addition, an efficient real-time monitoring system can be established only with visibility into the changes occurring in AD. Naturally, recovery is an essential element in any form; the factor to consider here is providing a backup/recovery model suited to the characteristics of AD.
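The two detection signals the text names, propagation between terminals and changes in AD, can be illustrated with a small rule set. The following Python script is an added example, not part of the article and not code from any Quest Software product. It runs over constructed sample events whose field names are modelled on the data of Windows Security event IDs 4624 (logon), 4728 (member added to a global security group) and 5136 (directory service object modified); the hostnames, accounts, timestamps, the "WS-" workstation naming convention and the GPO distinguished name are all assumptions.

```python
"""Added example, not from the article or Quest Software: toy detection rules
for (1) propagation between terminals and (2) changes in AD, run over
constructed Windows Security event records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names follow the data of real Windows
# Security events (4624 logon, 4728 member added to a global security group,
# 5136 directory service object modified); every value is invented.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2021-05-20T09:00:05", "account": "alice",
     "logon_type": 3, "source_host": "WS-0101", "target_host": "WS-0102"},
    {"id": 4624, "time": "2021-05-20T09:03:40", "account": "carol",
     "logon_type": 2, "source_host": "WS-0120", "target_host": "WS-0120"},
    {"id": 4624, "time": "2021-05-20T09:05:12", "account": "alice",
     "logon_type": 3, "source_host": "WS-0101", "target_host": "FS-01"},
    {"id": 4624, "time": "2021-05-20T09:12:00", "account": "bob",
     "logon_type": 3, "source_host": "WS-0207", "target_host": "WS-0210"},
    {"id": 4624, "time": "2021-05-20T09:13:10", "account": "bob",
     "logon_type": 3, "source_host": "WS-0207", "target_host": "WS-0211"},
    {"id": 4624, "time": "2021-05-20T09:14:30", "account": "bob",
     "logon_type": 10, "source_host": "WS-0207", "target_host": "WS-0212"},
    {"id": 4624, "time": "2021-05-20T09:15:45", "account": "bob",
     "logon_type": 3, "source_host": "WS-0207", "target_host": "WS-0213"},
    {"id": 4728, "time": "2021-05-20T09:16:02", "actor": "svc_backup",
     "member": "bob", "group": "Domain Admins"},
    {"id": 4728, "time": "2021-05-20T09:20:00", "actor": "hr_admin",
     "member": "dave", "group": "Sales"},
    {"id": 5136, "time": "2021-05-20T09:17:30", "actor": "bob",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={PLACEHOLDER-GUID},CN=Policies,CN=System,DC=example,DC=local",
     "attribute": "gPCFileSysPath"},
    {"id": 5136, "time": "2021-05-20T09:18:00", "actor": "hr_admin",
     "object_class": "user",
     "object_dn": "CN=dave,OU=Sales,DC=example,DC=local",
     "attribute": "description"},
]

# Built-in groups whose membership changes should always be reviewed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators"}
# Logon types that mean a session was opened over the network: 3 = network
# (SMB/RPC style access), 10 = RemoteInteractive (RDP).
NETWORK_LOGON_TYPES = {3, 10}
GROUP_MEMBER_ADDED_IDS = {4728, 4732, 4756}  # global / local / universal groups


def is_workstation(host):
    # Assumption: workstations are named WS-nnnn; servers use other prefixes.
    return host.upper().startswith("WS-")


def detect_lateral_movement(events, window_minutes=10, min_hosts=3):
    """Flag an account that opens network or RDP sessions from one workstation
    to at least min_hosts distinct other workstations within window_minutes.
    A user normally works on one terminal; fanning out across terminals is the
    propagation pattern the text describes."""
    per_account = defaultdict(list)
    for e in events:
        if e.get("id") != 4624 or e.get("logon_type") not in NETWORK_LOGON_TYPES:
            continue
        src, dst = e["source_host"], e["target_host"]
        if src == dst or not (is_workstation(src) and is_workstation(dst)):
            continue
        per_account[e["account"]].append((datetime.fromisoformat(e["time"]), dst))

    alerts = []
    window = timedelta(minutes=window_minutes)
    for account, logons in per_account.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_movement", "account": account,
                               "hosts": sorted(hosts), "start": t0.isoformat()})
                break  # one alert per account is enough for triage
    return alerts


def detect_ad_changes(events):
    """Flag the two AD changes an attacker needs most: membership added to a
    privileged group, and modification of a GPO object (which can be used to
    push settings, including disabling protections, to every terminal)."""
    alerts = []
    for e in events:
        if e.get("id") in GROUP_MEMBER_ADDED_IDS and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_change", "account": e["member"],
                           "group": e["group"], "by": e["actor"]})
        elif e.get("id") == 5136 and e.get("object_class") == "groupPolicyContainer":
            alerts.append({"rule": "gpo_modified", "object": e["object_dn"],
                           "attribute": e["attribute"], "by": e["actor"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS) + detect_ad_changes(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data, only "bob" trips the propagation rule (four distinct workstations in under four minutes), while "alice" reaching one workstation and a file server does not; the AD rule reports the Domain Admins addition and the GPO change but ignores the routine Sales group and user-description changes. Real deployments would read these events from the Security log of domain controllers and terminals (the 5136 events require the Directory Service Changes audit subcategory and a SACL on the objects), and the thresholds would be tuned to the environment.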
Quest Software, a global leader in AD security that introduced the concept of AD security to Korea for the first time, covers all three areas. From a protection viewpoint, it provides GPOAdmin and Active Roles, access control and integrated management solutions for the management process; from a detection viewpoint, Change Auditor for real-time detection of internal and external threats; and from a recovery viewpoint, Recovery Manager for AD, an online AD recovery solution. In the protection area the offering is split into GPOAdmin for GPOs and Active Roles for account information, the two core kinds of AD data.
Since most threats that spread through AD proceed in a form that is difficult to distinguish from normal management processes, they are hard to defend against effectively with general security products, and the resulting damage is enormous, so a specialized solution or management methodology is required. Quest Software provides solutions optimized for AD services in all areas of protection, detection, and recovery, and is the best option for companies that want to strengthen AD security and maintain business continuity.
Chae Hongso, Quest Software consultant, has developed search engine, groupware, SSO and framework solutions, as well as application and infrastructure architecture. With experience in consulting on and building various integrated performance management solutions, he works as a consultant for network traffic-based performance and security solutions and for account and Microsoft platform security solutions.
[Notice] E-Newspaper Internet and Next Daily will hold a free online conference, "2021 Smart Digital Workspace Innovation", on Thursday, June 3 from 9:30 am to 5:00 pm. The conference will present in detail the latest technology, practical application know-how and success stories of global companies in the digital workspace field, along with methods to maximize the productivity and efficiency of a corporate work environment changed by the non-face-to-face era.
Source: 전체 – 넥스트데일리 by www.nextdaily.co.kr.