5 Steps to Take on Ransomware Using a Defense-in-Layers Approach

While cyberthreats and ransomware attacks cannot be eliminated, this strategy can reduce the chance of devices getting infected with the malware.

by Sam Musa / April 14, 2016

Cyberattacks target everyone, including small companies, large companies, government agencies, executives and even salespeople. Cybercriminals are using sophisticated methods to gain unauthorized access to information systems to steal sensitive data, personality identifiable information or even classified materials. Some of the creative methods that attackers use to gain unauthorized access are backdoor programs, social engineering and ransomware. Ransomware, as the name implies, is software that encrypts files and then requires payment of ransom in order for a person or organization to be re-granted access to their restricted files. Thus, ransomware is an access-denial type of attack that prevents legitimate users from accessing files.

While threats and ransomware attacks cannot be eliminated, use of the defense-in-layers security strategy is the best approach in reducing the chance of devices getting infected with the malware. Defense-in-layers advocates applying security measures in separate but overlapping protections to ensure the implementation of a solid security posture. The security layers are designed to complement each other by ensuring that a vulnerability that’s not mitigated in one layer is mitigated by a different control available in another layer. 

The five layers of this approach are:

1. Develop a Comprehensive but Self-Contained Policy

IT senior management must develop a policy as the foundation layer for their security program. The policy needs to highlight the key steps the agency is establishing to address ransomware. The policy acts as an enforcement agent to grant security management the authority to apply adequate measures and take appropriate actions against violations. The policy needs to state the reasons for and the benefits of introducing the new changes. The policy also must state what the rules are — what’s permissible and prohibited with minimal reference to other documents.

A critical component of a policy is an enforcement clause: Agencies must state the consequences of not following the policy. Agencies also must lay out the steps that will be taken to enforce the policy. Once the policy is in place and has been distributed, it’s certain that some users will not follow it intentionally or unintentionally; therefore, a multilayer security approach is required to enforce the policy, which takes us to the next step, filtering traffic at the network level.

2. Content Filtering Proxy for Web and Mail Traffic

A content filtering appliance at the network level is a critical element in ensuring a strong security posture. IronPort, Blue Coat and other content filtering appliances allow Web and mail filtering by blocking .exe, .bat and other selectable file extensions. Reputation filtering and blocking by category are also allowed. Although carefully thought-out implementation of content filtering, intrusion prevention and sandboxing technologies will block most malicious traffic, there’s still a worrisome chance of sophisticated malicious malware penetration through these measures. Thus, there’s a need for another layer of security that can be implemented to ensure the policy enforcement, which takes us to the third step: limiting users’ access modes and authorization levels.

3. Limited-Mode Access


Agencies should refrain from granting users administrator rights to the local machine. In general, agencies should not grant more than 2 percent of their workforce administrative rights. In rare occasions, where an essential tool requires persistent admin rights, this authorization may be granted, but practical methods to restrict the authorization to the specific task or program should be considered. Placing the network users in a limited-mode access greatly reduces the chances of network malware infections. Even if a device becomes infected, the infection is contained by not allowing domain or network access from a limited-access machine. 

As the access level signifies, limited privilege means that users still have some ability to create and execute programs at their HKey Local user level. Some ransomware takes advantage of this vulnerability by infecting machines and then performing privilege escalation; as a result, network drives may still get infected. In addition to backing up important data, network administrators may apply application whitelisting, or limiting execution ability to specified programs, as an additional layer of security to limit this possibility.

4. Enable AppLocker


AppLocker is a Microsoft application-whitelisting tool that’s used to limit file execution from unknown vendors. The tool works by executing only approved applications. It also prevents programs to run from directories where users have write access. AppLocker can perform a location-based whitelisting, where files are restricted from executing unless they reside in a controllable directory. It also offers a mechanism through which unsigned code can be blocked. Most Microsoft operating systems come with AppLocker, through which system administrators can enhance the security posture. AppLocker is another layer of security, but it’s not the only measure agencies should rely on. As the old saying goes, one ounce of prevention is worth a pound of cure — it is much easier to prevent malware from reaching the network in the first place by teaching users not to access suspicious sites or download malicious contents. This can be done by conducting security awareness training.

5. Continuous Awareness Training

It is now virtually impossible to spot expertly crafted malware and ransomware in particular, which is increasingly and exactingly honed to an individual recipient. Therefore, it’s also necessary for agencies to maintain awareness of innovative new types of malware. A strong IT security program cannot be executed successfully without training users on security threats, policies and techniques to protect their assets. Agencies must understand that users are one of the essential lines of defense against cyberthreats, so there is a need for continuous awareness training.

The training must focus on providing knowledge to protect information systems and sensitive data from both internal and external threats. Training contents may include social engineering techniques and how to avoid them, identity theft, cyber sexual harassment, peer-to-peer sharing programs and steps on how to avoid posting sensitive information online. Agencies should offer awareness education throughout the year through formal training, monthly tips and wall posts to remind users that security is everyone’s responsibility. Security emails and announcements should be informative, rather than simply repetitious. 

In conclusion, the goal of information security is to ensure confidentiality, integrity and availability of assets. States and government agencies must not forget that security controls encompass technical measures, such as sandboxing, as well as nontechnical measures, such as awareness training. Technical measures alone are not enough to ensure the security of an agency’s assets. For example, even a perfect sandbox environment will not detect malware that explodes only six weeks in the future; the exploiters can wait.

There is no one solution that fits all — threats cannot be eliminated. Nonetheless, IT security management may mitigate risks by backing up data, testing the data-recovery process and applying security measures in overlapping independent but coordinated layers — a defense-in-layers approach.

Dr. Sam Musa has over 18 years of experience in a senior leadership role with strong enterprise architecture, cybersecurity, project management, compliance, risk management and strategic planning. Musa currently serves as an adjunct network and cybersecurity professor at the University of Maryland University College. He also serves as the chief of the IT services Branch at the Equal Employment Opportunity Commission.