Securing your perimeter: Malware and ransomware – we’re all targets

 

 

You lock your doors, set the alarm, make sure the cameras are recording, but you may be trusting one of your most valuable assets to an Internet provider’s basic security device that simply can’t keep up with today’s threats.

 

By Mark Turpin

What if all your seed-to-sale data was taken and the only way to get it back was to pay someone a ransom in Bitcoin? What would it mean to your business if someone held for ransom your camera system and storage for recordings, putting you in violation of DHSS regulations?

Chances are, you have heard of malware and ransomware. The US Department of Health & Human Services reported that in 2016 there were 4000 attacks each day, a 300% increase from 2015, and those numbers have only continued to grow. Consider that in more than 54% of reported cyber-attacks on small businesses, the attack resulted in financial damages exceeding $500,000 via lost revenue, customers, out of pocket costs, and related fees.  That’s an astounding number for a small business to cope with. For many businesses, it means the end of operations.

All types of businesses, governments, and organizations have fallen victim to an attack in recent years. There have been breaches such as Equifax ($650 million settlement) and cannabis-specific ones such as MJ Freeway in 2016 and 2017. In the case of MJ Freeway, they were unable to process transactions from over 1,000 dispensaries and could not track sales and inventory for weeks. This reiterates the value of the data on your network – these types of attacks aren’t just targeted at companies that take credit cards. The nefarious people and groups behind these types of attacks prefer your business. They are betting that you will not have the protection mechanisms in place to thwart their attack.

Threats today are constantly evolving and whether you know it or not, there are people attempting to get into your network every minute of every day. Many forms of malicious software operate silently, or lie in wait, periodically checking in and waiting for the command to wreak havoc on your network and all the systems connected to it. Because of this stealthy, predatory behavior, many businesses don’t know they have a breach until months or years later – if detected at all.

When you pick your security appliance, top of the list requirements should include real-time analysis of traffic to detect malware and ransomware. Security appliances with these features can detect malware when you click a link or attempt to download a file. Upon detection of malware, the system should immediately interrupt the action and prevent you from inadvertently opening your systems up to a bad actor.

It is important to note that malware/ransomware detection of traffic passing through your network from the Internet is only one attack vector. In fact, the most prevalent attack vector is email, but we will discuss email security in its own article. That said, if you allow your employees to connect to your internal network with their own personal devices, plug in a USB key someone gives you, and so on, you are potentially exposing yourself to an internally originated threat.

Therefore, we suggest a multifaceted approach to your malware/ransomware strategy which should include:

  • An email scanning service (basic scanning is included in Microsoft Exchange Online/O365 plans, while better-advanced threat detection is available from others for a quite nominal fee)
  • A network security appliance capable of identifying and stopping malware/ransomware attacks and downloads
  • Endpoint (PC, iPad, etc.) security for any device you allow on your network or containing business information. There are many standalone endpoint security vendors in the market, but few that incorporate both the security appliance and the endpoint; the latter is our recommended approach.

The need for advanced controls

The basic purpose of the network firewall is to provide you controls over what traffic should be allowed in & out of your network. There are valid reasons to allow traffic into your network from the outside. For example, your cannabis business may have a camera system you wish to access remotely. That access should only be allowed from certain places, like your home office, and not accessible by the entire Internet. Your network firewall will give you the ability to lock down the access to the camera system based upon IP address ranges.

   

You also need to control what’s allowed to leave your network for the Internet. You may have a point of sale system that only needs to talk to internal devices on your network and should not be talking to the Internet. Using your firewall, you would apply controls to prevent your point of sale system from communicating with things outside your internal network.

This basic level of functionality is incorporated into some Internet providers’ access device, but that device on its own is not intelligent enough to know whether traffic like “HTTP” (web browser traffic) is really HTTP traffic, or something harmful that could hijack your systems. We need something that can inspect the web traffic to ensure our browser session has not been compromised.

“Next-generation” firewalls (NGFW) are application-aware; this means they know what an email connection, web browser connection, or Internet phone call, should behave and look like on the network. If they detect, for example, that the webserver you’ve connected to isn’t behaving as it should, they can help protect you from what might be a compromised site.

Stop it before it happens with intrusion prevention

Cannabis businesses, like any business, need Internet connectivity to support operations. The fact is, once you connect to the Internet, malicious actors are scanning your IP address(es) around the clock, always looking for a way in. They may not necessarily know what your business is, or what is on the other side of your Internet access gateway or firewall, but they are going to attempt exploiting any vulnerability they can detect to get access to your network. In order to detect and block these attempts, you should leverage a system that knows what an intrusion attempt looks like and will stop it before it goes any further.

An intrusion prevention system (IPS) is more than just a firewall. Vendors will have a subscription that will go along with their firewall which includes access to IPS signatures. These signatures are traits of a network exploit so the IPS can identify when an intrusion attempt is occurring, what kind it is, and how to stop it. This subscription is necessary to receive updates to new signatures as attacks evolve. Unlike the firewall basic in/out rules, the IPS is inspecting traffic in real-time to determine whether traffic that should be normal Internet traffic, is indeed such. Vendors that sell NGFW devices will generally have a subscription you can purchase that includes the IPS capabilities.

Content filtering and geography-based security

There are undoubtedly thousands of things that can be done on the Internet, but there’s likely only a few that your employees should be doing while at work. For example, you may wish to block adult websites, lock down Netflix, but specifically allow Instagram and YouTube so you can upload videos of your latest harvest, buds, etc. With URL content filtering you can control what sites, and types of sites, your employees can access on your Internet connection.

Beyond the categories and sites, you can also block certain countries. You may not want employees visiting sites in countries that are known for high-risk traffic such as North Korea, Russia, and China. You can setup country-level blocking to restrict access to sites in these countries and always unblock a certain site if you find it is necessary for your business.

The ability to filter content and countries will generally be included in the NGFW platform, though it could require the purchase of a subscription in order to stay up to date with all the “movie streaming” sites, and the IP addresses that exist in North Korea, as these change over time.

In conclusion

Security appliances are a key component in protecting your business from cyber threats, both internal and external. It is important to remember that a layered approach to security is necessary; the security appliance is just one layer. Email security, endpoint security, sound procedures, and diligent attention to the alerts you receive from the security tools, are all layers that when combined will significantly put you ahead of would-be attackers. Work with vendors you trust and remember that as with most things, you get what you pay for. Security isn’t cheap – but the alternative could be orders of magnitude worse.

Mark Turpin began his IT career in 1995. He is the founder of Covene, a Cisco Premier Partner, and the CANA brand, which serves the legal cannabis industry. Mark serves on Cisco Systems’ Small & Medium-sized Business (SMB) Advisory Board, Tech Data’s SMB Advisory Board, Tech Data’s Software Advisory Board, and is a member of the PROMO Board of Directors.