Technologies Begging to be Ransomwared
-
All kinds of behaviour put you in the crosshairs for ransomware... lacking backups, not patching quickly, sloppy documentation, LAN-based network design, legacy applications, and on and on. But there are also some technologies that make you a huge target. Technologies that on their own may not be insecure per se but just provide an ideal attack surface or advertise to an attacker that your network is probably legacy and poorly secured.
Consistently, with every customer or story I hear about someone getting ransomwared, it is the same set of obvious tech that, for years, everyone with a modicum of effort has known is going to encourage ransomware-style attacks, and that has been mostly legacy for years if not decades. Simply replacing any of these isn't a panacea; anyone can be attacked. But these seem to be the clear low-hanging fruit that both make it super likely that you will be easy pickings and essentially advertise to attackers that you are open for attack because you did not change any of these things.
- Running Windows
- Active Directory
- Mapped Drives / Traditional Network Shares
Those seem to be the big three. The core on which the entire effectiveness of ransomware attacks was designed. The "get in anywhere and likely get everything" triumvirate.
Then other technology often exposes these more, advertises them more, or extends their damaging reach beyond the traditional LAN...
- RDP Exposed Externally
- VPN used to extend network access
You can certainly run Windows securely. But few do. You can make AD pretty secure, but that's never how it is used, it is always used to make security less, not more. People want easy, security is hard. Each of these could be used on its own securely with effort. But in the way that they are standardly used, they come together to make the most fragile of networks that should be insanely obvious even to those not very technical that each one just exposes more and more risk. And clearly these must be what attackers are looking for when identifying victims where they are most likely to hit paydirt. Because each of these tends to represent legacy (which means lazy 99% of the time) thinking. Not necessarily from IT, but easily from business management who refuse to update or refuse to take additional security steps. Sure you can have that VPN go to a DMZ and not the LAN, but who does that? Sure each of these can have 2FA, but we all know that people with these technologies are the least likely to be willing to do so. Sure those mapped drives might be super locked down, but c'mon, we know that they almost never are. And so on. Someone has these techs and is using them "right". But 99% of the time if this is the tech in place, it's because the effort isn't there or the business willingness isn't there. Ransomware attackers know exactly what makes a likely good target.
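The "RDP exposed externally" item above is something you can verify from the outside rather than assume. The following is an added example, not code from the thread or any of its participants: a small Python probe that sends the RDP X.224 Connection Request with only legacy "Standard RDP Security" requested (the RDP_NEG_REQ structure from MS-RDPBCGR) and parses the server's Connection Confirm. A server that enforces Network Level Authentication must refuse that request with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER; one that accepts it, or that only insists on TLS, is handing its logon screen to the whole internet. The sample responses at the bottom are constructed for offline use, not captured from any real host, and the classification strings in `exposure()` are this example's own wording.

```python
import socket
import struct

# Protocol flags from RDP_NEG_REQ.requestedProtocols / RDP_NEG_RSP.selectedProtocol
# (MS-RDPBCGR negotiation structures).
PROTOCOL_RDP = 0x00000000        # legacy Standard RDP Security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001        # TLS, but the logon screen is reachable before auth
PROTOCOL_HYBRID = 0x00000002     # CredSSP (NLA): authenticate before a session exists
PROTOCOL_HYBRID_EX = 0x00000008  # CredSSP with early user authorization result

TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ.

    Requesting PROTOCOL_RDP only is the useful probe: a server that enforces
    NLA cannot accept it and must answer with RDP_NEG_FAILURE.
    """
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols; little-endian
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR-TPDU: LI counts everything after itself (6 header bytes + payload)
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length including this 4-byte header
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Parse the X.224 Connection Confirm and report what security the server settled on."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match payload")
    li, code = data[4], data[5]
    if code != 0xD0:
        raise ValueError(f"expected X.224 CC (0xD0), got 0x{code:02x}")
    neg = data[11:5 + li]  # whatever follows the fixed 7-byte CC header
    if not neg:
        # No RDP_NEG_RSP at all: pre-negotiation server, Standard RDP Security only
        return {"outcome": "legacy", "selected_protocol": PROTOCOL_RDP, "nla_enforced": False}
    ntype, _flags, length, value = struct.unpack("<BBHI", neg[:8])
    if length != 8:
        raise ValueError("malformed RDP negotiation structure")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"outcome": "accepted", "selected_protocol": value,
                "nla_enforced": bool(value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"outcome": "refused", "failure_code": value,
                "reason": FAILURE_CODES.get(value, "UNKNOWN"),
                "nla_enforced": value == HYBRID_REQUIRED_BY_SERVER}
    raise ValueError(f"unknown negotiation type 0x{ntype:02x}")


def exposure(result: dict) -> str:
    """One-line verdict for an inventory report (wording is this example's own)."""
    if result["nla_enforced"]:
        return "NLA enforced: authentication happens before any session is created"
    if result.get("failure_code") == 0x01 or result.get("selected_protocol") == PROTOCOL_SSL:
        return "TLS only: encrypted, but the logon screen is reachable without credentials"
    return "legacy RDP security accepted: no NLA, weak encryption, ideal brute-force target"


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Live check of one host. Only run against systems you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(sock.recv(1024))


def _sample_cc(neg: bytes) -> bytes:
    """Build a constructed Connection Confirm so the parser can be exercised offline."""
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xD0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


# Constructed samples, not captured traffic.
SAMPLE_NLA_ENFORCED = _sample_cc(struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER))
SAMPLE_TLS_NO_NLA = _sample_cc(struct.pack("<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 0x01))
SAMPLE_LEGACY_ACCEPTED = _sample_cc(struct.pack("<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_RDP))
SAMPLE_LEGACY_NO_NEG = _sample_cc(b"")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])
    else:
        result = parse_connection_confirm(SAMPLE_NLA_ENFORCED)
    print(result, "->", exposure(result))
```

Run it as `python rdp_probe.py your.public.ip` against each address you own that answers on 3389 (or whatever "hidden" port someone moved it to). Note that NLA enforced is the floor, not the ceiling: CredSSP still accepts a plain domain password, so it stops the pre-auth logon screen and the worst brute-force tooling but is not the 2FA the thread talks about; a server answering "TLS only" or "legacy" is exactly the advertisement to attackers the post describes.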
-
I'd love to see some proposed replacement solutions to this situation.
Consider a one to one device to user.
Consider a one user to many shared devices.
Assume the ability to lock the workstation is a requirement in all cases.
Edited for clarity.
-
One user to one device should be the easiest.
A local account on the computer for the user - no need for AD.
Use something like Next Cloud, OneDrive, Sharepoint, Google Drive, etc for files - at least personal files.
Direct IP printing to printers (I'm wondering what exists to secure this?)
Centralized management would be through RMM solution.
Solving the shared files bit, it's overly hard, I assume. Sharepoint and OneDrive both offer ways to share files with other users, at least in your own organization. I don't know enough about NC for this.
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface. Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them. Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
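The worry in the post above, that a sync client turns the synced folder into something cryptoware can crawl and encrypt, is also what a server-side detector watches for. The following is an added example and not code from the thread, from NextCloud, or from any of the sync vendors named: a Python detector that takes a stream of file-write events as a sync server or file server would log them and flags a ransomware-style burst, combining a ransomware extension check, a Shannon-entropy check on the new bytes, and a "many distinct files rewritten in a short window" rule. The `WriteEvent` record, the suffix lists, the thresholds and the sample events are all assumptions made for this example; the "ciphertext" in the sample is deterministic pseudo-random bytes standing in for encrypted output, not real ransomware data.

```python
import math
import os
import random
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WriteEvent:
    """One file write as a sync server or file server would log it (assumed shape)."""
    ts: float     # seconds since some epoch
    path: str     # path inside the synced folder
    data: bytes   # the new file contents


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed lists for illustration; a real deployment would maintain longer ones.
RANSOM_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc", ".crypted"}
# Formats that are legitimately high-entropy and must not trip the entropy rule alone.
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf", ".docx", ".xlsx"}


def write_reasons(ev: WriteEvent, entropy_threshold: float = 7.0) -> List[str]:
    """Why one write looks like ransomware output; an empty list means it does not."""
    reasons = []
    ext = os.path.splitext(ev.path)[1].lower()
    if ext in RANSOM_SUFFIXES:
        reasons.append("ransomware-style extension")
    if (len(ev.data) >= 256 and ext not in COMPRESSED_SUFFIXES
            and shannon_entropy(ev.data) >= entropy_threshold):
        reasons.append("high-entropy payload in a plaintext format")
    return reasons


def detect_burst(events: List[WriteEvent], window: float = 60.0,
                 min_files: int = 10, min_suspicious: int = 5) -> Optional[dict]:
    """Sliding window over the write log: many distinct files rewritten, many of them suspicious.

    The burst rule is what catches in-place rewrites that keep their extension and
    fall under a compressed format, which the per-write checks deliberately ignore.
    """
    events = sorted(events, key=lambda e: e.ts)
    for i, first in enumerate(events):
        in_window = [e for e in events[i:] if e.ts - first.ts <= window]
        touched = {e.path for e in in_window}
        flagged = {e.path for e in in_window if write_reasons(e)}
        if len(touched) >= min_files and len(flagged) >= min_suspicious:
            return {"start": first.ts, "files": len(touched),
                    "flagged": len(flagged), "examples": sorted(flagged)[:3]}
    return None


# Constructed sample input: a few normal edits, then a crawl that rewrites a dozen files.
_rng = random.Random(1)  # deterministic stand-in for ciphertext, not real ransomware output


def _ciphertext(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


NORMAL_EVENTS = [
    WriteEvent(1000.0 + i, f"Finance/Q3 notes {i}.txt", f"Quarterly notes, line {i}\n".encode() * 20)
    for i in range(4)
]
RANSOM_EVENTS = [
    WriteEvent(2000.0 + i * 0.5, f"Finance/invoice-{i:03d}.txt.locked", _ciphertext(512))
    for i in range(12)
]

if __name__ == "__main__":
    print("normal only:", detect_burst(NORMAL_EVENTS))
    print("with crawl: ", detect_burst(NORMAL_EVENTS + RANSOM_EVENTS))
```

Bulk operations by a legitimate user (zipping a tree, re-exporting photos) are the classic false positive, which is why no single rule fires on its own here and why the thresholds should be tuned per share. The point of running this on the sync server rather than on the endpoint is the asymmetry the thread is getting at: the infected workstation can push encrypted versions up through the client, but it cannot reach the server's version history through that same path, so detection plus server-side versioning gives you a recovery point a plainly mapped SMB drive does not.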
-
@dashrender said in Technologies Begging to be Ransomwared:
One user to one device should be the easiest.
A local account on the computer for the user - no need for AD.
Use something like Next Cloud, OneDrive, Sharepoint, Google Drive, etc for files - at least personal files.
Direct IP printing to printers (I'm wondering what exists to secure this?)
Centralized management would be through RMM solution.
Solving the shared files bit, it's overly hard, I assume. Sharepoint and OneDrive both offer ways to share files with other users, at least in your own organization. I don't know enough about NC for this.
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface. Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them. Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
Why do you think network shares can't be used with NextCloud? Windows can use WebDAV to connect to a network share, and they fixed the speed issues it has in Windows 8 (Windows 7 WebDAV was so slow it was unusable).
-
@travisdh1 said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
One user to one device should be the easiest.
A local account on the computer for the user - no need for AD.
Use something like Next Cloud, OneDrive, Sharepoint, Google Drive, etc for files - at least personal files.
Direct IP printing to printers (I'm wondering what exists to secure this?)
Centralized management would be through RMM solution.
Solving the shared files bit, it's overly hard, I assume. Sharepoint and OneDrive both offer ways to share files with other users, at least in your own organization. I don't know enough about NC for this.
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface. Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them. Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
Why do you think network shares can't be used with NextCloud? Windows can use WebDAV to connect to a network share, and they fixed the speed issues it has in Windows 8 (Windows 7 WebDAV was so slow it was unusable).
Of course they can be... but WebDAV is no different than SMB when it comes to ransomware.
So if you're going to go that route - why change? I mean other than there are no licenses involved.
-
@dashrender said in Technologies Begging to be Ransomwared:
@travisdh1 said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
One user to one device should be the easiest.
A local account on the computer for the user - no need for AD.
Use something like Next Cloud, OneDrive, Sharepoint, Google Drive, etc for files - at least personal files.
Direct IP printing to printers (I'm wondering what exists to secure this?)
Centralized management would be through RMM solution.
Solving the shared files bit, it's overly hard, I assume. Sharepoint and OneDrive both offer ways to share files with other users, at least in your own organization. I don't know enough about NC for this.
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface. Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them. Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
Why do you think network shares can't be used with NextCloud? Windows can use WebDAV to connect to a network share, and they fixed the speed issues it has in Windows 8 (Windows 7 WebDAV was so slow it was unusable).
Of course they can be... but WebDAV is no different than SMB when it comes to ransomware.
So if you're going to go that route - why change? I mean other than there are no licenses involved.
Because it removes AD. Sure the infected user can still infect the mapped drive. But that's it. No AD giving access to everything.
-
@dashrender said in Technologies Begging to be Ransomwared:
I'd love to see some proposed replacement solutions to this situation.
Consider a one to one device to user.
Consider a one user to many devices.
Consider many devices to one user.
Assume the ability to lock the workstation is a requirement in all cases.
These questions are always hard because in all those cases the technology above may or may not be doing something important. All of these exist commonly without AD. The assumption that AD and mapped drives are somehow intrinsic doesn't make any sense. Given that, it's knowing what you expect exactly from AD or mapped drives.
It's like saying "well how do you replace a car in getting from San Diego to Tokyo". Well since there is no obvious need for a car to get between those two points, it's understanding how you are imagining a car to be used that makes all of the difference to answer your question.
-
@dashrender said in Technologies Begging to be Ransomwared:
Direct IP printing to printers (I'm wondering what exists to secure this?)
Mostly... NOT using direct IP printing to printers.
Also, printers are super insecure so generally no one cares because almost no one secures printers physically anyway.
-
@dashrender said in Technologies Begging to be Ransomwared:
Centralized management would be through RMM solution
Nothing wrong with that, but why go to RMM? I've never seen any company do this.
-
@dashrender said in Technologies Begging to be Ransomwared:
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface.
What? Why? No major solution requires or even hints at that. This is a huge leap in requirements.
Like... going to the store requires that you take a blimp. Wait, a what? Why would it even occur to you to have a requirement like that, it's so counterintuitive and out of left field.
Why would you just work with local folders like normal?
-
@dashrender said in Technologies Begging to be Ransomwared:
Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them.
Not like a mapped drive, they cannot. Totally different. Still a risk to be considered, but an extremely different one. This is the dangerous kind of thinking that makes people feel like mapped drives might make sense when they simply do not.
-
@dashrender said in Technologies Begging to be Ransomwared:
Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
With most of these technologies (and mostly with mapped drives, too) there are ways to have this be extremely transparent. But mapped drives tend to expose the file server in ways that sync clients do not.
-
@jaredbusch said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
@travisdh1 said in Technologies Begging to be Ransomwared:
@dashrender said in Technologies Begging to be Ransomwared:
One user to one device should be the easiest.
A local account on the computer for the user - no need for AD.
Use something like Next Cloud, OneDrive, Sharepoint, Google Drive, etc for files - at least personal files.
Direct IP printing to printers (I'm wondering what exists to secure this?)
Centralized management would be through RMM solution.
Solving the shared files bit, it's overly hard, I assume. Sharepoint and OneDrive both offer ways to share files with other users, at least in your own organization. I don't know enough about NC for this.
Of course, when it comes to file access, the biggest thing is training users to not have a Network Share, but instead they have to use a web interface. Now of course someone is going to jump on me and say - wait Dash... you can use the sync clients for NC, OD, SP, GD, etc and those things will then show up in file explorer... and of course, you're right, but then the cryptoware can crawl them and encrypt them. Of course there can be some ways to recover from that being hit, but I have to ask is that a risk we really want to deal with?
Why do you think network shares can't be used with NextCloud? Windows can use WebDAV to connect to a network share, and they fixed the speed issues it has in Windows 8 (Windows 7 WebDAV was so slow it was unusable).
Of course they can be... but WebDAV is no different than SMB when it comes to ransomware.
So if you're going to go that route - why change? I mean other than there are no licenses involved.
Because it removes AD. Sure the infected user can still infect the mapped drive. But that's it. No AD giving access to everything.
Exactly. It's AD + Mapped Drives that becomes the biggest problem. The two together exacerbate security issues to an extreme degree. The idea is this transparent access to everything, from everywhere, in file form. It's like having all the money just in a big pile on the kitchen table. Of course it is quick and easy and convenient. And all those things also mean hard to track and secure.
-
@dashrender said in Technologies Begging to be Ransomwared:
Of course they can be... but WebDAV is no different than SMB when it comes to ransomware.
At a protocol level, yes. In any meaningful way, no. Mapped drives from NextCloud are quite different than mapped drives from Windows. You can go to great lengths to make them behave similarly, but by default, they are quite different with security wins going strongly to NextCloud (or similar tech.)
-
@dashrender said in Technologies Begging to be Ransomwared:
I'd love to see some proposed replacement solutions to this situation.
Consider a one to one device to user.
Consider a one user to many devices.
Consider many devices to one user.
Assume the ability to lock the workstation is a requirement in all cases.
The problem here is that naturally AD and mapped drives do nothing to aid these situations. So you can "replace them" simply by "never having them." It's literally that simple.
Imagine the question in reverse. Ask "since all these things are handled so easily without AD or mapped drives, tell me how I could use these MS technologies and still have all these things I've always had without them!"
Seems silly, right? All of those use cases have no dependency or special tie to AD. AD doesn't "do" anything special. It's not like replacing gluten in a dough recipe where it performs a specific and necessary task that has to have an alternative if you use gluten (and gluten serves no purpose but that one thing.) AD has no role in those scenarios, so asking for the replacement has no clear answer because there's no problem to solve.
-
@dashrender said in Technologies Begging to be Ransomwared:
Assume the ability to lock the workstation is a requirement in all cases.
In your particular scenario, I suspect that there is no need for this. You need to lock applications, but not the screen. Doing a physical lock, rather than a logical one, seems counterintuitive. What function does this serve as the data and data sharing requirements are naturally and appropriately handled elsewhere without blanking the screen. Nothing wrong with having a screen lock, but why is the operating system considered important to hide rather than data?
-
@scottalanmiller said in Technologies Begging to be Ransomwared:
You need to lock applications, but not the screen
There is no function in any EMR to lock the application so nothing is visible.
Would be a nice feature. So the easy answer is you lock the screen.
-
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
We do this with Linux and NextCloud and/or Zoho WorkDrive. This is so natural and obvious I just can't fathom the question. Like... I can't find the challenge that you are looking to solve. And I can't think of any way that AD or mapped drives would improve this in a meaningful way.
Having users without AD is just as easy (or easier) than having them with it. Just create users where you want them, have NC installed automatically through countless automated processes, have them log in once and voila. Everything covered.
This isn't just easy, it's literally "out of the box" behaviour in several operating systems. Ubuntu, for example, doesn't require the NC client, it has integration with NC, Google, and other cloud services out of the box. Just sign in when you first log in and ... easy peasy. Makes the AD / mapped drive approach seem .... unnecessarily convoluted. And no need to reboot after putting in access, either.
-
@jaredbusch said in Technologies Begging to be Ransomwared:
@scottalanmiller said in Technologies Begging to be Ransomwared:
You need to lock applications, but not the screen
There is no function in any EMR to lock the application so nothing is visible.
Would be a nice feature. So the easy answer is you lock the screen.
There is, just choosing the wrong EMR is the bigger issue. Plus they use RDP, so another layer of locking options.
-
@dashrender said in Technologies Begging to be Ransomwared:
Consider a one user to many devices.
Consider many devices to one user.
That's the same thing, twice.