The Email Problem

The two most common distribution vectors for ransomware are RDP and email.

RDP is relatively easy to secure by interposing a VPN.  The email route poses a near intractable threat.

As mentioned under Firewalls, an NGFW can do a good job of combating most email threats.  Webmail services can be made subject to a custom policy and subjected to deep SSL inspection, which should trap most infected emails.  The policy usually requires each webmail service to be nominated individually, and because there are so many, some may still slip through.  It is difficult to prevent end users from using their own insecure webmail services.

The business’ main email can be protected by mail scanners – there are various services available.  The effectiveness of these services is unknown.

Virus scanning is in itself imperfect, and hit rates for new viruses can be modest, leaving open a significant security hole.

The only highly effective strategy is browser isolation.  This is a difficult technique where the internet browser itself (e.g. Google Chrome) is actually running on a virtual machine on an isolated network segment.  If a virus is downloaded and opened on that network segment, it will not be able to propagate through the office network but will remain confined to the segment.  This can be implemented as a “browser server” which is itself a virtual machine in a unique segment.  In the event of infection, the browser server can be instantly rolled back to a safe checkpoint.

It is moderately difficult to configure this so that the isolated browser can print.  Being able to attach files to, or detach files from, email in the main office network poses significant issues.

Simple and cheap browser isolation solutions do not yet exist.  It is a key objective for cybersecurity and is a commercial opportunity for a clever developer.

The combination of securing RDP and browser isolation would reduce the ransomware risk to close to a negligible level.

How Much can a NGFW do?

A next generation firewall can add a great deal of security to the network. Configured correctly it will not allow connection to known malicious sites. It will scan all unencrypted traffic, so it has a good chance of blocking the download of a virus from a website if that download is not using encryption. One hopes that malicious websites do not have a certificate that is trusted, although that cannot be relied upon. Malware authors have previously hijacked certificates to allow such traffic through. In general, the NGFW will not scan the contents of encrypted (https) webpages unless configured for deep SSL inspection. If so configured, many services within the network such as Windows Update may stop working.

Webmail clients such as Gmail use https for communication with their servers, so unless deep SSL inspection is enabled for webmail services the NGFW is not protecting against ransomware delivered by that vector.

To use webmail with the deep inspection necessary to detect viruses, the NGFW certificate must be installed on every client computer that will use that email. Email remains the number one infection route for ransomware, so this is a very important, albeit moderately difficult, step.

Remote Desktop Connection (RDP)

The Remote Desktop Protocol (RDP) is the protocol used by Remote Desktop to connect to a Windows machine remotely.  Although it is a Microsoft protocol, clients are available for Linux, Mac, iPad etc.

RDP access on a computer is enabled through the properties of “My Computer” or “This PC”, and users can be specifically allowed or denied access.

To access a computer on the network from outside, it is necessary to forward a port from the firewall to the server computer. So for example, if the server on the network has a private address of 192.168.0.166 and the public IP address of the firewall is 203.63.95.100, then a rule needs to be placed in the firewall to forward the port.  The listening port is by default 3389, but this can be altered, and the firewall can be configured to forward a different port.  For example, 2299 on the internet side could be forwarded to 3389 on the LAN side.  In this example, to connect to the server you would type 203.63.95.100:2299 into Remote Desktop Connection.

Although using RDP for external access is convenient, easy and cheap it should be thought of as unsafe and should not be done.  A large percentage of successful ransomware attacks are thought to be delivered through RDP either through misconfiguration, bugs or brute force attacks.

Remote access from outside the network should always be done via the additional protection of a VPN.
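As an added example (not part of the original article), the following script audits a firewall's port-forward rules for RDP exposed to the internet, keying on the LAN-side port so that the 2299 -> 3389 forward described above is still flagged.  The text export format, the rule names and the set of VPN ports are constructed assumptions for the example.

```python
# Added example, not from the original article: audit a firewall's port-forward
# rules for RDP exposed to the internet. The input format is a constructed,
# simplified text export: one rule per line, "name WANPORT -> LANIP:LANPORT".
import re

RDP_PORT = 3389
# Forwards whose LAN-side port is in this set are treated as acceptable remote
# access (a VPN endpoint). Assumption: OpenVPN on 1194 and IKEv2 on 500/4500.
VPN_PORTS = {1194, 500, 4500}

RULE_RE = re.compile(r"^(\S+)\s+(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse_rules(text):
    """Parse the constructed export; returns a list of (name, wan_port, lan_ip, lan_port)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        name, wan, ip, lan = m.groups()
        rules.append((name, int(wan), ip, int(lan)))
    return rules

def classify(rule):
    """Return 'rdp', 'vpn' or 'other' for a single forward rule.
    The decision keys on the LAN-side port: forwarding WAN 2299 to LAN 3389
    is still RDP on the internet, just on an unusual port."""
    _, _, _, lan_port = rule
    if lan_port == RDP_PORT:
        return "rdp"
    if lan_port in VPN_PORTS:
        return "vpn"
    return "other"

def audit(text):
    """Return one readable finding for every rule that exposes RDP."""
    findings = []
    for name, wan, ip, lan in parse_rules(text):
        if classify((name, wan, ip, lan)) == "rdp":
            note = "" if wan == RDP_PORT else f" (WAN port {wan} does not hide it)"
            findings.append(f"{name}: {wan} -> {ip}:{lan} exposes RDP{note}; "
                            "remove the forward and use the VPN")
    return findings

# Constructed sample export, using the article's 2299 -> 192.168.0.166:3389 case.
SAMPLE_EXPORT = """
# name  WAN -> LAN
rdp-server 2299 -> 192.168.0.166:3389
openvpn    1194 -> 192.168.0.1:1194
old-rdp    3389 -> 192.168.0.50:3389
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```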

The Attack Surface

The attack surface is the list of ways in which your network can be attacked.  For our small business network this includes:

  • From the internet – a direct attack on the internet address of the router
  • Via email – a malicious attachment or link
  • Via WiFi
  • Via USB – infection inadvertently or maliciously through a USB port.  This might happen for example when you leave the consulting room leaving a patient with access to your computer
  • Via a network port – unsecured ports connected to your network can be used to attack it
  • Via a backdoor – remote support might have left TeamViewer or similar running on your network to facilitate intrusion