The first and most important action is to educate users of the systems. Most ransomware and cyber-attacks in general rely on a user taking an unintended action; commonly a user executes a seemingly normal but nefarious file. Because of this attack vector, users should be wary of unsolicited emails, especially ones with attachments and links. To take this one step further, users should know what types of files and operations commonly make changes to their systems. This will help them understand when changes are normal and when something out of the ordinary is attempting to make changes. For example, users of Windows machines might want to investigate .exe, .msi, .bat, or .ps1 file types prior to executing them.
This brings us to the next area: file extensions and execution permissions. First, if you have not already, enable the option in your operating system to display file extensions. Some malware and ransomware can be crafty and display icons that are visually similar or identical to those of harmless files, but trigger a domino effect of unfortunate events when executed. Displaying file extensions helps users gain familiarity with common file types (like those discussed above) and also shows the type of file visually prior to execution. Further, we can adjust the local security policy of our systems to deny files the ability to execute from areas such as temp, local application data or cache directories. This removes the ability of an attacker's file to execute from those locations, but if the user copies the file elsewhere it may still cause damage. Therefore, prompting users to elevate privileges by enabling features such as Windows User Account Control (UAC) provides an additional layer of security.
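The following PowerShell script is an added example, not code from the original post or from Cygilant: it applies the one user-side change described above (show file extensions) and then audits, without modifying, the two administrator-side controls: whether a Software Restriction Policy or AppLocker policy is in place that covers the temp, local application data and browser cache directories, and whether UAC is enabled and actually prompts. The registry locations are the standard Windows ones; the list of directories that "should" be covered is an assumption drawn from the paragraph above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Windows host being reviewed. Only step 1 changes anything.

# 1. Show file extensions in Explorer for the current user.
#    HideFileExt = 1 hides extensions (the Windows default); 0 shows them.
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorerKey -Name 'HideFileExt' -Value 0 -Type DWord

# 2. Directories from which execution should be denied (assumption: the
#    locations named in the post, expanded for the current user).
$shouldDeny = @(
    $env:TEMP,
    $env:LOCALAPPDATA,
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache')
)

# 3a. Software Restriction Policies: "Disallowed" path rules are stored under
#     ...\Safer\CodeIdentifiers\0\Paths\{GUID} with the path in ItemData.
$srpDisallowed = @()
$srpPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
if (Test-Path $srpPathsKey) {
    $srpDisallowed = Get-ChildItem -Path $srpPathsKey |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData } |
        Where-Object { $_ }
}

# 3b. AppLocker: count rules in the effective policy (0 if none or the
#     module is unavailable on this edition of Windows).
$appLockerRules = 0
try {
    $xml = [xml](Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop)
    $appLockerRules = $xml.SelectNodes('//RuleCollection/*').Count
} catch { }

# 3c. Which of the wanted directories does an SRP deny rule cover?
#     SRP paths may contain environment variables, so expand them first.
$covered = foreach ($dir in $shouldDeny) {
    $hit = $srpDisallowed | Where-Object {
        $expanded = [Environment]::ExpandEnvironmentVariables($_)
        $dir -like ($expanded.TrimEnd('\') + '*')
    }
    [pscustomobject]@{ Directory = $dir; DeniedBySRP = [bool]$hit }
}

# 4. UAC: EnableLUA = 1 means UAC is on; ConsentPromptBehaviorAdmin = 0
#    means administrators are elevated silently, which defeats the purpose.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
$uacOn  = ($uac.EnableLUA -eq 1)
$uacPrompts = ($uac.ConsentPromptBehaviorAdmin -ne 0)

# 5. Summary for the reviewer.
[pscustomobject]@{
    FileExtensionsShown = ((Get-ItemProperty $explorerKey).HideFileExt -eq 0)
    SRPDenyRules        = $srpDisallowed.Count
    AppLockerRules      = $appLockerRules
    UACEnabled          = $uacOn
    UACPromptsAdmins    = $uacPrompts
} | Format-List
$covered | Format-Table -AutoSize
```

A host where `SRPDenyRules` and `AppLockerRules` are both zero has no execution restriction at all, whatever the local security policy console appears to show; a host where `UACEnabled` is true but `UACPromptsAdmins` is false elevates administrators silently, so the "prompt the user" benefit described above is lost for those accounts. AppLocker rules are not path-matched here because they can be publisher- or hash-based; for them the rule count is only a signal that a policy exists and should be reviewed by hand.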
Another equally important action is updating your software regularly. Software developers frequently patch and push fixes for known bugs in software. Patching regularly is a small step that can significantly enhance the security posture of the systems. Consider using a service such as Cygilant's SOCVue Patch Management that combines best-of-breed technology with our 24x7 global SOC (GSOC) analysts to act as an extension of your team. Similarly, implementing reputable endpoint security software such as Carbon Black or McAfee, for example, can help protect systems from attacks or exploits.
Last but not least, back up your systems, data and documentation. Along with regularly patching and updating your systems, make sure you have an effective backup strategy. This includes testing backups, following a data retention policy and having the ability to spin your systems back up for disaster recovery. The biggest gap observed here is typically with regard to testing backups. No system administrator wants to find out after a ransomware attack, or at the time of restoration, that a backup does not work.
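The script below is an added example, not part of the original post, of the "test your backups" step in the form a practitioner would actually want it: every backup run records a SHA-256 manifest of the source, restores the archive to a scratch directory, verifies every file against the manifest, and only then applies the retention policy. The source and backup paths, the 30-day retention window and the archive naming are assumptions.

```powershell
# Added example (not from the original post). Backs up $Source to a dated
# archive, proves the archive restores, then prunes old copies.
# Paths and retention window are assumptions; adjust for your environment.
$Source        = 'C:\Data\Important'     # assumption: folder to protect
$BackupRoot    = 'D:\Backups'            # assumption: a separate volume
$RetentionDays = 30                      # assumption: data retention policy

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive  = Join-Path $BackupRoot "important-$stamp.zip"
$manifest = Join-Path $BackupRoot "important-$stamp.sha256"
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 1. Record a hash of every file BEFORE it is archived, so the check in
#    step 4 compares against the live data rather than the archive itself.
$sourceFull = (Resolve-Path $Source).Path.TrimEnd('\')
Get-ChildItem -Path $sourceFull -Recurse -File | ForEach-Object {
    $rel  = $_.FullName.Substring($sourceFull.Length).TrimStart('\')
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    "$hash $rel"
} | Set-Content -Path $manifest -Encoding UTF8

# 2. Create the archive (subdirectory structure is preserved).
Compress-Archive -Path (Join-Path $sourceFull '*') -DestinationPath $archive -CompressionLevel Optimal

# 3. Test restore into a throwaway directory.
$restoreDir = Join-Path $env:TEMP "restore-test-$stamp"
Expand-Archive -Path $archive -DestinationPath $restoreDir -Force

# 4. Verify every manifest entry against the restored copy.
$failures = 0
foreach ($line in Get-Content -Path $manifest) {
    $expected, $rel = $line -split ' ', 2
    $restored = Join-Path $restoreDir $rel
    if (-not (Test-Path -LiteralPath $restored)) {
        Write-Warning "missing after restore: $rel"; $failures++; continue
    }
    $actual = (Get-FileHash -LiteralPath $restored -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        Write-Warning "hash mismatch after restore: $rel"; $failures++
    }
}
Remove-Item -Path $restoreDir -Recurse -Force

# 5. Only a backup that restored cleanly counts; a failed run keeps the
#    older archives by skipping retention and exiting non-zero.
if ($failures -gt 0) {
    throw "Backup $archive FAILED verification ($failures file(s)); older backups retained."
}
Write-Output "Backup $archive verified: all manifest entries restored with matching hashes."

# 6. Retention: remove archives and manifests older than the policy window.
Get-ChildItem -Path (Join-Path $BackupRoot 'important-*') -File |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Force
```

Two points the script deliberately makes visible: the manifest is hashed from the live files, so a corrupt archive is caught at backup time rather than at restoration time, and retention runs only after a successful verification, so a broken backup can never evict the last good one. A backup written to a volume that the same host can reach with write access is still within reach of ransomware running on that host, so at least one verified copy should also be kept offline or on storage the host cannot modify.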
It may seem like a daunting list of what we need to do in order to protect ourselves, but at a high level it comes down to this: educate users about attacks and security controls, follow a least-privilege access model, implement trusted security software, patch your software and back up your systems in case something does happen.