Firewall Best Practices to Block Ransomware by Sophos

Date : 7-Aug-2019
Location: Malaysia

Key Takeaways:
  • Today, getting pwned is the rule rather than the exception. Organisations that have managed to avoid a breach or cyberattack are few and far between, and no industry or individual is immune. According to the Malaysia Computer Emergency Response Team (MyCERT), more than 4,400 incidents had been reported in Malaysia as of June 2019.
  • Cyberattacks, while not inevitable, are highly probable. This is because companies can't see what's happening on their endpoint devices, leaving them struggling to prevent attacks, or even to know how and when they happened.
  • At the same time, the threat landscape is constantly evolving and attackers are getting smarter, meaning organisations are spending longer securing their networks and their data.
  • On average, organisations spend four days a month investigating potential security issues, and roughly 10 hours to detect significant threats. With ransomware remaining among the most common threats, time literally means money. It's therefore critical that organisations take a proactive approach to cybersecurity – from deploying the right tools and skills, to having support from management to invest and train staff.
  • Besides using a good anti-ransomware tool, organisations must also implement best practices for firewall deployment specifically aimed at ransomware.


Aaron Bugal, Global Solutions Engineer, Sophos, offers six firewall best practices to block ransomware in an organisation:
  1. Ensure the right protection is in place. From high-performance next-gen firewall IPS engine to sandboxing, to encryption and backup, organisations need to put the right tools in place to take a proactive approach to cybersecurity.
  2. Reduce the surface area of attacks. Review all port-forwarding rules to eliminate any non-essential open ports. Every open port represents a potential opening in the network. Where possible, use VPN to access resources on the internal network from outside rather than port-forwarding. In addition, make sure open ports are secured by applying suitable IPS protection to the rules governing that traffic.
  3. Apply sandboxing to web and email traffic to ensure that all suspicious active files coming in through web downloads and as email attachments are suitably analysed for malicious behaviour before they get onto the network. As part of this, disable macros in document attachments received via email, which will stop a huge number of infections in their tracks.
  4. Minimise the risk of lateral movement within the network by segmenting LANs into smaller, isolated zones or VLANs that are secured and connected together by the firewall. Be sure to apply suitable IPS policies to the rules governing traffic traversing these LAN segments, to prevent exploits, worms and bots from spreading between them. In addition, don't grant users more login privileges than they need; this reduces risk immediately.
  5. Automatically isolate infected systems. When an organisation encounters a cyberattack, it's important that its IT security solution is able to quickly identify compromised systems and automatically isolate them until they can be cleaned up (either automatically or through manual intervention).
  6. Stay up to date. Malware that doesn’t come in via a document often relies on security bugs in popular applications, including Microsoft Office, internet browsers, Flash, and more. If an organisation stays up to date on patching, it’ll be far less vulnerable to potential exploits.
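As an added illustration of items 2 and 4 (not code from the Sophos article or any Sophos product), the following Python audit walks a constructed, vendor-neutral rule list and flags port-forwards that expose remote-access services or lack an IPS policy, and inter-segment rules that are overly broad. The zone names, port list and rule format are assumptions made for the example.

```python
"""Audit firewall rules against the port-forwarding and segmentation
advice above. The rule representation is constructed for this example
and is not any vendor's configuration syntax."""
from dataclasses import dataclass

# Services the advice says should be reached over VPN rather than exposed
# by port-forwarding (constructed list, extend to suit the environment).
REMOTE_ACCESS_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 5900: "VNC"}


@dataclass
class Rule:
    name: str
    src_zone: str          # e.g. "WAN", "LAN-Users", "LAN-Servers"
    dst_zone: str
    dst_port: int          # 0 means any port
    action: str            # "allow" or "deny"
    ips_policy: str = ""   # empty string means no IPS applied to this rule


def audit(rules):
    """Return a list of (rule name, finding) tuples; an empty list is clean."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue                      # deny rules need no review here
        inbound = r.src_zone == "WAN"     # a port-forward from the Internet
        crosses_zones = r.src_zone != r.dst_zone
        if inbound and r.dst_port == 0:
            findings.append((r.name, "forwards all ports from WAN; restrict to the required port"))
        if inbound and r.dst_port in REMOTE_ACCESS_PORTS:
            svc = REMOTE_ACCESS_PORTS[r.dst_port]
            findings.append((r.name, f"exposes {svc} to WAN; use VPN instead of port-forwarding"))
        if crosses_zones and not r.ips_policy:
            scope = "port-forward" if inbound else "inter-segment rule"
            findings.append((r.name, f"{scope} has no IPS policy"))
        if not inbound and crosses_zones and r.dst_port == 0:
            findings.append((r.name, f"allows any port {r.src_zone} -> {r.dst_zone}; narrow it"))
    return findings


# Constructed sample rule set: one clean forward, one risky forward,
# one over-broad inter-VLAN rule and one deny rule.
SAMPLE_RULES = [
    Rule("web-dnat", "WAN", "DMZ", 443, "allow", "ips-web"),
    Rule("rdp-dnat", "WAN", "LAN-Servers", 3389, "allow"),
    Rule("users-to-servers", "LAN-Users", "LAN-Servers", 0, "allow"),
    Rule("block-guest", "LAN-Guest", "LAN-Servers", 0, "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```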
Editor's comments:
  • It is probably cheaper to implement the Sophos Intercept X Endpoint solution than to develop your own ransomware protection framework based on multiple siloed solutions.
  • Oftentimes, it is also cheaper to pay the ransom than to try to break the encryption; nonetheless, most SME companies I know would rather lose the data than pay.
  • Ransomware can also be isolated manually at the instant of detection, if end users are properly trained in mitigation steps.
  • In many typical scenarios, end users may choose not to report ransomware incidents until the damage is beyond control.
  • In light of this, organisations, besides implementing a proper ransomware protection framework, must also implement a proper information transparency policy that requires end users to declare incidents without prejudice.
  • Oftentimes, ransomware is premised on the psychology of shame and intimidation.