10 Critical Steps to Survive a Ransomware Attack, Step 6: Restrict Access to File Shares (aka “Silo Your Data”)
Most small firms we work with have a single file repository on their network, and every staff member has full access to it, and all of its contents. This means that anyone, from the CEO all the way down to an intern, has the ability to inadvertently encrypt every document on the server. Compartmentalizing data into silos where people have the least privileges required to do their job is the key to keeping a virus outbreak from running rampant through the entire organization. This is another example of the principle of least privilege – whereby you achieve security by limiting the amount of power you have.
Let’s look at some examples. Most small enterprises start with a single server on which to house all of their data. This will usually be a shared folder on a server called something like “Company,” “Shared,” or “Files.” These folders are then shared to everyone in the organization (and sometimes, anyone at all who manages to connect to the network). Within this main folder, we’ll often see several folders like “Clients,” “Projects,” “Procedures,” “Contracts,” “Quotes,” etc. Or we’ll see folders for specific departments like “Payables,” “HR,” and “Accounting.” Sometimes we find folders for individual users here, such as “Alice,” “Bob,” and “Charles.” Often the only thing preventing inappropriate access is the honor system, and given the number of times we find documents in the wrong locations (because users were poorly trained and didn’t know where to properly file them), this is anything but a reliable means of securing your company’s data!
To properly secure your data, you first need to be able to classify your data files and decide who should have access to them. This does not have to be complicated! If you have a bunch of accounting documents, then only the accounting staff (a group that you’ve defined) should have access to them; if you have a bunch of sensitive R&D information, make sure only the R&D group has access; and so on.
Start by taking an inventory of your company data, then look at your team. Divide them all up into logical groups, then assign permissions based on their role, not because “they think they may need this someday” or they want access. For some reason, this makes perfect sense with financial information – unless your firm practices open book accounting, you probably don’t give every employee access to all of your sensitive financial information. The same should be true for all data in your enterprise unless you have determined that it is for public consumption, or for use throughout your organization.
You’ll probably have to work with your IT provider to make this happen, but at least you can start by identifying the various share points on your network (often appearing as drive letters) and identifying which roles (not individual people) need access to them (and which ones don’t). This will also help you explain why the change is necessary, as some IT shops take the view of “if it ain’t broke, don’t fix it.” That’s like not changing the oil in your car because “it’s working just fine now!”
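As an added illustration of the siloing described above (this is example code, not from the original post or any IT provider), here is how the role-based share permissions might be applied on a Windows file server. It assumes a hypothetical domain `ACME` with role groups `ACME\Accounting-Staff` and `ACME\RD-Staff`, and silos created under `D:\Shares`; the department names and groups are placeholders.

```powershell
# Constructed example: one silo per role group, with no "Everyone" access at
# either the SMB share level or the NTFS level. Each silo is a separate share,
# so a user whose files get encrypted can only reach the silos their role needs.
$Silos = @{
    'Accounting' = 'ACME\Accounting-Staff'   # hypothetical role group
    'RD'         = 'ACME\RD-Staff'           # hypothetical role group
}
$Admins  = 'ACME\Domain Admins'              # assumed admin group
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None

foreach ($name in $Silos.Keys) {
    $path  = "D:\Shares\$name"
    $group = $Silos[$name]
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # NTFS: stop inheriting from D:\Shares (inheritance is where broad
    # "Users"/"Everyone" rights usually come from), then grant only what the
    # role needs. Modify lets staff create/edit/delete their own documents;
    # nobody else gets an entry at all.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)   # $false = discard inherited ACEs
    foreach ($rule in @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $Inherit, $Prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule($Admins, 'FullControl', $Inherit, $Prop, 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule($group,  'Modify',      $Inherit, $Prop, 'Allow')
    )) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl

    # SMB share: name the role group explicitly; never rely on the default
    # "Everyone / Read" entry that a bare New-SmbShare would add.
    if (-not (Get-SmbShare -Name $name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $name -Path $path -FullAccess $Admins -ChangeAccess $group | Out-Null
    }
    Revoke-SmbShareAccess -Name $name -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
}

# Audit: list any remaining non-administrative share that still grants access
# to a catch-all group. An empty result is the goal of this step.
$Broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } |
    ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Where-Object { $Broad -contains $_.AccountName } |
    Format-Table Name, AccountName, AccessRight -AutoSize
```

Run the audit section on its own first to see how many shares on the existing server are open to everyone; that list is the inventory the text asks you to build before touching any permissions.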
Peter Nikolaidis is an information security professional based in Cambridge, MA. He holds several information security certifications, including the CISSP. In his spare time, he enjoys practicing martial arts and yoga, mountain biking, and thinking about ways to protect the innocent… often from themselves. Connect with Peter on LinkedIn.