Daily Maverick’s recent article on cyber attacks and cybercriminals has once again brought to light the inefficiencies in IT departments and IT service providers in South Africa. Most IT teams do not understand what ransomware is or what it can do to their data, and installing firewalls, anti-virus and anti-malware products does not by itself prevent these attacks or protect the data once an attack is under way.
But how does it actually work? How does it get onto a computer in the first place? How does it transmit or send the signal to the attackers? And the most important question of all, how does one prevent this from happening?
“Ransomware is a form of malware that encrypts the victim’s data and files until a ransom is paid.” ~ DM.
Ransomware is simply an application that gets installed on a computer or server by one means or another. One of the most common ones we have seen is an email with the subject “Please see Proof of Payment attached”, where the attached file is an HTML file that mimics the look of a PDF. Once opened, the HTML file sends a signal back to the attackers saying the email has been opened and proceeds to install a small application. This gives the attackers remote access to the machine from anywhere in the world. They have complete control of your data and can see what you do on your machine.
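The attachment trick described above (an HTML file posing as a PDF) can be caught by a mail gateway or endpoint tool that compares the file name and declared MIME type with the actual bytes. The following is an added example, not code from the article or from any vendor named in it; the attachment records, the tracker address and the filenames are constructed for illustration.

```python
"""Flag email attachments whose content does not match what the name claims.

Added example: a "proof of payment" HTML file dressed up as a PDF is caught by
sniffing the bytes (PDFs start with %PDF-, HTML carries tell-tale tags) and
comparing that with the filename and the sender-declared MIME type.
"""
import re
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"
# Byte sequences that almost always appear in an HTML document (compared lower-cased).
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body", b"<iframe", b"<form")
# Final extensions that should rarely, if ever, arrive as email attachments.
RISKY_EXTENSIONS = {".html", ".htm", ".hta", ".js", ".vbs", ".lnk", ".iso", ".img"}


@dataclass(frozen=True)
class Attachment:
    filename: str
    content_type: str  # MIME type declared by the sender; never trusted on its own
    data: bytes


def sniff(data: bytes) -> str:
    """Classify content by its bytes alone: 'pdf', 'html' or 'other'."""
    head = data[:4096].lstrip()
    if head.startswith(PDF_MAGIC):
        return "pdf"
    lowered = head.lower()
    if any(marker in lowered for marker in HTML_MARKERS):
        return "html"
    return "other"


def check_attachment(att: Attachment) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    name = att.filename.lower()
    kind = sniff(att.data)
    # Every dotted, letters-only suffix, e.g. ".pdf.html" -> [".pdf", ".html"].
    extensions = re.findall(r"\.[a-z]{1,5}(?=\.|$)", name)

    if "pdf" in name and kind != "pdf":
        findings.append(f"name suggests PDF but content sniffs as {kind}")
    if att.content_type == "application/pdf" and kind != "pdf":
        findings.append(f"declared application/pdf but content sniffs as {kind}")
    if len(extensions) > 1:
        findings.append("double extension " + "".join(extensions))
    if extensions and extensions[-1] in RISKY_EXTENSIONS:
        findings.append(f"risky attachment type {extensions[-1]}")
    if kind == "html" and re.search(rb"<script|javascript:|\bon[a-z]+\s*=", att.data[:65536], re.I):
        findings.append("HTML attachment carries script")
    return findings


def triage(attachments: list[Attachment]) -> dict[str, list[str]]:
    """Map filename -> findings for every attachment that raised at least one flag."""
    flagged = {}
    for att in attachments:
        findings = check_attachment(att)
        if findings:
            flagged[att.filename] = findings
    return flagged


# Constructed sample attachments (not real phishing artefacts).
SAMPLE_ATTACHMENTS = [
    Attachment("Proof of Payment.pdf.html", "text/html",
               b"<!DOCTYPE html><html><body style='background:#525659'>"
               b"<img alt='PDF' src='data:image/png;base64,AAAA'>"
               b"<script>new Image().src='https://tracker.example/open?id=42';</script>"
               b"</body></html>"),
    Attachment("Proof of Payment.pdf", "application/pdf",
               b"<html><body>Loading document, please wait...</body></html>"),
    Attachment("invoice_0231.pdf", "application/pdf",
               b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
    Attachment("notes.txt", "text/plain", b"Payment reference 0231 attached separately."),
]

if __name__ == "__main__":
    for filename, findings in triage(SAMPLE_ATTACHMENTS).items():
        print(filename)
        for finding in findings:
            print("  -", finding)
```

The point of sniffing before trusting the name or MIME type is that both are chosen by the sender; only the bytes are not. In the constructed samples, the two “proof of payment” files are flagged while the genuine PDF and the text note pass cleanly.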
To understand how to stop it, one has to know where it will come from and what it will do. In most cases it will not be stopped from getting installed on the computer, and most firewall setups are designed to stop external traffic coming in, not traffic going out, so the application’s ability to communicate outwards is not hindered.
Firewalls are like gates with guards (rules). Some gates have multiple guards, each needing to perform a specific task and each checking for a specific thing. If you are blocked by the first guard or the second one, but the third one allows you through because you meet its conditions, then you are free to enter. Now imagine having multiple gates and multiple guards that you have to manage. Imagine one of them is not trained, or simply lets anyone in from anywhere. You can delete that rule or guard, but you will not stop what already came in through the gates.
Making sure that no rule is overlooked is difficult, and rules are often missed through human error. Being attacked from the inside is even worse, because a trusted domain computer has access to other servers, or to whatever the policies allow. Having these multiple firewalls to manage is often how these data breaches happen.
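The two firewall failures described above, an outbound direction that is open by default and a single untrained “guard” rule that admits anyone from anywhere, are easy to see in a small rule evaluator. This is an added example, not code from the article or any vendor; it models first-match rule evaluation as iptables or nftables do, and the address ranges, blocklist entries and flows are constructed.

```python
"""Toy first-match firewall evaluator showing why egress filtering matters.

Added example. A typical policy (inbound deny-by-default, outbound allow-by-default)
lets an infected workstation call home unhindered; a hardened policy denies egress
by default, allows only the internal resolver and web proxy, and drops known threat
ranges before anything else is considered. An audit helper also finds the kind of
"allow anyone from anywhere" rule the text warns about.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"
LAN = "10.20.0.0/16"                       # constructed internal range
MANAGEMENT_PORTS = {22, 3389, 445, 5985}   # ports that should never be open to the world
# Constructed stand-in for a threat-intelligence blocklist feed.
THREAT_BLOCKLIST = ["203.0.113.0/24", "198.51.100.0/24"]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    direction: str              # "in" or "out"
    src: str = ANY
    dst: str = ANY
    dport: Optional[int] = None  # None matches any destination port
    proto: str = "any"


@dataclass(frozen=True)
class Flow:
    direction: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == flow.dport)
            and rule.proto in ("any", flow.proto))


def evaluate(rules: list[Rule], defaults: dict[str, str], flow: Flow) -> tuple[str, str]:
    """First matching rule wins; otherwise the direction's default policy applies."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return defaults[flow.direction], "default-" + flow.direction


def overly_permissive(rules: list[Rule]) -> list[str]:
    """Names of inbound allow rules that admit any source to a management port or to all ports."""
    return [r.name for r in rules
            if r.action == "allow" and r.direction == "in"
            and ip_network(r.src).prefixlen == 0
            and (r.dport is None or r.dport in MANAGEMENT_PORTS)]


# Typical policy: inbound is guarded, outbound is wide open, one untrained guard.
TYPICAL_RULES = [
    Rule("allow-web-in", "allow", "in", dst="10.20.1.10/32", dport=443),
    Rule("allow-rdp-from-anywhere", "allow", "in", dst=LAN, dport=3389),  # the untrained guard
]
TYPICAL_DEFAULTS = {"in": "deny", "out": "allow"}

# Hardened policy: blocklist first, then only the egress the business actually needs.
HARDENED_RULES = [
    *[Rule(f"block-threat-{i}", "deny", "out", src=LAN, dst=net)
      for i, net in enumerate(THREAT_BLOCKLIST)],
    Rule("allow-dns-to-internal-resolver", "allow", "out", src=LAN, dst="10.20.0.53/32", dport=53, proto="udp"),
    Rule("allow-web-via-proxy", "allow", "out", src=LAN, dst="10.20.0.8/32", dport=3128),
    Rule("allow-web-in", "allow", "in", dst="10.20.1.10/32", dport=443),
]
HARDENED_DEFAULTS = {"in": "deny", "out": "deny"}

# Constructed flows: an infected workstation calling home to a listed range, and to an unlisted one.
BEACON_TO_LISTED = Flow("out", "10.20.5.77", "203.0.113.45", 443)
BEACON_TO_UNLISTED = Flow("out", "10.20.5.77", "192.0.2.9", 8443)
RDP_FROM_INTERNET = Flow("in", "198.51.100.7", "10.20.5.77", 3389)

if __name__ == "__main__":
    for label, rules, defaults in (("typical", TYPICAL_RULES, TYPICAL_DEFAULTS),
                                   ("hardened", HARDENED_RULES, HARDENED_DEFAULTS)):
        print(label, "beacon to listed range:", evaluate(rules, defaults, BEACON_TO_LISTED))
        print(label, "beacon to unlisted range:", evaluate(rules, defaults, BEACON_TO_UNLISTED))
        print(label, "RDP from the internet:", evaluate(rules, defaults, RDP_FROM_INTERNET))
        print(label, "permissive rules:", overly_permissive(rules))
```

Note what the hardened policy gets right that a blocklist alone does not: the beacon to an address nobody has listed yet still fails, because it never matched an allow rule and egress is denied by default. A blocklist only ever stops what is already known.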
In the past, and in some cases still today, MPLS (Multiprotocol Label Switching) setups routed all traffic to one central point and only allowed connections from that location. This is usually costly and requires the fibre provider to do some internal routing to allow the connection to be established.
More recently it became easier to install a fibre line, or to activate a 5G data card on a computer, and access the information through a VPN. This still lets data flow out into the abyss of the internet, keeping the gates open for ransomware threats.
A more effective technology called SD-WAN (Software-Defined Wide Area Network) can be used to mitigate these threats. SD-WAN was established somewhere in the early 2000s and has been defined and refined for years. Fusion Broadband, Cisco, Fortinet, and Meraki, to name a few, all sell SD-WAN solutions.
SD-WAN requires two nodes to work: an edge node, sitting at the customer premises or remote branch, and an aggregation unit located in the core of the network. The aggregator is your single point of entry into the network and can be load-balanced for redundancy and failover. The SD-WAN then uses the remote branch’s internet connection, which can be a 5G/LTE device, ADSL, fibre, or all three, to establish an encrypted tunnel between the edge and the aggregator in the core. This closes off direct public internet access on-site and breaks out your internet in the core network.
This does not mean the network is now secure. A firewall of sorts on each site is still required. So how does the SD-WAN help, then? Remember the gates? Now think of a shopping mall: you have two, maybe three entrances, and then another few entrances into the actual shops. The main gates, created by the SD-WAN, now have a set of security guards that all went to the same school and training. They all get updates from one location, and the shops have their own security guards. But it is all contained in one building, with no way to exit if the main doors are shut, even if something was smuggled in by a delivery truck.
The SD-WAN from Fusion Broadband South Africa has a service called threat management gateway. This gateway (guard) controls the main entry and exit gates for the network. It also blocks IPs from all known hacking and threat sources. This single point of entry can be easily maintained, and the traffic that needs to flow on the network is not interfered with in any other way. Paired with threat management, they also add DNS Masking for faster, more secure DNS resolution from the multitude of secure DNS providers.
Fusion Broadband also adds a sense of control to the network by adding traffic analytics at no extra charge. This gives real-time analytics into what traffic is currently running on the network.

ITried and Fusion Broadband South Africa have partnered with the top ISPs in South Africa to provide aggregation in their core networks at the main peering points in S.A. This provides fast and reliable internet breakout and maximum security at these aggregation points.
For more information, contact us at info@itried.co.za or visit https://itried.co.za/sdwan.