Ransomware Risk Management Fundamentals

Looking across the Internet for new stories and new events in this holiday season I look at the fundamentals, thus found the NIST Cybersecurity framework profile:Ransomware Risk Management

Specifically the NIST.IR.8374 document

From this document I have  grabbed 3 basic items which everyone should be aware of

in the image as well as in text here:

  1. Educate employees on avoiding ransomware infections(phishing awareness)
    1.  Do not open files or links from unknown sources.
    2.  Avoid using personal websites and personal apps on work computers.
    3. Do not connect personally owned devices to work networks without approval
  2. Avoid having vulnerabilities in systems that ransomware can exploit (i.e. patching or updating)
    1. Keep relevant systems patched (or updated)
    2. Employ zero trust principles
    3. Allow installations and execution of authorized apps only
    4. Inform all about your expectations(including with 3rd parties/vendors)
  3. Backup  your data and test the restoration of the data.

 

I have been touting the ‘basics’ for a long time at my sites and book “Too Late You’re Hacked”