Strategies for protecting government agency files from ransomware

In the wake of recent ransomware attacks, government agencies are under constant threat. Legacy remote access mechanisms such as VPN are no longer sufficient to protect files from encryption, theft, data leaks and ransomware.

Migrating files to cloud services as an alternative is a complicated, challenging endeavor that may not be a viable option for governments with strict regulatory requirements and budget constraints. VPN and Remote Desktop technologies are no longer sufficient to adequately protect governmental file shares if they are not properly managed.

In this article we review the various alternatives for connecting securely to file shares remotely while protecting them from ransomware.

VPN for Remote File Access

With more and more employees working remotely, VPN security is a huge concern. Government agencies have traditionally used virtual private network (VPN) technology to enable this remote connectivity, but security concerns are requiring organizations to find new ways of enabling secure remote file share access by reviewing VPN alternatives. The news is rife with daily stories of companies subjected to ever-increasing security risks. For example, the KrebsOnSecurity blog lists numerous reports of ransomware shutting down governments and institutions.

The problem with using VPN software to connect to work resources is that end users create an open tunnel between their home and corporate networks. This method allows full remote access to the entire work network from outside the office, bypassing most firewall rules (the VPN connection is technically initiated from inside the work LAN). In most cases, the entire internal government network is accessible to the remote worker, exposing all servers and desktops rather than just the resources needed. This gives malware lateral access to numerous hosts and network ports across the network.

The US Cybersecurity & Infrastructure Security Agency (CISA) notes: “Threat actors use SMB to propagate malware across organizations…Block all versions of SMB from being accessible externally to your network by blocking TCP port 445 with related protocols on User Datagram Protocol ports 137–138 and TCP port 139.”

In this scenario, any security vulnerability or malware present on the remote worker’s computer and network can infect the work network for the duration of the VPN connection. This includes ransomware. For example, if the remote PC is infected with malware or a virus, it can spread across the VPN to the corporate network and bypass work firewall protections. In addition, if the remote PC is compromised, it can be used as a conduit directly into the office LAN, where attackers can exploit security vulnerabilities to gain unauthorized access to systems.

Implementing secure VPN remote access to files in today’s high-risk environment is a complex and costly alternative to maintain and support.

Ideally VPN access should be eliminated in favor of zero trust technologies that provide only the access users need – and nothing more.

Cloud/Sync & Share Migration

Migrating organizations to cloud-based solutions such as SharePoint as a way to secure files for remote access is a complicated, challenging endeavor. Migrating file shares to cloud services involves months of planning to sort and identify data to move from a pool of file shares that can go back years, if not decades. For example, to migrate files to SharePoint, file names must be converted to remove characters not allowed in SharePoint (~ " # % & * : < > ? / \ { | }) and mapped to SharePoint libraries to stay within the SharePoint storage limits, using specialized tools that must be purchased at an additional cost. As an example, we identified The Top 5 SharePoint Migration Costs for enterprises to consider.
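To make the file-name problem concrete, here is an added PowerShell script (it is not from the article and is not one of the migration tools the article refers to) that scans an existing Windows file share for names containing the characters listed above and reports a proposed replacement for each. The UNC path `\\fileserver01\dept$` is an assumed value; the script is a dry run unless `-Rename` is passed. Note that of the listed characters, `" * : < > ? / \ |` cannot exist in NTFS names at all, so on a real share the hits will be names containing `~ # % & { }`.

```powershell
# Added example, not from the article: pre-migration scan of a Windows file share for
# names that contain the characters the article lists as disallowed in SharePoint.
# Dry run by default; pass -Rename to apply the proposed names.
param(
    [string]$ShareRoot = '\\fileserver01\dept$',   # assumption: UNC path of the share to scan
    [switch]$Rename
)

# Character class built from the article's list: ~ " # % & * : < > ? / \ { | }
# (" * : < > ? / \ | are illegal on NTFS anyway, so existing names can only hit ~ # % & { }).
$Pattern = '[~"#%&*:<>?/\\{|}]'

# Deepest paths first, so renaming a folder does not invalidate the stored paths of its children.
$hits = Get-ChildItem -LiteralPath $ShareRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        Sort-Object { $_.FullName.Length } -Descending

foreach ($item in $hits) {
    $parent  = Split-Path -LiteralPath $item.FullName -Parent
    $newName = $item.Name -replace $Pattern, '_'

    # Two names such as "Q1&Q2.xlsx" and "Q1%Q2.xlsx" both map to "Q1_Q2.xlsx";
    # append a counter rather than overwriting or failing halfway through a migration.
    $base = [IO.Path]::GetFileNameWithoutExtension($newName)
    $ext  = [IO.Path]::GetExtension($newName)
    $n = 1
    while (Test-Path -LiteralPath (Join-Path $parent $newName)) {
        $newName = '{0}_{1}{2}' -f $base, $n++, $ext
    }

    # One record per offending item; pipe to Export-Csv to keep an audit trail of the renames.
    [pscustomobject]@{
        Path     = $item.FullName
        Proposed = $newName
        Applied  = [bool]$Rename
    }
    if ($Rename) { Rename-Item -LiteralPath $item.FullName -NewName $newName }
}
```

Saved as, say, `Find-SharePointUnsafeNames.ps1`, a first pass of `.\Find-SharePointUnsafeNames.ps1 -ShareRoot '\\fileserver01\dept$' | Export-Csv names.csv -NoTypeInformation` gives the data owners a list to review before anything is renamed; only after that review would `-Rename` be run, and the CSV is what you keep to map old paths to new ones if users come looking for a file.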

The internet is rife with stories of SharePoint and cloud migrations gone awry when not executed with careful planning and due diligence. Migration is more complicated for organizations with highly sensitive data, such as government agencies, that are subject to a host of government and compliance regulations. Governments will need to budget for these hidden development, sourcing and deployment costs when comparing SharePoint to other enterprise file sharing solutions.

For governments concerned about data sovereignty, proprietary file formats and vendor lock-in, it may make more sense to migrate file shares to AWS or Azure file shares, where NTFS permissions and file names can be retained and where storage limits and vendor lock-in are not an issue. Simply migrating file shares to the cloud will, however, not protect them from ransomware or from data theft and loss.

While vendors provide tools to migrate files to their cloud storage platform, once migrated, all metadata is lost, making it complex or impracticable to export files back to file shares or other systems. Organizations will want to think carefully about the implications of moving files to cloud-based proprietary platforms, as they may find that if, for any reason, they want to move to another service, the future cost of migrating file shares again will far outweigh any short-term cost savings.

Remote Desktop/RDS

RDP is an additional alternative that government agencies use to provide remote access to systems and file shares. According to the latest report by Coveware, nearly 50% of ransomware exploits were the result of security issues around Remote Desktop Services (RDS) infrastructure breaches. The report found that in “Q1 2021, compromised remote desktop protocol connections regained the top position as the most common attack vector.”

RDP remains a frustratingly common vulnerability despite efforts to secure it with security best practices including:

Patching RDP Vulnerabilities

While RDP operates over an encrypted channel, there is a vulnerability in the encryption method in earlier versions of RDP, making it a preferred gateway for attackers. Microsoft estimates nearly 1 million devices are currently vulnerable to remote desktop security risks. The company issued a legacy patch for its outdated platforms, including Windows XP, Windows Server 2008, Windows 2003, and Windows 2007. (For these legacy platforms, RDP is known as Terminal Services.)

Patching is an important way to enhance RDP security; however, it must be performed consistently and promptly to prevent ransomware zero-day exploits.

Blocking Access to Port 3389

Best practice for preventing exposure to RDP security issues starts with creating a policy to handle endpoints and making sure TCP port 3389 is not reachable from the internet. A proactive approach helps you focus on preventing initial access by minimizing RDP security risks.

Limit RDP Users

You can limit who can log in through RDP and who can add or remove a user account from the Remote Desktop Users group.

Use a Virtual Private Network before logging into RDP

When you use a Virtual Private Network (VPN) connection, you add an extra layer of RDP security to your system. The VPN ensures that before an RDP connection can be made to your servers, a connection must be made to the secure private network, which is encrypted and hosted outside of your internal systems. While VPNs offer some improvement over direct access to RDS, they do not protect file shares once users are inside the internal network, for example if a user opens a phishing email and executes malware.

Use a Remote Desktop Gateway

An RDP/RDS gateway (in conjunction with a VPN) enhances control by removing all direct remote user access to your systems and replacing it with a point-to-point remote desktop connection. Users log in to the gateway first before connecting to any back-end services. The gateway can be further enhanced to require two-factor authentication, which further limits exposure and mitigates risk.
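The five practices above (patching, blocking port 3389, limiting RDP users, reaching RDP only through a VPN, and fronting it with a gateway) can be checked on a host in one pass. The following PowerShell audit script is an added example, not from the article or from Microsoft; it assumes Windows 10 / Server 2016 or later, an elevated session, and that the constructed subnet `10.10.50.0/24` (the VPN pool or RD Gateway) is the only network that should reach RDP. It is read-only unless `-Enforce` is given, in which case it scopes any wide-open RDP allow rule to that subnet.

```powershell
# Added example, not from the article: audit one Windows host against the RDP hardening
# steps above (patching, port 3389 exposure, Remote Desktop Users membership, NLA/TLS).
# Read-only unless -Enforce is given. Run elevated on Windows 10 / Server 2016 or later.
param(
    [string]$MgmtSubnet = '10.10.50.0/24',   # assumption: the only subnet (VPN pool / RD Gateway) allowed to reach RDP
    [switch]$Enforce
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Patching: when did the last hotfix land? (Get-HotFix lists installed Windows updates with dates.)
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings.Add("No hotfix installed in the last 30 days (last: $($lastPatch.InstalledOn))")
}

# 2. Is RDP enabled, and does it require Network Level Authentication over TLS?
#    fDenyTSConnections = 1 disables RDP; UserAuthentication = 1 requires NLA; SecurityLayer = 2 is TLS.
$ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($ts.fDenyTSConnections -eq 0) {
    $findings.Add('RDP is enabled on this host')
    if ($tcp.UserAuthentication -ne 1) { $findings.Add('RDP does not require Network Level Authentication (UserAuthentication != 1)') }
    if ($tcp.SecurityLayer -ne 2)      { $findings.Add('RDP security layer is not TLS (SecurityLayer != 2)') }
}

# 3. Limit RDP users: list every member of Remote Desktop Users for review.
#    (Members of the local Administrators group can also log on via RDP; review that group as well.)
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Remote Desktop Users member: $($_.Name) [$($_.ObjectClass)]") }

# 4. Port 3389 (or the configured RDP port): any enabled inbound allow rule open to "Any" remote address.
$port = if ($tcp.PortNumber) { [string]$tcp.PortNumber } else { '3389' }
$openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $pf.Protocol -eq 'TCP' -and (@($pf.LocalPort) -contains $port) -and
    (@(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -contains 'Any')
}
foreach ($r in $openRules) {
    $findings.Add("Firewall rule '$($r.DisplayName)' allows TCP $port from Any")
    if ($Enforce) { $r | Set-NetFirewallRule -RemoteAddress $MgmtSubnet }   # scope it to the management subnet
}

if ($findings.Count -eq 0) { 'No RDP exposure findings.' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it on every host that accepts RDP, not just the jump hosts; the third check is the one that most often surprises people, because group membership accumulates over years of troubleshooting. The firewall scope in step 4 is a host-level backstop for the perimeter rule, not a replacement for it.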

Limiting exposure using these methods can provide additional protection against remote ransomware attacks on file shares, but it does not address file share access once the user is inside the network. Governments will want to implement additional lockdowns inside the network to limit SMB access on TCP port 445 and lateral network access, to prevent ransomware from infecting file shares and systems internally.
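The CISA guidance quoted earlier (block TCP 445, TCP 139 and UDP 137–138 externally) and the internal lockdown described here are the same control applied at two boundaries. As an added example, not from the article or from CISA, the following PowerShell script applies it on a Windows file server: it scopes the built-in SMB/NetBIOS allow rules to the client subnets that legitimately need them and adds explicit block rules for the Public profile. The subnets `10.20.0.0/16` and `10.10.50.0/24` are constructed values; it is a dry run unless `-Apply` is given.

```powershell
# Added example, not from the article or CISA: lock down SMB/NetBIOS on a Windows file server so the
# ports CISA names (TCP 445, TCP 139, UDP 137-138) answer only to the client subnets that need them.
# Dry run unless -Apply is given. Run elevated on Windows Server 2012 or later.
param(
    [string[]]$AllowedClients = @('10.20.0.0/16', '10.10.50.0/24'),   # assumption: LAN clients + admin/jump subnet
    [switch]$Apply
)

# Port sets to control, expressed as individual ports so they match the built-in
# "File and Printer Sharing" rules, which open one port per rule.
$smbPorts = @(
    @{ Proto = 'TCP'; Ports = @('445') },
    @{ Proto = 'TCP'; Ports = @('139') },
    @{ Proto = 'UDP'; Ports = @('137', '138') }
)

# 1. Unsolicited inbound traffic is dropped on every profile unless a rule allows it.
'Set default inbound action to Block on Domain, Private and Public profiles'
if ($Apply) { Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block }

foreach ($set in $smbPorts) {
    # 2. Lateral-movement limit: every enabled inbound allow rule that opens one of these ports
    #    is scoped to the allowed subnets instead of answering the whole network.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq $set.Proto -and (@($pf.LocalPort) | Where-Object { $_ -in $set.Ports })
    } | ForEach-Object {
        "Scope '$($_.DisplayName)' ($($set.Proto) $($set.Ports -join ',')) to $($AllowedClients -join ', ')"
        if ($Apply) { $_ | Set-NetFirewallRule -RemoteAddress $AllowedClients }
    }

    # 3. External limit: explicit block on the Public profile. Block rules take precedence over allow
    #    rules in Windows Firewall, so SMB is never served on an untrusted network even if a broad
    #    allow rule is added later.
    $name = "Block inbound $($set.Proto) $($set.Ports -join ',') - Public profile"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        "Create '$name'"
        if ($Apply) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block -Profile Public `
                -Protocol $set.Proto -LocalPort $set.Ports | Out-Null
        }
    }
}
```

Two caveats before using `-Apply` on a production server. First, the admin subnet you manage the server from must be in `$AllowedClients`, otherwise the administrative shares stop answering and you are fixing it from the console. Second, the match in step 2 only recognises rules that list the port explicitly; a custom rule with `LocalPort = Any` or a range will not be scoped, so review `Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | Get-NetFirewallPortFilter` afterwards for anything the script did not touch.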

Zero Trust File Share Access

According to Gartner, by 2023, 60% of enterprises will phase out most of their remote access VPN solutions in favor of Zero Trust Network Access (ZTNA). Security cannot be guaranteed by VPNs, since open network ports can be compromised and exploited. With VPN, attackers can gain access to internal corporate networks, where many enterprises are vulnerable to ransomware encryption and other business-ending, catastrophic attacks. Adoption of Zero Trust, which was slowly becoming a reality, has accelerated dramatically since the pandemic hit – with remote workers creating a logistical nightmare for IT departments around the world. Network security and remote file share access are an essential part of government operations, alongside data integrity and governance.

As ZTNA becomes the gold standard in network security, what is needed to provide that level of security and create a sanctuary of file shares shielded from threats, without breaking the bank or wasting precious time on data migrations to another cloud-based platform?

One example of Zero Trust for secure remote file share access is MyWorkDrive. MyWorkDrive provides Zero Trust secure remote access to files and file shares without using VPNs, migrating files to cloud services, or maintaining a complex Remote Desktop infrastructure.

Governmental employees can access files and file shares remotely from anywhere, anytime.

Unlike Sync & Share, MyWorkDrive integrates exclusively and natively into an existing Windows File Share infrastructure without migrating files or vendor lock-in.

MyWorkDrive provides access over HTTPS with no remote access to internal network ports or servers. Access methods include:

Web File Manager

Access your file shares remotely using any web browser with a web-based file manager. The MyWorkDrive Web File Manager is the most elegant and user-friendly in the industry, loaded with the features users need and with nothing to install. Users can access, view, edit and collaborate on files in a secure web browser session, with no devices to manage and no risk of exposing internal networks or file shares to ransomware.

Mapped Network Drive

Connect to your files remotely using the MyWorkDrive Mapped Drive Client, which allows users to securely map a drive to their work files from anywhere without Sync or VPN. Optionally enable two-factor authentication and SAML/SSO for additional security and compliance.

MyWorkDrive also allows you to push out drive letters for each share, matching your in-house user experience. Users simply log in to your MyWorkDrive web site URL using their existing Active Directory credentials or SSO login, and all mapped network drives are displayed automatically. With MyWorkDrive, governmental staff can work safely from home with a mapped network drive experience, without the support or security concerns of VPN or Remote Desktop.

The Mapped Drive Client adds security and application-level protection controls that are not available with traditional mapped network drives over VPN:

  • Drive letters pushed from the server that mirror the mapped drive letters used in the office.
  • File type blocking.
  • Two-factor authentication.
  • SAML/Single Sign-On.
  • Data Leak Prevention (DLP) view of files with download/copy/print restrictions.
  • Granular permissions.
  • Active Directory NTFS permissions secured by default.
  • Bulk file upload interface.
  • Open Office documents online without local Office apps installed.
  • Connects over HTTPS on port 443 instead of SMB on port 445, which is typically blocked by ISPs.
  • DLP-protected mapped network drives.

View and edit files online directly from the mapped drive client.

This feature eliminates training requirements for end users and the need to log in from the web client, by providing a native view of files and folders in Windows Explorer while also adding DLP security features to protect sensitive data.

With MyWorkDrive, you can easily prevent downloads of files and folders while still displaying them in a traditional mapped drive client interface. View or edit files online while blocking download, clipboard, printing, upload or renaming of files. Watermarks and user details are displayed and logged on all viewed files. Security and compliance of data is of the utmost importance to both the public and private sectors. MyWorkDrive meets the new CMMC requirements as well as NIST, FedRAMP, HIPAA, FINRA and GDPR.

Daniel, Founder of MyWorkDrive.com, has worked in various technology management roles serving enterprises, government and education in the San Francisco Bay Area since 1992. Daniel is certified in Microsoft technologies, writes about information technology, security and strategy, and has been awarded US Patent #9985930 in remote access networking.