Protecting the Network from Ransomware -- provided by Harbin Antiy Technology Group Co., Ltd.

2018-07-24

Follow these security best practices to prevent your organization from falling victim to a ransomware attack.

Many network administrators believe that the main wave of ransomware has subsided and expect the number of ransomware attacks to decline steadily. As a result, they relax their protective measures and turn to more important tasks.

This negligent attitude, however, led one South Korean company to pay a ransom of $1 million, and there are probably many more victims. If you want to avoid this trouble, learn how to protect your network from ransomware. At the very least, make sure you do what this checklist describes; experience shows that ignoring basic security measures often leads to the most terrible consequences.

Network segmentation. Use separate subnets for different departments, virtual machine networks and servers. Subnets can be connected through gateways to improve security. With properly configured gateways, even if one machine or one subnet is infected, it is difficult for an attacker to infect the rest of the network. Broadcasts are limited by the size of the subnet and are not sent to other network segments, which mitigates the impact of attacks such as ARP spoofing. (Translator's note: ARP, the Address Resolution Protocol, is a network-layer protocol in the TCP/IP stack that resolves an IP address to the corresponding MAC address. An ARP spoofing attack forges IP and MAC addresses; it can generate large volumes of ARP traffic that congest the network, and as long as the attacker keeps sending forged ARP replies, the IP-MAC entries in the target host's ARP cache are overwritten, causing a network outage or a man-in-the-middle attack.)

Access restriction policies. Do not grant full access where it can be avoided. Configure user accounts with appropriate non-administrator permissions whenever possible. If you have any shared resources, give read-only access to users and groups that do not need write permission. Allow access to servers or the network only to users who need it for their work. Disable unused services.

Gateway configuration. Configure the gateway's NAT (Network Address Translation), firewall and access rules. Close unused ports, especially those on external network interfaces, and allow access only to trusted IP addresses and networks. Changing standard port numbers may reduce the number of automated scans. For example, you can change TCP port 22, used by the SSH (Secure Shell) protocol, to any other free TCP port number.

Use port forwarding to reach services on hosts in the internal network from the external network. The port number on the gateway's external network interface can be changed as needed. For example, you can forward TCP port 8082 on the gateway through the NAT router to TCP port 80 (HTTP) on a host in the LAN.

Assign separate accounts to VPN users.

MAC/IP anti-spoofing protection. IPv4 networks have an ARP-based vulnerability that is used for ARP spoofing attacks (also called ARP poisoning). Through this type of attack (for example a man-in-the-middle attack), a hacker can intercept sensitive data transmitted over the network, or redirect you to a malicious site and infect your system.

DNS (Domain Name System) spoofing is also possible. To prevent such attacks, configure appropriate packet filtering rules for the firewall on the gateway. Reject packets coming from networks that do not match the sending interface. Use secure protocols that support encryption, such as HSTS, HTTPS, SSL, TLS, SSH and IPsec. (Translator's note: HSTS, HTTP Strict Transport Security, is a new web security protocol being promoted by the Internet Engineering Task Force (IETF). HSTS forces the client, such as a browser, to use HTTPS when connecting to the server. HTTPS, Hyper Text Transfer Protocol over Secure Socket Layer, is an HTTP channel built with security as its goal; put simply, it is the secure version of HTTP. The HTTP protocol (Hypertext Transfer Protocol) is used to carry information between a web browser and a web server. HTTP sends content in plaintext and provides no form of data encryption; if an attacker captures the traffic between the browser and the web server, the information in it can be read directly, so HTTP is not suitable for transmitting sensitive information such as credit card numbers and passwords. To address this shortcoming of HTTP, HTTPS is needed. For secure data transmission, HTTPS adds the SSL protocol on top of HTTP; SSL relies on certificates to verify the server's identity and encrypts the communication between the browser and the server.)

NAT and proxy servers on the firewall. Configure a proxy server on a gateway that has NAT and a firewall, so that the internet connection is shared securely with your LAN. Block IP addresses and networks known to be malicious. Prevent users from connecting their own modem devices (such as phones) to access the internet from inside your LAN.

Filename spoofing protection. Attackers can spoof file names to disguise malicious executables as harmless files. A common method is using names such as picture.jpg.exe or music.mp3.exe (on Windows systems). You can configure the folder options and uncheck the "Hide extensions for known file types" checkbox in the "View" section. You can also use a content filter on the proxy server to prohibit downloading such files.

Another method of extension spoofing is Right-to-Left Override (RTLO or RLO), which uses special bidirectional control characters meant to change the writing direction in Unicode file names. For example, a spoofed file name is displayed as exe.mplary.pdf or axexe.txt, while the original name is □fdp.yralpm.exe or ax□txt.exe. In these examples the square represents the RTLO character. Pay attention to file names and configure the folder options in Windows: View -> Details or View -> Content. Note that spam emails may contain attachments with spoofed file names.

Anti-spam and anti-malware filters. Enable and configure filters on the mail server. If you do not have a mail server, install an anti-spam filter for your email client. Using the Sender Policy Framework (SPF) can help you filter emails with spoofed sender names.

Antivirus. Signature-based antivirus can recognize known ransomware. However, cybercriminals test their malware before releasing it to make sure antivirus cannot detect the infection. Look for antivirus software that supports both behavior-based and signature-based detection.

Strong passwords and certificates. Use strong passwords of at least eight characters, including upper- and lower-case letters, digits and special symbols. Use key-based authentication whenever possible, and use certificates for VPN and SSH connections.

Most importantly, be proactive rather than reactive in your defense.

Protecting the Network from Ransomware

https://www.networkcomputing.com/network-security/protecting-network-ransomware/567521910

03/29/2018, 6:30 AM

Michael Bose, VMware administrator, NAKIVO

Follow these security best practices to prevent your organization from falling victim to a ransomware attack.

Many network administrators believe that the main wave of ransomware has subsided and that we can expect a steady reduction in the number of attacks. Thus, they ease up on protection measures in favor of more important tasks.

This kind of negligent attitude, however, cost a South Korean company $1 million in ransom, and there are likely many more victims. If you want to save your company this trouble, learn about ways to protect your network from ransomware. At the very least, make sure you do what’s described in this checklist; experience shows that overlooking basic security measures often leads to the most horrific consequences.

Network segmentation. Use separate subnets for different departments, virtual machine networks, and servers. Subnets can be connected with gateways to improve security. With properly configured gateways, even if one machine or subnet is compromised, infecting the rest of the network will be difficult. Broadcasts are limited by the size of the subnet and are not sent to other network segments, which mitigates the influence of attacks, such as ARP spoofing attacks.

Access restriction policies. Don’t provide full access in cases when you can avoid this. Configure user accounts with appropriate non-administrative permissions when possible. If you have any shared resources, provide read-only access to users and groups who don’t need write permissions. Allow access to servers or networks only for users that need them in their work. Disable services that are not used.

Gateway configuration for networks. Configure NAT, firewalls, and access rules for network gateways. Close unused ports, especially on external network interfaces, allowing access only for trusted IP addresses and networks. Changing standard port numbers may reduce the number of automatic scanning attempts. For example, you could change TCP port 22, which is used by SSH, to any other free TCP port number.

Use port forwarding for providing access from external networks to services on hosts located in internal networks. You can change the port number on the external network interface of a gateway as needed. For example, you could forward port TCP 8082 from the gateway to TCP 80 (HTTP) on a host located in the local area network behind the NAT.
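The two gateway paragraphs above describe a policy (default-deny on the external interface, SSH moved off port 22 and reachable only from trusted addresses, a forward from WAN TCP 8082 to TCP 80 on a LAN host). The script below is an added example, not code from the article or from NAKIVO: it renders that policy as an nftables ruleset and first checks it against the checklist. The interface names, addresses and every value in POLICY are assumptions chosen for the example.

```python
"""Render an nftables ruleset for a small NAT gateway from a declarative policy.

Added example, not code from the article or from NAKIVO. It turns the gateway
advice above into something checkable: default-deny on the WAN interface, the
SSH daemon moved off TCP 22 and reachable only from trusted sources, and a DNAT
forward from WAN TCP 8082 to TCP 80 on one LAN host, with a matching forward
rule. Interface names, addresses and the POLICY values are assumptions.
"""
import ipaddress

# Constructed policy for the example; replace with your own values.
POLICY = {
    "wan_if": "eth0",
    "lan_if": "eth1",
    "lan_net": "192.168.1.0/24",
    # services the gateway itself exposes on the WAN: port -> trusted sources
    "wan_services": {2222: ["203.0.113.10", "203.0.113.0/28"]},  # SSH, off port 22
    # port forwards: WAN port -> (LAN host, LAN port)
    "forwards": {8082: ("192.168.1.10", 80)},
}


def validate_policy(policy):
    """Return a list of problems; empty means the policy follows the checklist."""
    problems = []
    lan = ipaddress.ip_network(policy["lan_net"])
    for port, sources in policy["wan_services"].items():
        if not sources:
            problems.append(f"WAN port {port} is open to every source")
        if port == 22:
            problems.append("SSH still listens on the standard port 22")
        for src in sources:
            ipaddress.ip_network(src)  # ValueError on a malformed address
    for wport, (host, _hport) in policy["forwards"].items():
        if ipaddress.ip_address(host) not in lan:
            problems.append(f"forward {wport} targets {host}, outside {lan}")
    return problems


def build_ruleset(policy):
    """Return the nftables ruleset as a list of lines (join with newlines to load)."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    wan, lan, lan_net = policy["wan_if"], policy["lan_if"], policy["lan_net"]
    forwards = sorted(policy["forwards"].items())
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iifname "lo" accept',
        "    ct state established,related accept",
        "    ct state invalid drop",
        f'    iifname "{wan}" ip saddr {lan_net} drop',  # LAN source on WAN = spoofed
        f'    iifname "{lan}" ip saddr {lan_net} accept',
    ]
    for port, sources in sorted(policy["wan_services"].items()):
        srcset = ", ".join(sources)
        lines.append(f'    iifname "{wan}" tcp dport {port} ip saddr {{ {srcset} }} accept')
    lines += [
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname "{lan}" oifname "{wan}" ip saddr {lan_net} accept',
    ]
    for _wport, (host, hport) in forwards:
        # only connections rewritten by the DNAT rule below may enter the LAN
        lines.append(f'    iifname "{wan}" oifname "{lan}" ip daddr {host} '
                     f'tcp dport {hport} ct status dnat accept')
    lines += ["  }", "}", "table ip nat {", "  chain prerouting {",
              "    type nat hook prerouting priority -100;"]
    for wport, (host, hport) in forwards:
        lines.append(f'    iifname "{wan}" tcp dport {wport} dnat to {host}:{hport}')
    lines += ["  }", "  chain postrouting {",
              "    type nat hook postrouting priority 100;",
              f'    oifname "{wan}" masquerade', "  }", "}"]
    return lines


if __name__ == "__main__":
    print("\n".join(build_ruleset(POLICY)))
```

Running the script prints a ruleset that can be saved to a file and loaded with `nft -f`. The validation step is the point: it refuses to render a policy that leaves a WAN service open to every source or that forwards into an address outside the LAN, so the checklist items become a failing build rather than a note in a document.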

Have separate accounts for VPN users.

MAC/IP anti-spoofing protection. There is a vulnerability based on ARP in IPv4 networks that is used for ARP-spoofing attacks (also known as ARP-poisoning). With attacks of this type, such as man-in-the-middle attacks, the malefactor can intercept sensitive data that is transmitted over the network or redirect you to a malicious site and infect your system.

DNS spoofing can also take place. In order to prevent attacks of this type, configure the appropriate packet filtering rules with firewalls on your gateway. Reject packets addressed from networks that don’t match the sending interface. Use secure protocols that support encryption, such as HSTS, HTTPS, SSL, TLS, SSH, and IPsec.
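The two paragraphs above give the symptom (a poisoned ARP cache) and the filter rule (reject packets whose source network does not match the interface they arrived on). The monitor below is an added example, not code from the article or from NAKIVO, and applies both checks to constructed events: it learns the MAC that answers for each IP from ARP replies and reports a later reply that binds the same IP to a different MAC, and it accepts a packet only when the longest-matching prefix for its source address belongs to the interface it came in on. All interface names, prefixes, IPs and MACs are invented for the example.

```python
"""Spot ARP poisoning and source-address spoofing in observed traffic.

Added example, not code from the article or from NAKIVO. Interface names,
prefixes, IPs and MACs below are constructed for the example.
"""
import ipaddress


class AntiSpoofMonitor:
    def __init__(self, iface_prefixes):
        # interface -> networks that may legitimately source packets on it
        self.iface_prefixes = {
            iface: [ipaddress.ip_network(p) for p in nets]
            for iface, nets in iface_prefixes.items()
        }
        self.arp_bindings = {}  # ip -> mac seen in the first reply
        self.alerts = []

    def observe_arp_reply(self, sender_ip, sender_mac):
        """Learn IP->MAC bindings; return an alert string if a binding changes."""
        known = self.arp_bindings.get(sender_ip)
        if known is None:
            self.arp_bindings[sender_ip] = sender_mac
            return None
        if known.lower() != sender_mac.lower():
            alert = f"ARP: {sender_ip} was {known}, now claimed by {sender_mac}"
            self.alerts.append(alert)
            return alert
        return None

    def expected_iface(self, src):
        """Interface owning the most specific prefix that contains src (or None)."""
        best, best_len = None, -1
        for iface, nets in self.iface_prefixes.items():
            for net in nets:
                if src.version == net.version and src in net and net.prefixlen > best_len:
                    best, best_len = iface, net.prefixlen
        return best

    def check_ingress(self, iface, src_ip):
        """Return True if src_ip may arrive on iface; otherwise record an alert."""
        src = ipaddress.ip_address(src_ip)
        expected = self.expected_iface(src)
        if expected == iface:
            return True
        self.alerts.append(f"IP: {src_ip} arrived on {iface}, expected on {expected}")
        return False


# Constructed sample: a gateway with the LAN on eth1 and the internet on eth0.
SAMPLE_IFACES = {"eth1": ["192.168.1.0/24"], "eth0": ["0.0.0.0/0"]}
SAMPLE_ARP = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # the real gateway answers first
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
]
SAMPLE_PACKETS = [
    ("eth1", "192.168.1.20"),   # LAN host on the LAN interface: fine
    ("eth0", "203.0.113.5"),    # internet host on the WAN interface: fine
    ("eth0", "192.168.1.50"),   # LAN address arriving from the internet: spoofed
    ("eth1", "10.0.0.7"),       # foreign address on the LAN interface: spoofed
]


def run_sample():
    """Feed the constructed events through the monitor; return verdicts and alerts."""
    mon = AntiSpoofMonitor(SAMPLE_IFACES)
    for ip, mac in SAMPLE_ARP:
        mon.observe_arp_reply(ip, mac)
    verdicts = [mon.check_ingress(iface, src) for iface, src in SAMPLE_PACKETS]
    return verdicts, mon.alerts


if __name__ == "__main__":
    verdicts, alerts = run_sample()
    print("verdicts:", verdicts)
    for a in alerts:
        print(a)
```

The ARP half is what a monitoring tool on the LAN would do; the ingress half is the logic a gateway firewall rule expresses with an interface match plus a source-prefix match. Using the longest matching prefix rather than a simple membership test is what keeps a catch-all internet prefix on the WAN side from swallowing LAN traffic arriving on the LAN side.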

NAT and proxy servers with firewalls. Configure a proxy server on your gateway with Network Address Translation and firewalls to share the internet connection securely for your LAN. Block IP addresses and networks known to be malicious. Prevent users from connecting their own modem devices, such as phones, for internet access inside your LAN.

Filename spoofing protection. Malefactors can spoof file names, allowing malicious executable files to masquerade as harmless ones. A common method is using names such as picture.jpg.exe or music.mp3.exe (for Windows systems). Configure the folder options and deselect the “Hide extensions for known file types” checkbox in the View section. You can also prohibit the downloading of such files with a content filter on your proxy server.

Another method of extension spoofing is Right-to-Left Override (RTLO or RLO), using special bidirectional control characters intended for changing the order of writing in Unicode file names. For example, the spoofed file names would show up as exe.mplary.pdf or axexe.txt while the original names are □fdp.yralpm.exe and ax□txt.exe. In these examples, the square signifies the RTLO character. Keep an eye on file names and configure your folder options in Windows: set View -> Details or View -> Content. Be aware that spam emails can contain files with spoofed names as attachments.

Anti-spam and anti-malware filters. Enable and configure filters on the mail server. If you don’t have a mail server, install an anti-spam filter for your email client. Using the Sender Policy Framework (SPF) can help you filter emails with spoofed sender names.
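The SPF check mentioned above comes down to one decision per connecting sender: look up the TXT record of the domain in the MAIL FROM address and walk its mechanisms left to right until one matches. The code below is an added example, not from the article or from NAKIVO, that implements that walk for the mechanisms that can be evaluated without DNS (ip4, ip6, all) against constructed records for the hypothetical domains example.com and example.net; mechanisms and modifiers that need lookups (a, mx, include, exists, ptr, redirect) are out of scope here and raise NotImplementedError, with RFC 7208 defining their handling.

```python
"""Minimal SPF evaluation against a sender domain's published record.

Added example, not code from the article or from NAKIVO. SPF_RECORDS is a
constructed stand-in for DNS TXT lookups; only ip4, ip6 and all are evaluated.
"""
import ipaddress

SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, records=SPF_RECORDS):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for sender_ip."""
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no policy published: nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifiers such as redirect= and exp=
            raise NotImplementedError(f"modifier not supported offline: {term}")
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        raise NotImplementedError(f"mechanism needs DNS: {name}")
    return "neutral"  # no mechanism matched and no 'all' present


def filter_verdict(sender_ip, mail_from_domain):
    """Map the SPF result to one possible filter action: reject on 'fail',
    quarantine on 'softfail', deliver otherwise."""
    result = check_spf(sender_ip, mail_from_domain)
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "deliver")


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.com"), ("203.0.113.9", "example.com"),
                    ("198.51.100.8", "example.net"), ("192.0.2.1", "nospf.example")]:
        print(ip, dom, check_spf(ip, dom), filter_verdict(ip, dom))
```

A record ending in -all is what makes the filter useful against spoofed sender names: a message claiming to be from example.com but arriving from an address outside the listed ranges evaluates to fail. A domain whose record ends in ~all or publishes no record at all gives the filter much less to work with, which is why the action mapping treats those results differently.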

Antivirus. Signature-based antivirus can recognize known ransomware. However, cybercriminals test their malware before release to make sure that AV cannot detect the infection. Look for antivirus software that supports both behavior-based and signature-based detection.

Strong passwords and certificates. Use strong passwords that contain at least eight characters including both upper and lower case letters, digits, as well as special symbols. Use key-based authentication with certificates for VPN and SSH connections when possible.
