![]() I was reflecting on the idea of using ZFS snapshots as a mitigation strategy for malware. "Pull" server (FreeNAS-2) to better fortify or harden it against these types of aggressive network threats? Are there changes that can be made to the replication target, i.e. (3) The above-described setup was taken from how the FreeNAS Documentation page describes how to set up snapshots and replication. (2) What about the FreeNAS-1 snapshots that were replicated to FreeNAS-2 into Tank2/Dataset2/Dataset1? Is there any way these cryptolocker/ransomware infections can encrypt the replicated data in Tank2/Dataset2/Dataset1? Can I simply "Rollback" the prior day's snapshot and be up and running again (minus any new data added within the last 24hrs)? Cryptolocker hits on a Wednesday, but I have a snapshot from the day before (Tuesday). (1) Will the local snapshots on FreeNAS-1 (Tank1/Dataset1) be "safe"? E.g. Workstation-A becomes compromised with Cryptolocker and starts encrypting all of it's local HDD's and all network drives and locations (including all of the CIFS shared data on FreeNAS-1 (Tank1/Dataset1). Second FreeNAS is FreeNAS-2 = Tank2/Dataset2.įreeNAS-1 takes daily snapshots which are stored locally and replicated to FreeNAS-2, into Tank2/Dataset2/Dataset1. Dataset1 is shared via CIFS and mapped to a drive letter in Windoze. ![]() Main dataset is on FreeNAS-1 = Tank1/Dataset1. ![]() I'm finally wading into snapshots and replication and was wondering what some best practices are to safeguard FreeNAS datasets against crypto-locker/ransomware type infections?įor example: someone has two FreeNAS Servers -> FreeNAS-1 & FreeNAS-2. Then as time permits, start implementing the SANS Top 20. If possible, configure WSUS and WDS (with standardized image of fresh windows install).Identify mission-critical computers and make sure that they are being backed up in a way that is not susceptible to network-based attacks.Install and configure EMET (if windows computers).Verify that automatic updates are configured (for OS and applications).Uninstall java or flash unless needed for business purposes.Take away local admin rights from regular users.My typical to-do list for cleaning up a small business includes the following: To that end, protecting your computers from cryptolocker / cryptowall is not much different than protecting them against any other form of malware infection. I suppose in theory, someone could compromise an internal webserver and make it serve cryptowall malware, but then you'd have much bigger fish to fry. It will very happily encrypt files on mapped network drives, but not use them as an attack vector. Click to expand.The primary attack vectors for cryptowall are drive-by installs (web browsing) and spam emails.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |