The pandemic is finally subsiding in many parts of the world, bringing optimism for a vibrant, post-pandemic recovery that some say will be comparable to the Roaring Twenties period of the 1920s. Despite the brightening outlook, cyberattackers continue to take advantage of overwhelmed IT departments to mount brazen attacks on organizations across virtually every industry — with real-world impacts on critical infrastructure and supply chains.
This worrying trend is only expected to continue as organizations pursue a hybrid model of in-office work and working from home. IT leaders, from CIOs and CISOs downward, must maintain a high degree of readiness against cyberattacks as their colleagues combine returning to the office with “working from anywhere” using a patchwork of solutions such as corporate email, VPNs, and the cloud.
The crippling Colonial Pipeline cyberattack in May 2021 resulted in hoarding over fears of gasoline shortages on the East Coast of the United States, and a more recent attack on JBS in June 2021 resulted in a shutdown of meatpacking plants pushing beef-and-pork prices upwards in an already strained food supply chain. Days later, it was revealed that the Metropolitan Transportation Authority of New York City was breached by state-sponsored attackers with the possible motive of gaining an edge on lucrative public tenders. These high-profile attacks that are publicized represent only a fraction of the actual compromises that are happening as you read this article.
The proliferation of ransomware from as few as a single infected device is among the most common vectors of a successful cyberattack. Whether an organization ends up paying a ransom to the attackers or not, the business impacts of a cyberattack can include lost revenues and reputation damage, not to mention actual danger to public health and safety. Once a beleaguered company pays a ransom (usually in cryptocurrency) to regain control over their data and information systems, they become an easy mark for future attackers as the underlying vulnerabilities remain unresolved.
Needless to say, prevention is better than the cure, when it comes to avoiding ransomware attacks. Ransomware frequently spreads through file shares in an organization’s network after a victim clicks on a link in a phishing email. The link takes them to a fake website which tricks them into entering their credentials and/or downloading the malicious payload onto their computer.
While security awareness training can help, and is, in fact, required by many compliance programs, it should be combined with technological interventions such as two-factor authentication (2FA) to reduce the likelihood of security breaches.
A case study of YubiKeys at Google revealed that successful account takeovers were eliminated after it became mandatory for Google employees to use the hardware security keys to log on. Considering that the technical proficiency of a typical employee at Google is far higher than at a non-technology firm, IT leaders should consider that even technically sophisticated users can fall victim to a phishing scam in a moment of inattention.
The open source Nextcloud cloud storage solution, developed in Berlin, Germany along with global contributors, supports a series of defenses against ransomware spreading across your organization, even as your workforce encounters dangerous emails and hardware media (e.g. USB keys) on a day-to-day basis.
2-Factor Authentication – It supports the use of TOTP (authenticator app) and FIDO-based (hardware) authentication for two-factor authentication or passwordless login, delivering benefits similar to Google’s adoption of YubiKey discussed earlier.
Virus & Ransomware Scanning – Not many of the most popular cloud storage services support virus and ransomware scanning, but with the Virus Scanner and Ransomware Protection apps for Nextcloud, every file uploaded to Nextcloud can be scanned before being saved to storage.
The virus scanner utilizes open source ClamAV definitions, maintained by Cisco Talos, to detect other viruses and trojans. Additionally, the ransomware protection app prevents locked files from overwriting healthy data on the server by flagging unusual file names or extensions, and calculating the entropy of uploaded files.
Monitoring & Auditing – If a potentially infected file is detected, the user can notify an administrator for help, and the event is logged to the Nextcloud system logs, which can trigger an alert through the Syslog logging driver and a centralized logging service such as Graylog. Using the Monitoring and auditing app, file accesses and sharing can be logged in the same way.
External Shares – When internal users have to share confidential data with external parties, Nextcloud eliminates the insecure practice of sending email attachments, which can travel unencrypted between email servers. With Nextcloud, users can create a share to any Nextcloud federated account (between Nextcloud servers), or generate a secure drop link that supports uploading publicly, but only viewing the files internally.
Remote Wipe – If a company or BYOD asset (Android, iOS, or laptop) is lost or stolen, the Nextcloud account can be immediately locked out by an administrator, who also remotely wipes the data from the missing device. Once the employee is assigned with a replacement device, they can continue working by simply resyncing their data from Nextcloud.
Virtual Data Room – Nextcloud also supports integration with Collabora Online or OnlyOffice Document Server to create a virtual data room (VDR) with watermarking on office documents and PDFs based on user groups or tags, to discourage the unauthorized dissemination of confidential information.
LDAP Integration / Single-Sign-On (SSO) – If your organization currently uses a LDAP directory to manage user credentials, Nextcloud supports LDAP integration and automatically creating the corresponding account in its database where a user logs in with their existing organizational credentials. The responsiveness of LDAP lookups, particularly concerning LDAP groups, is one of the significant improvements of the Nextcloud 21 performance overhaul, resulting in faster single-sign-on.
Overall, Nextcloud provides a comprehensive solution for limiting the potential impact of a ransomware attack on your organization (by containing any infections before they can spread across the entire file server), and reducing the likelihood of a data breach by enforcing good security policies.
To maintain a security posture of defense-in-depth, we would recommend using Nextcloud in conjunction with other security products such as email scanning and endpoint protection. This gives you the best chance of catching potential attacks before they even have the chance of landing on a user’s device, with an additional line of defense enforced by Nextcloud.