By Michael Smith CEH, SSCP, CISSP
As I am sure you are aware, on 12 May, organisations worldwide were hit by the WannaCry cyberattack, which crippled over 200,000 computers in more than 150 countries. Months later, the repercussions are still being felt. The attack installs ransomware on machines and encrypts their files, demanding an average payment of around $675 in bitcoin to decrypt them.
E-mail is the number one delivery vehicle for ransomware, accounting for 31% of attacks
In a reminder of the importance of security awareness training for employees, networks became infected after a user on the network opened an infected attachment from a ‘phishing’ e-mail. The attachment carried a worm that encrypted the machine and went on to infect other machines on the network. In many cases the encryption happened too fast for security software to catch it. The attack caught many off guard and exposed flaws in several enterprises’ technology estates.
The WannaCry worm, created using stolen National Security Agency (NSA) cyber-offensive tools, exploited a fault in Windows operating systems from Windows XP up to, but not including, Windows 10. Although Microsoft knew of the fault and had issued a patch, many had not installed it.
Victims included the UK’s National Health Service (NHS), Russia’s Ministry of Interior, China government agencies, the Deutsche Bahn railway company, car manufacturers Nissan Motor Co. and Renault, PetroChina, logistics giant FedEx and other company and hospital computer systems in countries from Eastern Europe to the US and Asia. Russia and Ukraine appear to have had the heaviest concentration of infections.
The attack was finally halted in the UK when a 22-year-old cybersecurity researcher took control of an Internet domain that appears to have acted as a kill switch for the worm’s propagation. But there are concerns that the code will simply be rewritten, removing this initial flaw.
Why did this occur?
Ransomware is big business, with payouts costing organisations over $1bn in 2016 – a figure that is sure to rise this year with the impact of WannaCry. However, the attack was able to spread so quickly because many enterprises had not patched or upgraded their systems and lacked effective cyber defence capabilities.
Microsoft had released a patch in early 2017 to address the Windows loophole the NSA discovered, but many organisations had not installed it. This is not uncommon and is usually due to the cost and complexity of upgrading or, in some cases, ignorance of the risks involved in not staying up-to-date with patches. The public sector is particularly vulnerable in this regard, due to the sheer size of its IT estates and, in many cases, underinvestment.
In Britain, the NHS was particularly badly hit because it faces a constant funding conflict between allocating scarce resources to patient care and spending on IT systems. Consequently, many hospitals have been using a version of Windows that is no longer supported by Microsoft, leaving them wide open to attack.
Many Sungard AS Managed Services clients subscribe to our patch management service and we advise them which upgrades they should install, but for those customers who contract only colocation services this is their responsibility alone. (Sungard AS would never make changes to a customer’s equipment, such as installing patches, without an express instruction to do so: while a change could fix one problem, it could cause a host of others.)
In some cases, a Disaster Recovery solution could offer a means to mitigate the impact of ransomware attacks: in the event of an attack, one could simply restore a ‘clean’ version from backup. But that is more complex than it sounds. Malware could have been in the system for some time, lying dormant until an activation signal. In those cases restoring is very difficult, as the malicious software could be present in the backups too.
Added to this, any backup and recovery solution is just one piece of the puzzle, together with risk mitigation and resilience planning as part of a wider cybersecurity solution.
Danger has not passed
WannaCry appears to have been halted, almost by accident. But there are likely to be other, more sophisticated ransomware attacks. We have already seen the next global ransomware outbreak – known as NotPetya, Petrwrap or a variant of Petya – spread rapidly across the UK, Europe, Russia and India, and it seems unlikely that will be the end of it. The danger has not passed.
This suggests that ransomware protection and other types of cyber security will become a greater concern for many C-Level executives, at least in the short term (although the cyberthreat will never go away).
What you can do about the ransomware threat
With any kind of cyberattack, cybercriminals will typically go for the easiest targets first, so efforts should focus on prevention. Possibly the most important advice I can give is to implement a Defence in Depth approach to security, in which you don’t place your faith in any single technique or technology but put multiple layers of both proactive and reactive security controls in place to eliminate information security vulnerabilities.
So here are some proactive measures all organisations should follow to guard against attack:
The first line of defence against infection
- Network edge (‘perimeter’) security, the best location to eliminate the vast majority of attacks, using Managed Firewall Services, Managed Intrusion Prevention Services and Two Factor Authentication.
- Operating system layer security such as Managed File Integrity Monitoring and Host-Based Intrusion Detection Services.
- Update obsolete operating systems
- Patch management services for infrastructure devices within the data centre. This includes devices under Sungard AS management such as servers, network devices, security devices and some applications.
- Conduct Information Security Assessments, Vulnerability Assessments and regular penetration testing to assess the effectiveness of your defences.
- Adopt a virtual desktop environment for remote devices
- Implement specialist email filtering services to clean out malicious attachments and URLs
- Block users from installing unauthorised applications and ensure applications are managed centrally
- Disable macro scripts from office files transmitted over email
- Implement proxy internet access, mail relays and mail scrubbing to form a barrier between an internal network and the open internet. Proxy servers intercept requests for internet pages from users within the network and perform various chores to protect the network, improving performance and enforcing company web use policies.
- Segregate networks through the use of a Demilitarised Zone (DMZ) that separates your internal local area network (LAN) from other untrusted networks, usually the internet. External-facing servers, resources and services are located in the DMZ so they are accessible from the internet but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the Internet.
- Application layer security - Install robust firewalls including Web Application Firewalls and monitor these to ensure they stay current and able to withstand the latest threats
- Backup regularly and verify the integrity of those backups. Ensure they are not connected to the computers and networks they are backing up. Ideally, data should be held securely in a resilient, geographically separate location.
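The e-mail filtering and macro-blocking items above describe what a mail gateway has to decide for every attachment. The following is an added example, not Sungard AS code and not a description of any particular product: it parses a message with Python's standard library, blocks attachments by executable extension (taking the last extension, so a double-extension name is caught), opens Office files as the zip archives they are and looks for a VBA project (so a macro document renamed to .docx is still blocked), and applies the executable rule to the members of zip attachments. The block lists, verdict names and the sample message are constructed assumptions for illustration.

```python
"""Attachment screening for an inbound mail filter.
Added example, not Sungard AS code; block lists, verdict names and the
sample message are constructed assumptions for illustration."""
from __future__ import annotations

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed policy: executable and script types have no business arriving from outside.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1"}
# Office formats whose extension declares macro content.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# OOXML documents are zip archives; VBA macros are stored in a member with this name.
VBA_MEMBER = "vbaProject.bin"


def zip_members(data: bytes) -> list[str] | None:
    """Member names if data is a readable zip archive, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename: str, data: bytes) -> str:
    """Verdict for one attachment: allowed, blocked-executable, blocked-macro or blocked-archive."""
    suffix = PurePosixPath(filename.lower()).suffix  # last suffix only: 'x.pdf.exe' -> '.exe'
    if suffix in BLOCKED_EXTENSIONS:
        return "blocked-executable"
    members = zip_members(data)
    # Macro check by name, then by content: a renamed .docm is still a zip holding vbaProject.bin.
    if suffix in MACRO_EXTENSIONS or (members and any(m.endswith(VBA_MEMBER) for m in members)):
        return "blocked-macro"
    # Archives: apply the executable rule to every member, including nested paths.
    if suffix == ".zip" and members:
        if any(PurePosixPath(m.lower()).suffix in BLOCKED_EXTENSIONS for m in members):
            return "blocked-archive"
    return "allowed"


def screen_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and return (filename, verdict) for each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        results.append((name, classify_attachment(name, part.get_payload(decode=True) or b"")))
    return results


def build_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container; real documents carry many more members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/" + VBA_MEMBER, b"constructed placeholder, not real VBA")
    return buf.getvalue()


def build_zip(files: dict[str, bytes]) -> bytes:
    """Constructed zip archive from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed phishing-style message: one benign and three unwanted attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@sender.example"
    msg["To"] = "staff@recipient.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    word = "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg.add_attachment(build_ooxml(True), maintype="application", subtype=word,
                       filename="invoice.docx")           # macros hidden behind a .docx name
    msg.add_attachment(b"MZ placeholder", maintype="application", subtype="octet-stream",
                       filename="viewer.pdf.exe")         # double extension
    msg.add_attachment(build_zip({"readme.txt": b"hi", "update.js": b"// placeholder"}),
                       maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, verdict in screen_message(build_sample_message()):
        print(f"{name}: {verdict}")
```

The content check matters more than the extension check: the gateway should never trust what the sender named the file, and the same principle extends to checking declared MIME types against file signatures, which this example leaves out.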
The second line of defence – detecting infection
- On an ongoing basis through Managed File Integrity Monitoring Services, SIEM, Managed Intrusion Detection Systems and Incident Response Services.
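Verifying backup integrity (the last item in the first list) and File Integrity Monitoring (above) rest on the same mechanism: hash every file while the data is known-good, keep that record off the monitored system, and compare later. The following added example, which is not a Sungard AS service and not code from this article, builds a SHA-256 manifest, stores it in a separate location, and on verification reports modified, missing and added files, flags new files carrying suspicious suffixes, and raises a mass-change alarm when a large share of the baseline has changed in one run, which is the pattern an encrypting process leaves behind. The suffix list, the 50% threshold and the sample files are constructed assumptions; scramble_files only imitates the observable effect of such a process on a temporary directory so that the detection can be exercised.

```python
"""File-integrity baseline and verification with a mass-change alarm.
Added example, not a Sungard AS service; thresholds, suffixes and sample
files are constructed assumptions for illustration."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Assumed indicator list: suffixes sometimes appended to encrypted files. Tune, don't trust blindly.
SUSPICIOUS_SUFFIXES = {".locked", ".encrypted", ".crypt"}
# Assumed threshold: if this fraction of baselined files changed or vanished in one run, alarm.
MASS_CHANGE_RATIO = 0.5


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large backup files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file path (relative, POSIX form) under root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def verify(root: Path, baseline: dict[str, str]) -> dict:
    """Compare the tree under root against a stored baseline and summarise the differences."""
    current = build_manifest(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    suspicious_new = sorted(p for p in added if Path(p).suffix in SUSPICIOUS_SUFFIXES)
    changed = len(modified) + len(missing)
    mass_change = bool(baseline) and changed / len(baseline) >= MASS_CHANGE_RATIO
    return {"modified": modified, "missing": missing, "added": added,
            "suspicious_new": suspicious_new, "mass_change": mass_change,
            "intact": not (modified or missing or added)}


def scramble_files(root: Path) -> None:
    """Test fixture only: replace every file with an unreadable copy under a new suffix,
    mimicking what a verification run sees after an encrypting process (XOR is not encryption)."""
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.with_name(p.name + ".locked").write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        p.unlink()


def demo() -> tuple[dict, dict]:
    """Baseline a constructed tree, verify it clean, scramble it, verify again."""
    with tempfile.TemporaryDirectory() as data, tempfile.TemporaryDirectory() as vault:
        root, manifest_path = Path(data), Path(vault) / "baseline.json"  # manifest kept apart
        (root / "records").mkdir()
        for name, text in {"records/patient-1.txt": "constructed record 1",
                           "records/patient-2.txt": "constructed record 2",
                           "policy.txt": "constructed policy"}.items():
            (root / name).write_text(text)
        save_manifest(build_manifest(root), manifest_path)
        clean = verify(root, load_manifest(manifest_path))
        scramble_files(root)
        after = verify(root, load_manifest(manifest_path))
        return clean, after


if __name__ == "__main__":
    clean_report, after_report = demo()
    print("clean run:", clean_report)
    print("after scramble:", after_report)
```

Two design points follow directly from the article's advice: the manifest lives in a different location from the data it describes, because a manifest stored beside the files is scrambled along with them; and the mass-change ratio, not any single changed file, is what turns a routine change report into an alert worth paging on.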
Third line – mitigate losses
Managed Backup and Recovery Services. Crisis-driven decisions worsen the impact, so prepare for a potential incident in advance and put plans to the test. Remember to think beyond technology and address the people and process aspects of your plan. For example:
- Specify who is responsible for each step of the response, whether it’s someone in-house or a third party.
- If your business involves e-commerce, have a ‘Plan B’ in place to keep orders flowing.
- Plan your communication strategy – who needs to be notified and when.
While we have focused on technical security measures above, don’t forget to educate your people who will otherwise become the weak links in the chain:
- Draw up an Information Security Policy and ensure it is rigorously adhered to
- Create an education programme for users explaining the risks posed by inadequate defences, the threats faced by organisations and their responsibility to prevent breaches
- Insist on strong password controls for users and, importantly, for system administrators too. No user should be assigned administrative access unless absolutely necessary and, for the same reason, do not reuse the same admin passwords on servers and on user machines, a common mistake. Escalation of privileges is one of the first steps in compromising a network, so strictly limit access.
- Adhere to basic security doctrines such as allowing users to see only the information necessary to do their jobs.
If this sounds like a daunting To Do list, remember Sungard Availability Services’ cybersecurity and resilience experts can help.