Why did this occur?
Ransomware is big business, with payouts costing organisations over $1bn in 2016 – a figure that is sure to rise with the impact of WannaCry. However, the attack was able to spread so quickly because many enterprises had not patched or upgraded their systems and lacked effective cyber defence capabilities.
Microsoft had released a patch in early 2017 to address the Windows loophole the NSA discovered, but many organisations had not installed it. This is not uncommon and is usually due to the cost and complexity of upgrading or, in some cases, ignorance of the risks involved in not staying up-to-date with patches. The public sector is particularly vulnerable in this regard due to the sheer size of their IT estates and underinvestment in many cases.
In Britain, the NHS was particularly badly hit because it faces a constant funding conflict between allocating scarce resources to patient care and spending on IT systems. Consequently, many hospitals have been using a version of Windows that is no longer supported by Microsoft, leaving them wide open to attack.
In some cases, a Disaster Recovery solution could potentially offer a means to mitigate the impact of ransomware attacks – in the event of an attack, one could simply restore a 'clean' version from backup. But that is more complex than it sounds. It is possible that malware could have been in the system for some time, dormant before an activation signal. In those cases, it would make restoring very difficult as the malicious software could be present in backups.
Added to this, any backup and recovery solution is just one piece of the puzzle, together with risk mitigation and resilience planning as part of a wider cybersecurity solution.
Danger has not passed
WannaCry appears to have been halted, almost by accident. But there are likely to be other, more sophisticated ransomware attacks. We have already seen the next global ransomware outbreak – known as NotPetya, Petrwap or a variant of Petya – spread rapidly across the UK, Europe, Russia and India and it seems unlikely that will be the end of it. The danger has not passed.
This suggests that ransomware protection and other types of cyber security will become a greater concern for many C-Level executives, at least in the short term (although the cyberthreat will never go away).
What you can do about the ransomware threat
With any kind of cyberattack, cybercriminals will typically go for the easiest targets first, so efforts should focus on prevention. Possibly the most important step would be to implement a Defence in Depth approach to security in which you don't place your faith in any single technique or technology, but put multiple layers of both proactive and reactive security controls in place to eliminate information security vulnerabilities.
Here are some proactive measures all organisations should follow to guard against attack:
The first line of defence against infection
- Network edge ('perimeter') security to eliminate threats at the perimeter, the best location to eliminate the vast majority of attacks, with Managed Firewall Service, Managed Intrusion Prevention Services and Two Factor Authentication
- Operating system layer security such as Managed File Integrity Monitoring and Host-Based Intrusion Detection Services
- Update obsolete operating systems
- Patch management services for infrastructure devices within the data centre. This includes devices under Sungard AS management such as servers, network devices, security devices and some applications
- Conduct Information Security Assessments, Vulnerability Assessments and regular penetration testing to assess the effectiveness of your defences
- Adopt a virtual desktop environment for remote devices
- Implement specialist email filtering services to clean out malicious attachments and URLs
- Block users from installing unauthorised applications and ensure applications are managed centrally
- Disable macro scripts from office files transmitted over email
- Implement proxy internet access, mail relays and mail scrubbing to form a barrier between an internal network and the open internet. Proxy servers intercept requests for internet pages from users within the network and perform various chores to protect the network, improving performance and enforcing company web use policies
- Segregate networks with a Demilitarised Zone (DMZ) that separates your internal local area network (LAN) from other untrusted networks, usually the internet. External-facing servers, resources and services are located in the DMZ so they are accessible from the internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the Internet
- Application layer security – Install robust firewalls including Web Application Firewalls and monitor these to ensure they stay current and able to withstand the latest threats
- Backup regularly and verify the integrity of those backups. Ensure they are not connected to the computers and networks they are backing up. Ideally, data should be held securely in a resilient, geographically separate location
The second line of defence – detecting infection
On an ongoing basis through Managed File Integrity Monitoring Services, SIEM, Managed Intrusion Detection Systems and Incident Response Services.
Third line – mitigate losses
Managed Backup and Recovery Services – Crisis-driven decisions worsen the impact so prepare for a potential incident in advance and put plans to the test. Remember to think beyond technology and address the people and process aspects of your plan. For example:
- Specify who is responsible for each step of the response, whether it's someone in-house or a third party
- If your business involves e-commerce, have a 'Plan B' in place to keep orders flowing
- Plan your communication strategy – who needs to be notified and when
While we have focused on technical security measures above, don't forget to educate your people who will otherwise become the weak links in the chain:
- Draw up an Information Security Policy and ensure it is rigorously adhered to
- Create an education programme for users explaining the risks posed by inadequate defences, the threats faced by organisations and their responsibility to prevent breaches
- Insist on strong password controls for users but, importantly, for System Admin too. No users should be assigned administrative access unless necessary and, for this reason, do not use the same Admin passwords on servers as for users, a common mistake. Escalation of privileges is one of the first steps to compromise a network so strictly limit access.
- Adhere to basic security doctrines such as allowing users to see only the information necessary to do their jobs.
If this sounds like a daunting list, remember our cybersecurity and resilience experts can help. Learn more about Information Security Management IT Consulting from Sungard Availability Services.