Managing The Risk

ransomwareransomblackmail

On 12th May 2017 a ransom ware attack hit many organisations around the world, some notably large ones such as the NHS and Telefonica, and their operations were hit severely. I pity the IT staff who would have had to work through the night and weekend to restore services.

It definitely could have been prevented or in the very least, reduced to a handful of devices rather than the majority. It appears that those running Windows XP, which went end of life in 2015, were particularly vulnerable as they no longer receive updates and patches. I do have to wonder why so many machines were hit when there are so many easy things a business can do to reduce risk.

Patch It

There’s a reason that vendors produce security updates and these days the delivery and installation is automated. Windows Server Update Services (WSUS) downloads the updates and deploys them from a central location on the network. Use it and take action on Critical and High Priority patches quickly. The bad guys are really good at exploiting vulnerabilities so the quicker you patch the quicker you’ve removed the vulnerability. Remember, it’s not just your Windows devices that need patching.  Everything including network equipment, switches and firewalls, etc need to be patched.

Make sure anti-virus, spam filters and web filters are updated regularly.

Look For Your Own Vulnerabilities

Use a tool such as Nessus to scan your network for vulnerabilities.  It will look for holes in your network, tell you where they are and suggest a way of securing the vulnerability.  It will even look for default passwords or misconfiguration. Run a regular scan and attack the vulnerabilities by priority with the Critical ones first.

Remove Legacy Systems If You Can

If you don’t need to run Windows XP then get rid of it and prevent it from happening.

What If You Can’t Get Rid of Legacy Systems?

There are a large amount of organisations that have legacy systems such as specific business software or manufacturing equipment that are dependent on old operating systems.  It’s either really costly to replace these systems or simply a replacement that works on a later operating system doesn’t exist. This is where you need to manage risk.

This requires you to really understand your IT estate, what you’re using on them and why you can’t move away from legacy operating systems.

Block the Internet

Viruses typically arrive via the internet. They’ll arrive by email or through a download on a webpage.  Usually they are dependent on the internet to perform their job so if you stop the old Windows XP systems reaching the internet the ransom ware can’t check in with the remote server.

Also, remove email from the Windows XP device and reduce it’s day to day usage to just that of the legacy system. Email can sit on newer devices.

Segregate The Network

Split the network up by using VLANs (virtual Local Area Network). This is a great way of controlling the flow of data across the network and prevent one part of it from talking to another.  For example, you don’t want the highest risk PC’s, such as those in the offices talking to the internet or email, having the ability to talk directly to the Windows XP computers that drive your very expensive manufacturing equipment.  Whilst it’s an inconvenience if your office employees can’t use the internet or email for a day or so, imagine the cost to a business if it can’t use its manufacturing equipment to make stuff.

Put all your servers on their own VLANs and stop the ability for them to talk directly to the internet. Create air gaps between key systems so that if a virus or a worm does infect your network they can’t jump across to legacy equipment as there’s no connectivity.

Lock Down Files

You should be doing this however lock down all your files to only those that need access to it.  You don’t want someone in your warehouse downloading ransom ware and then encrypting all your HR or Finance files because they can connect to them via a mapped drive.  The ransom ware takes the files and then changes the state of the file by encrypting it because the user that has introduced the virus has access.  No access then no ability to change the state.

Also, make sure that all key files are stored and backed up on a central server.  No data of any worth should be kept on a local PC. You need to be prepared to lose the data on the computer.

Take Regular Back Ups

I’m still amazed at how businesses do not invest wisely in back up technology.  Back up your data and ensure that access is restricted by a VLAN.  If an office worker can directly access your back ups on the network then the ransom ware worm they’ve just introduced on the network can as well.

Education, Education, Education

To quote a former Prime Minister…education is key.  Educate your users regularly on the risks to the business and how to spot a fake email and the opening of attachments.

Prepare For Infection

Resign yourself that you will be hit so prepare for the day.  Run through scenarios with staff and assign people to tasks that they will perform in the event of a disaster.

It’s Happened, I’ve Been Hit By Ransom Ware

Bugger. Don’t despair though as, if you’ve followed the good practices above then you’ve reduced the risk massively.  Only a small portion of your network has been infected and your legacy systems are happily ticking along.

Don’t pay the ransom and restore your workstations and data. Make it easier on yourself by using various technologies and methods such as virtualisation or online back ups. Make it quicker to restore desktop PC’s using images rather than reinstalling all over again.

Learn from it

If anything, this latest attack will sharpen the mind of board rooms to the issue of cyber security. This is a good thing as it’s not going away and has the ability to severely disrupt availability and integrity of data and more importantly, the reputation of a business.

Photo Credit: The Register

Advertisements

How Boobs and Curiosity Killed The Cat..and Your Pc

This article is how you can defend against viruses where the best and last line of defence is you.

Viruses are programs designed to alter the state of your data, either to make money or just ruin your day. They’ll delete, encrypt or spy on your data but I would say that you can stop around 99% of viruses by following some simple measures.

Don’t Be Stupid

Simple really. You receive an email about a subject that’s totally random to you and it has an attachment or web link then be careful. Apply these rules:

  • Is this an email from someone you know or have been communicating with?
  • Is the grammar or subject matter what you would expect from this person?
  • Is the email address correct? When you see an email and it looks like it’s from a name you recognise there are two parts to it. You’ll see the name and SMTP address, i.e. Joe Bloggs <joe.bloggs@notherealjon.com> . Emails get spoofed all the time so check the SMTP (joe.bloggs@) bit and see if it’s correct. Chances are it’s a random address created by a hacker.
  • Does the web link look correct? If you hover over the link but the hover shows a completely different web address then they are trying to trick you by making it look like a legitimate website.
  • If you’re a middle aged bloke with a beer gut and you’re being enticed by emails from the young nubile Emily who wants you to click on her web link to chat then don’t. She’s not really going to show you her boobs.

Don’t let curiosity get the better of you. Just delete the email and don’t open the attachment or click on the link. If you do then you’ll unleash hell onto your PC. If it’s a legitimate email then the person will chase it by another email or call you if it’s important.

To be safe, make sure that Macros in your Microsoft Office programs are turned off so that don’t work automatically. If you receive an attachment that asks you to enable Macros then it’s highly likely you’re about to say goodbye to your data.

Patch Those Holes

Viruses typically take advantage of vulnerabilities in your software. These weaknesses are patched regularly by the software vendors hence you see Windows Updates or Adobe updates. Don’t ignore them. They patch the holes to prevent the vulnerability being exploited. If a software requires an update (and this is not limited to Microsoft or Adobe) then update it.

Do The Obvious

It goes without saying but you really need to use anti virus software and don’t think that having a Mac you’ll escape. Hackers are quite happy to go after Apple fanboys as much as they are Windows. Sophos are one of the most trusted anti-virus vendors going and they do a free home network version for up to 10 devices. Well worth it if you don’t currently have software and the link is below.

Sophos Home

Lastly, remember about your back ups. Have at least one back that you don’t automatically access on a day to day basis. If you can easily navigate to it then so can the virus which, at that point, you’re stuffed.