The Current Issue: WannaCry Outbreak
The ‘Wanna Decryptor’ virus—potentially derived from the CryptoLocker malware—is delivered as a Trojan through a loaded hyperlink that can be accidentally opened by a victim through an email, advertisement on a webpage or a Dropbox link. Once activated, the program spreads through the computer and locks all files.
This malware modifies files in the /Windows and /windows/system32 directories and checks for other users on the network to infect. These actions require administrative privileges, which is why it is dangerous for regular users to have administrative rights: an infected account that holds them opens backdoors and hands attackers access to the administrative shares.
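The point above is least privilege: if the everyday account is not a local administrator, the malware cannot take these steps under it. The following is an added example (not code from the original post or from TBNG Consulting) that audits who holds local administrator rights on a Windows host and lists the administrative shares those rights expose. It assumes Windows 10 / Server 2016 or later (for the `Get-LocalGroupMember` and `Get-SmbShare` cmdlets) and that you replace the placeholder entries in `$Expected` with your own allow-list.

```powershell
# Added example: audit local Administrators membership against an allow-list.
# $Expected holds constructed placeholder names; replace them with the accounts
# and groups that are supposed to have admin rights in your environment.
$Expected = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin account
    "CONTOSO\Domain Admins"              # placeholder domain group
)

# Every principal that currently holds local admin rights on this host.
$members = Get-LocalGroupMember -Group 'Administrators'

# Anything not on the allow-list is a regular user (or stray group) with admin rights.
$unexpected = $members | Where-Object { $Expected -notcontains $_.Name }

if ($unexpected) {
    Write-Warning 'Accounts with local admin rights that are NOT on the allow-list:'
    $unexpected |
        Select-Object Name, ObjectClass, PrincipalSource |
        Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators group contains only expected members.'
}

# The administrative shares (C$, ADMIN$, IPC$) are what an admin-level infection
# can reach on this machine over the network; list them so the exposure is visible.
Get-SmbShare -ErrorAction SilentlyContinue |
    Where-Object { $_.Special } |
    Select-Object Name, Path |
    Format-Table -AutoSize

# Remediation is deliberately left commented out so the audit stays read-only:
# $unexpected | ForEach-Object { Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name }
```

Run it in an elevated PowerShell session on each workstation (or push it through your management tooling) and treat every name in the warning list as an account to demote to a standard user.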
Defensive Measures and Practices
The recent outbreak of Ransomware comes as no surprise to those of us in the IT Security industry. For the past year, the number of systems held hostage by this nasty malware has continued to increase at an alarming rate. Yet, many companies in the small and medium size business space (“SMB”) continue to resist implementing various measures to mitigate this looming risk. I say looming because, at this point, the proliferation of outbreaks coupled with the rapid mutation of the underlying payload will likely hit your business at some point in time. Furthermore, typical desktop anti-virus will not be enough to detect or protect against the slight changes in this nasty code. So, what should your organization do to better defend itself?
There are several basic checkpoints or layers that every organization should have in place as part of its IT Security Plan. Most of this may be common sense, but you would be surprised at how many SMBs (let’s categorize these as companies earning less than $250MM in gross revenues) may be deficient in this area:
- Monthly or Quarterly software patch window: this should include all types of operating systems (not just Microsoft Windows) and the underlying set of applications. Yes, patching can be a pain, but it could very well save your organization.
- Unified Threat Management or “UTM”: Perimeter and East|West deep packet inspection firewalls that have updated anti-virus, intrusion protection and web content filtering subscriptions. The subscriptions on these devices can help increase your organization’s ability to thwart and defend against known and unknown malware and viruses.
- Back-up: a solid backup appliance or software should be in place performing automated incremental backups that can be pushed off-site. In many cases, the ability to recover from a Ransomware attack is entirely dependent on back-up data sets and restoration. I would also add that this is probably a good time to check how the restoration process works and whether your data is 100% usable. This may seem silly, but many SMBs do not allot time for proper business continuity planning.
- Snap-Shots: volume snapshots are NOT backups. However, they can be very useful for fast restoration of virtual servers and/or file systems if infected or compromised.
- AV, or anti-virus solution, for servers and desktops. Make sure your AV solution has some advanced scanning intelligence for malware and Trojans. Oftentimes, local users and email are the attack vector for ransomware-type infections. Additionally, you should consider an email firewall solution (separate from UTM) to protect your email servers. Many of these devices offer MX record redirection for off-site scanning prior to delivering email to your front door.
- Sandbox: this is newer technology that typically works in conjunction with your UTM appliance on the perimeter. The general idea is that a dedicated Sandbox appliance can catch zero-day attacks by intercepting and detonating threats before they hit your network.
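Two of the layers above, the patch window and the back-up, can be checked with a script rather than taken on faith. The following is an added example (not code from the original post or from TBNG Consulting) that reports how long ago the last hotfix landed on a host and then performs a small test restore from a backup set, verifying each restored file by SHA-256. It assumes Windows PowerShell 5.1 or later; `$BackupRoot` is a placeholder path you must point at a real backup set, and the `Copy-Item` step stands in for whatever restore command your backup product uses.

```powershell
# Added example: self-checks for the patching and back-up layers.
$PatchWindowDays = 30                                 # monthly window; use 90 for quarterly
$BackupRoot      = 'D:\Backups\FileServer\latest'     # placeholder; point at a real backup set
$RestoreRoot     = Join-Path $env:TEMP 'restore-test'  # scratch location for the test restore

# --- 1. Patch window: when was the last hotfix installed on this host? ---
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if (-not $lastPatch) {
    Write-Warning 'No hotfix install dates found; treat this host as unpatched.'
} else {
    $age = (Get-Date) - $lastPatch.InstalledOn
    if ($age.Days -gt $PatchWindowDays) {
        Write-Warning ("Last hotfix {0} was installed {1} days ago; outside the {2}-day window." -f
            $lastPatch.HotFixID, $age.Days, $PatchWindowDays)
    } else {
        Write-Output ("Patch window OK: {0} installed {1} days ago." -f
            $lastPatch.HotFixID, $age.Days)
    }
}

# --- 2. Back-up: restore a random sample of files and verify them by hash ---
# A backup that cannot be restored is not a backup. This pulls up to 20 random
# files out of the backup set, copies them to a scratch folder (the stand-in for
# your product's restore step) and confirms each copy matches its source hash.
$sample = Get-ChildItem -Path $BackupRoot -Recurse -File | Get-Random -Count 20

New-Item -ItemType Directory -Path $RestoreRoot -Force | Out-Null
$failures = 0
foreach ($file in $sample) {
    $dest = Join-Path $RestoreRoot $file.Name
    Copy-Item -Path $file.FullName -Destination $dest -Force
    $srcHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        Write-Warning "Hash mismatch after restore: $($file.FullName)"
        $failures++
    }
}
Write-Output ("Test restore: {0} of {1} sample files verified." -f
    ($sample.Count - $failures), $sample.Count)

# Clean up the scratch restore so the test leaves nothing behind.
Remove-Item -Path $RestoreRoot -Recurse -Force
```

Schedule this against the off-site copy as well as the local one; a restore that only works from the appliance sitting next to the infected server is exactly the case the author warns about.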
There are certainly additional steps, some of which are more technical in nature, that all organizations should take to bolster IT Security measures. However, the big takeaway from this blog is the principle of security in layers – be aware of your attack surfaces.
TBNG Consulting utilizes various “best of breed technologies” to help our clients build layered defenses and solid data backup solutions. From local desktop software such as ESET, to perimeter and cloud protection solutions from Barracuda Networks and Fortinet, we can help you prepare for the next imminent threat.