It’s important to realise that vulnerable systems are often those on which we rely most.
Since its discovery last week, the WannaCry ransomware attack has continued to spread, hitting over 10,000 organisations and 200,000 individuals in over 150 countries.
Although steps have been taken to slow the spread of this malware, new variations are surfacing.
Jonathan Care, research director at Gartner, outlines steps cybersecurity professionals must take immediately.
First and foremost, apply Microsoft's MS17-010 patch. If you don't have it, and you have TCP port 445 open, your system will be hit by ransomware, he states.
Then take the following steps to guard your organisation against future attacks of this nature:
Stop blaming
While it’s tempting to point the finger at others, one of the key stages of incident response involves focusing on root causes. Microsoft Windows XP, an OS that has been hit hard by WannaCry, can be embedded into key systems as part of control packages. This means that vulnerable firmware may be neither accessible nor under your control. Where you have embedded systems — such as point-of-sale terminals, medical imaging equipment, telecom systems, and even industrial output systems such as smart card personalization and document production equipment — ensure your vendor can provide an upgrade path as a priority.
Do this even if you use other embedded OSs, such as Linux or other Unix variants, as it's safe to assume that all complex software is vulnerable to malware.
Isolate vulnerable systems
There will be systems that, although not yet affected by malware, are still vulnerable. It’s important to realise that vulnerable systems are often those on which we rely most. A useful temporary fix is to limit network connectivity — identify which services you can turn off, especially vulnerable services like network file sharing.
Stay vigilant
Gartner’s adaptive security architecture emphasises the need for detection, he states. Ensure your malware detection is updated. Check that your intrusion detection systems are operating and examining traffic. Ensure that user and entity behavior analytics (UEBA), network traffic analysis (NTA) and security information and event management (SIEM) systems are flagging unusual behavior, that such issues are being triaged, and that incident handlers are responsive. Bear in mind that additional resources may be required to handle the volume of incidents, liaise with law enforcement agencies, and field questions from the public (and possibly the media). Keep technical staff focused on resolving key issues and let someone else answer external questions.
After the crisis, there will be time to learn lessons, says Care.
At that point, he says organisations should review vulnerability management plans; re-examine approaches to not just protective measures but also key detection capabilities, such as UEBA, NTA and advanced SIEM; perform additional threat modeling; and consider carefully what risks are tolerable. It's also important to assess your cloud security.
Paying ransoms funds the development of nascent malware and ransomware
But if ransomware infection occurs, do not pay the ransom, advises James Scott, senior fellow, Institute for Critical Infrastructure Technology.
There are limited chances of the attacker actually unlocking the system, he says in a blog post.
Some ransomware, such as the WannaCry ransomware, do not even contain decryption mechanisms or technical procedures to identify which victim has paid the ransom, he adds.
As well, paying ransoms encourages attackers to broaden their campaigns and it inspires new threat actors to launch additional attacks because the campaigns are seen as profitable.
“Paying ransoms funds the development of nascent malware and ransomware, it increases the likelihood that others will be victimised by ransomware by encouraging new campaigns, and it may even fund terrorism, cybercriminal attacks, or adversarial nation-state efforts.”
He advises contacting the proper authorities and personnel, and restoring the system from the latest external backup.
Underinvestment in basic cybersecurity is a massive false economy
From ISACA comes the following advice:
Organisations cannot afford to be out of touch with basic cybersecurity requirements, says Raef Meeuwisse, director of @Cyber Simplicity.
It is reported that many of the impacted systems were running operating systems that were no longer supported by their manufacturer, but were still connected to networks and managing email with no compensating controls, he says.
Underinvestment in basic cybersecurity is a massive false economy, he says.
“There is a danger that if budgets are looked at in silos, it can appear cheaper to leave vulnerable technologies in place without considering the huge cost impact of the operational interruption.”
He says some newer forms of anti-malware can also run on top of or alongside older anti-virus solutions, and identify and block over 99 percent of malware, including polymorphic forms they have never seen.
They do this by using a basic form of artificial intelligence and machine learning. They can even be configured to completely block powershell scripts for desktop environments, he states.
Send news tips and comments to divina_paredes@idg.co.nz
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.