Lessons learned from WannaCry
May 22nd 2017
As the world regroups from the recent WannaCry / WannaCrypt ransomware outbreak, we wanted to take a few moments to reflect on what we learned from the event and share that knowledge so we can all be better protected going forward. While the origins of this attack were unique, as it was based on an exploit developed by the NSA, the WannaCry outbreak confirmed two things. First, ransomware is not going away: as business and government entities rely more and more on digital data, ransomware is an effective way to exploit that value. Second, the defenses against ransomware remain the same as in past outbreaks of CryptoLocker, CryptoWall, and similar families.
Given this recent outbreak, we wanted to review those best practices below. This is by no means a complete list, but addressing the top five areas below will help you protect your personal and business data when the next round of ransomware hits.
Establish a perimeter. A simple firewall on the perimeter of your network used to be considered adequate. However, today’s viruses are smarter than they used to be. Having an advanced security subscription on top of your firewall gives you the ability to protect your organization from the latest known threats and attacks by automatically updating the firewall’s configuration to block new threats as they develop. Since most ransomware requires reaching out to a malicious server to retrieve its encryption key, preventing the ransomware from “calling home” effectively blocks it in most cases. The SonicWall firewalls protecting Epsilon’s hosted customer sites were updated to protect against WannaCry in April, a month before the outbreak. For remote and teleworkers who are not always working behind a firewall, we also use Cisco Umbrella for all our support customers.
Stay current. Most software companies release updates on a regular basis to patch security vulnerabilities as they are discovered. Running and applying updates regularly is important to provide the latest functionality, patch security holes where needed, and minimize overall system vulnerability. While Microsoft does a fantastic job of publishing security patches on a continual basis, many software and hardware providers still require their software and firmware updates to be applied manually. For this reason, devices such as switches, wireless access points, and firewalls are rarely updated and are therefore among the easiest devices to exploit externally. Because of this we review all client systems for updates monthly, and schedule regular touch points to ensure that those updates are being correctly applied to all devices.
Buy legitimate software. WannaCry hit hardest in locations in Russia and China that routinely use bootlegged copies of Windows. Since these systems were not receiving the necessary updates, they were vulnerable to exploitation. Ensuring your systems are legitimate and supported ensures that you can get support from the OEM. Paying for licensing is never fun, but in this case it may cost more not to purchase authentic software.
Back things up. If you do get infected with ransomware, restoring systems from the last known good backup is, in most cases, the only way to recover your files other than paying the ransom. With WannaCry, the criminals included additional code to specifically delete the backup shadow copies, to ensure that you had to pay the ransom to recover your files. Regardless, your backups are there for a reason. Ensure that you use multiple methods of backup, that each of those methods is redundant, that you regularly test those backups to verify their integrity, and that you avoid single points of failure wherever possible.
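The shadow copy deletion described above is also a detection opportunity: if a machine starts removing its own Volume Shadow Copies, that is worth an alert before the backups elsewhere are ever needed. The example below is added here and is not code from the original post; it runs a small rule set over constructed process-creation events (the shape of Sysmon Event ID 1 or Windows Security event 4688, flattened to one line each) and shows how an allow-list for a backup service account keeps the alert high-signal. The host names, account names and rule names are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, flattened to
# host|user|image|command line. Not real telemetry.
SAMPLE_EVENTS = r"""
WS-101|CORP\alice|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
WS-101|CORP\alice|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
WS-102|NT AUTHORITY\SYSTEM|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
WS-103|CORP\bob|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\bob\notes.txt
WS-104|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /for=D: /oldest
"""

# Command-line shapes that remove Volume Shadow Copies; each gets a rule name.
# Listing or creating shadow copies is deliberately not matched.
SHADOW_DELETE_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wmi_shadowcopy_remove", re.compile(r"win32_shadowcopy.*\b(remove|delete)\b", re.I)),
]

@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str

def detect_shadow_copy_deletion(log_text, allowed_users=frozenset()):
    """Return a Finding for every event whose command line matches a rule.

    allowed_users: accounts (e.g. the backup service account, an assumed
    name here) whose shadow copy pruning is expected; their events are
    skipped so the alert stays high-signal. Tune this to your environment.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, user, _image, cmdline = line.split("|", 3)
        if user in allowed_users:
            continue
        for rule, pattern in SHADOW_DELETE_RULES:
            if pattern.search(cmdline):
                findings.append(Finding(host, user, rule, cmdline))
                break  # one finding per event is enough
    return findings

if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS, {r"CORP\svc_backup"}):
        print(f"{f.host} {f.user} {f.rule}: {f.cmdline}")
```

Feed it real process-creation telemetry by mapping your log fields into the same four columns; the allow-list is the main tuning knob, since backup software legitimately prunes old shadow copies.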
Scan for vulnerabilities. Industry standards and government regulations require regular security assessments and vulnerability scans to ensure that threat exposure is minimized. We use a variety of tools to perform these scans for a broad range of clients to ensure compliance with standards ranging from the Risk Management Framework (RMF) for our DoD clients to HIPAA/HITECH and PCI compliance for our business customers.
The WannaCry ransomware is notable for the speed of the outbreak and for its impact across the globe. However, at its core it is simply an incremental evolution in the continual advancement of the threat our data faces every day, and another reminder to adhere to the foundational best practices of IT security. These should include establishing a training plan and policy and conducting regular refresher training on threats such as phishing, spam/spyware, and social engineering. This will significantly reduce the likelihood of your business being exploited by a security risk in the first place.