Having just completed a phone call, I am feeling helpless and a bit angry. Why? Because the call was from a friend and colleague whose company has just had a ransomware attack. It was successful, and they are faced with either paying the ransom or facing a total disruption of their business model and taking a major hit to their corporate reputation as they slowly work their way out of the mess.
Why helpless? Because the damage is done. If they had taken our courses on managing cyber exposures at the Global Risk Academy (https://globalriskacademy.com/p/the-definitive-guide-to-cyber-exposure-management) they would have been prepared and, hopefully, would have avoided the attack.
Why angry? Because I, and many others, have been trying for years to educate individuals and organizations on cyber exposures, the harm they can do and are doing to organizations, and how to manage them, and we have made minimal progress. It angers me because I see, time and time again, the nonchalance, the dismissal of cyber exposure, and the categorization of cyber exposure as a technical issue to be dealt with by technicians, leaving organizations open to things such as the ransomware attack mentioned above. And all of this could, and should, be dealt with in a professional manner, avoiding the cost and embarrassment of a successful cyber-attack.
Enough ranting. The following is a resend of some material I have distributed before, but given the current rash of ransomware attacks I thought it useful to send it again. It is material I collected from various sources and from personal experience, to provide guidance on what you could, and should, be doing to prevent, detect and respond to ransomware and other malicious-software attacks. I hope you find it useful.
1. Scan your environment for cyber exposures
Don’t wait for an infection to be detected in your network. Before an intrusion occurs, you should know whether you have cyber exposures that give predators easy access. These exposures go beyond your critical infrastructure, but at a minimum you should scan that infrastructure to find known vulnerabilities in your operating system(s) or applications that could make them susceptible to a ransomware attack, and take steps to remediate those vulnerabilities.
For the technical exposures you should, at the very least, run a vulnerability scan of your assets to identify vulnerabilities such as the CVE-2017-0144 Windows vulnerability. If vulnerabilities are found in your environment, take swift action to patch your systems, and then re-scan your environment to confirm the patches took effect.
The choice of a scanning system depends upon the specifics of your situation. The following list is meant to provide some examples and to give you a place to start.
AlienVault® Unified Security Management™ (USM™) delivers a built-in network vulnerability scanner to monitor your cloud, hybrid cloud, and on-premises critical infrastructure for vulnerabilities and configuration issues.
Microsoft Baseline Security Analyzer (MBSA) can perform local or remote scans on Windows desktops and servers, identifying any missing service packs, security patches, and common security misconfigurations. The 2.3 release adds support for Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012, while also supporting previous versions down to Windows XP.
The Open Vulnerability Assessment System (OpenVAS) is a free network security scanner platform, with most components licensed under the GNU General Public License (GNU GPL). The main component is available via several Linux packages or as a downloadable virtual appliance for testing/evaluation purposes. Though the scanner itself doesn’t run on Windows machines, the project offers clients for Windows.
Retina CS Community provides vulnerability scanning and patching for Microsoft and common third-party applications, such as Adobe and Firefox, for up to 256 IPs free. Plus it supports vulnerabilities within mobile devices, web applications, virtualized applications, servers, and private clouds. It looks for network vulnerabilities, configuration issues, and missing patches.
Qualys FreeScan provides up to 10 free scans of URLs or IPs of Internet-facing or local servers or machines. You initially access it via their web portal and then download their virtual machine software if you are running scans on your internal network.
But remember our advice and determine your non-technical cyber exposures as well. They might be your biggest exposure. Don’t know what they are? Then take our introductory course, Understanding Cyber Exposures, at the Global Risk Academy (https://globalriskacademy.com/p/cyber-exposure).
2. Know what services and applications are running in your cyber eco-system.
The latest strain of Petya ransomware leverages flaws in Microsoft’s SMB v1 service, a service that may not be required or essential to your organization. For good cyber exposure security, you should maintain an up-to-date inventory that identifies all the services, applications and equipment in your cyber eco-system, along with the responsible party for each. With that inventory in hand, you can do two things:
- Verify that the items in the inventory have all defaults changed and all updates applied.
- Identify and disable any non-essential services (like SMB v1) that may expose you to an attack.
Remember the predators are constantly checking for vulnerabilities so you need to constantly check all possible entry and weak points.
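As an added example (not part of the original post, and not a tool from any vendor named in it), here is a PowerShell script that produces the kind of inventory step 2 asks for on a single Windows host: running services with the account they run as, listening ports mapped to their owning process, and the state of SMB v1, with an optional switch to turn SMB v1 off. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the `-Disable` switch and the output directory are choices made for this example.

```powershell
# Added example: per-host inventory of services and listeners, plus SMB v1 check/disable.
# Run elevated. Output directory and the -Disable switch are this example's own choices.
param(
    [switch]$Disable,                                   # report only unless -Disable is given
    [string]$OutDir = "$env:ProgramData\CyberInventory"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Running services: name, start mode, the account they run as and the binary path.
Get-CimInstance Win32_Service |
    Where-Object State -eq 'Running' |
    Select-Object Name, DisplayName, StartMode, StartName, PathName |
    Export-Csv -NoTypeInformation -Path "$OutDir\services-$stamp.csv"

# 2. Listening TCP ports with the process behind each one. Ports 445 and 139 in this
#    list mean the host is offering SMB / NetBIOS file sharing to the network.
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Pid          = $_.OwningProcess
            Process      = $proc.ProcessName
        }
    } |
    Sort-Object LocalPort |
    Export-Csv -NoTypeInformation -Path "$OutDir\listeners-$stamp.csv"

# 3. SMB v1 status. The server-side protocol flag is what matters for Petya-style worms;
#    the optional feature is the installable component behind it (on Windows Server
#    editions the equivalent is Get-WindowsFeature FS-SMB1).
$smb     = Get-SmbServerConfiguration
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

Write-Host "SMB1 server protocol enabled : $($smb.EnableSMB1Protocol)"
Write-Host "SMB1 optional feature state  : $($feature.State)"

if ($Disable) {
    if ($smb.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMB1 server protocol disabled.'
    }
    if ($feature -and $feature.State -eq 'Enabled') {
        # Removing the feature only takes full effect after a reboot.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host 'SMB1 feature disabled; reboot to complete removal.'
    }
}

Write-Host "Inventory written to $OutDir"
```

Run it once without `-Disable` across your estate and compare the CSV files against the inventory you keep; anything listening that nobody owns is the first thing to investigate. Check that no legacy device (old printers, NAS boxes, scanners) still depends on SMB v1 before running it with `-Disable`.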
3. Ensure that your critical systems and data are backed up and ready for restore.
If you don’t currently take regular backups, consider the latest Petya ransomware attack a warning shot. Every organization should have a reliable backup process that includes air-gapped or offline backups, tested on a regular basis, so that you can speedily restore your operation. If you do not do these simple tasks you may find yourself shopping for bitcoins, which in itself is no guarantee that you’ll be able to decrypt the files on a compromised system.
Remember that your back-ups need to include data, programs and support software. Why? Because, depending upon the attack, you may need to totally re-create your cyber environment.
Back-ups that are current and tested are not a luxury but a necessity in the age of ransomware.
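The point of step 3 is the word "tested": a backup you have never restored is a hope, not a backup. As an added example (not from the original post), the following PowerShell script takes a backup of a directory tree with Robocopy, restores it to a scratch location exactly as you would after an incident, and then proves the restore is complete by comparing SHA-256 hashes of every file. The three paths are placeholders for this example; point `$Backup` at media you can detach afterwards.

```powershell
# Added example: back up a tree, restore it elsewhere, and verify the restore by hash.
# The three paths below are placeholders chosen for this example.
param(
    [string]$Source  = 'C:\CriticalData',
    [string]$Backup  = 'D:\Backups\CriticalData',   # media you can take offline afterwards
    [string]$Scratch = "$env:TEMP\restore-test"
)

function Get-TreeManifest {
    # Returns a hashtable of relative path -> SHA-256 for every file under $Root.
    param([string]$Root)
    $manifest = @{}
    $prefixLen = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($prefixLen)
        $manifest[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

# 1. Take the backup. /MIR mirrors the tree; /R and /W limit retries on locked files;
#    the /N* switches just quieten the log. Robocopy exit codes below 8 mean success.
robocopy $Source $Backup /MIR /R:2 /W:5 /NFL /NDL /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "Backup failed: robocopy exit code $LASTEXITCODE" }

# 2. Restore the backup to a harmless location, the same way you would after an incident.
if (Test-Path $Scratch) { Remove-Item $Scratch -Recurse -Force }
robocopy $Backup $Scratch /E /R:2 /W:5 /NFL /NDL /NJH /NJS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "Restore failed: robocopy exit code $LASTEXITCODE" }

# 3. Compare the live tree with the restored tree file by file.
$live     = Get-TreeManifest -Root $Source
$restored = Get-TreeManifest -Root $Scratch
$problems = @()
foreach ($rel in $live.Keys) {
    if (-not $restored.ContainsKey($rel))    { $problems += "missing after restore: $rel" }
    elseif ($restored[$rel] -ne $live[$rel]) { $problems += "content differs after restore: $rel" }
}

if ($problems.Count -eq 0) {
    Write-Host "Restore test passed: $($live.Count) files verified."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Restore test failed with $($problems.Count) problem(s)."
}
```

Schedule the verification as part of the backup job rather than as a separate chore, and keep the last good manifest: after an attack, the manifest tells you which restored files are the ones you had before the encryption started. Files that change between the backup and the comparison will show as differences, so run it during a quiet window.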
4. Review & Monitor your cyber environment to detect threats and intrusions.
To prevent malware and ransomware attacks, it’s important to ensure that your malware prevention tools, including antivirus and firewalls, are configured properly and are up to date with the latest threat indicators. As a security measure against Petya ransomware, you might consider blocking ports 445 (SMB) and 139 (file and printer sharing) from any user or entity outside of your organization.
However, threat prevention is only one side of the coin. You should also monitor your environment continuously to look for intrusions and threats. There are several vendors who supply such monitoring software. A list can be found at the PCI Security Standards Council: https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors?mode=list&page=2
Please, please remember to also monitor your environment for the vulnerabilities that arise when new IoT devices are installed or an employee gets a new intelligent device and can’t wait to use it at work. These are prime places for predators to make their intrusions. Watching for them is part of having a supportive cyber security culture in place in your organization. Don’t know what that means? A good first step is to use our cyber exposure awareness toolkit, available at https://globalriskacademy.com/p/cyber-toolkit.
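The port-blocking advice in step 4 belongs on the perimeter firewall first, but it is worth enforcing on the hosts too, since a laptop that leaves the building takes its SMB listener with it. As an added example (not from the original post), this PowerShell script creates Windows Defender Firewall rules that block inbound TCP 445 and 139 from the firewall's predefined "Internet" address set, makes sure the firewall is actually on for every profile, and then prints the resulting rules so you can confirm them. The rule names are this example's own; if your organization spans several subnets, replace the `Internet` keyword with your explicit internal ranges on `-RemoteAddress`.

```powershell
# Added example: host-level block of inbound SMB (445) and NetBIOS session (139)
# from outside the local network, with verification. Rule names are this example's own.
# Run elevated.
$ports = @(445, 139)

# Make sure the firewall is enforced on every profile; a block rule on a disabled
# profile protects nothing.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

foreach ($port in $ports) {
    $name = "Block inbound TCP $port from Internet (ransomware mitigation)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # Explicit block rules take precedence over allow rules in Windows Firewall,
        # so blocking the 'Internet' address set is enough even where File and
        # Printer Sharing is allowed for the local subnet.
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# Verification: show each rule with its port and remote-address scope, and whether
# anything on this host is still listening on those ports.
foreach ($port in $ports) {
    $rule = Get-NetFirewallRule -DisplayName "Block inbound TCP $port from Internet (ransomware mitigation)"
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Action        = $rule.Action
        LocalPort     = $portFilter.LocalPort
        RemoteAddress = $addrFilter.RemoteAddress
        Listening     = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
    }
}
```

Keep the `Listening` column in mind when you read the output: a rule that blocks traffic to a port nothing is listening on is harmless, but a host that is still listening on 445 with the rule disabled is exactly the exposure Petya looks for.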
5. If an intrusion is detected in your environment, take swift action to isolate the infection.
During an attack, early detection and response are imperative to stop the attack from spreading across your cyber eco-system. By isolating infected machines quickly, you stand a better chance of preventing a full system shutdown. The steps to mitigate a compromised system on your network are similar for most malicious software and ransomware threats.
- Isolate the system from your network, to prevent spread of the infection to other systems.
- Run forensics and anti-malware software on the infected device, after confirming that the anti-malware software has its latest updates. Depending on the severity of the compromise, this may require you to attach the drives of the infected system to another machine as external disks, but this should be a last resort.
- Run additional forensics on your entire cyber eco-system to better understand the scope of the compromise. You can also search events gathered from across your network and any cloud environments and SaaS services (e.g. Office 365) using a log management tool like USM Anywhere.
- Report the ransomware incident to the relevant authority. For example, US organizations should report any incident to the Internet Crime Complaint Center (IC3): https://www.ic3.gov/default.aspx
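The first two steps above are usually done under time pressure by whoever is nearest the machine, so it helps to have them scripted in advance. As an added example (not from the original post, and not part of any vendor's product), this PowerShell script performs the "isolate" step for a single Windows host in the order a responder wants: capture the volatile evidence that disappears the moment the network is cut (processes, connections, SMB sessions), then disable the network adapters, then collect the slower persistence and recent-file evidence for the forensics in step 2. The evidence directory and the `-Isolate` switch are this example's own choices; run it elevated on the suspect host.

```powershell
# Added example: first-response capture and isolation of a suspected ransomware host.
# Evidence directory and the -Isolate switch are this example's own choices. Run elevated.
param(
    [switch]$Isolate,                                    # actually cut the network
    [string]$EvidenceDir = "$env:SystemDrive\IR-$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Fast volatile capture first: this state is gone once the host is isolated or rebooted.
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, UserName, Path, StartTime |
    Export-Csv -NoTypeInformation "$EvidenceDir\processes.csv"

Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -NoTypeInformation "$EvidenceDir\connections.csv"

Get-SmbSession -ErrorAction SilentlyContinue |
    Export-Csv -NoTypeInformation "$EvidenceDir\smb-sessions.csv"

# 2. Cut the network. Disabling adapters (rather than powering off) stops the spread
#    while keeping memory and the console available to the responder.
if ($Isolate) {
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
    Write-Host 'Network adapters disabled; host is isolated.'
}

# 3. Persistence hints: enabled scheduled tasks and the Run keys.
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
    Select-Object TaskName, TaskPath, Author |
    Export-Csv -NoTypeInformation "$EvidenceDir\tasks.csv"

'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
    Out-File "$EvidenceDir\run-keys.txt"

# 4. Files written under user profiles in the last six hours (ransom notes, renamed
#    documents), hashed so the list can be handed to whoever does the forensics.
$since = (Get-Date).AddHours(-6)
Get-ChildItem "$env:SystemDrive\Users" -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -gt $since |
    Select-Object FullName, LastWriteTime, Length,
        @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } } |
    Export-Csv -NoTypeInformation "$EvidenceDir\recent-files.csv"

Write-Host "Evidence collected in $EvidenceDir"
```

Copy the evidence directory to removable media before any rebuild, and hand the `connections.csv` and `smb-sessions.csv` files to whoever runs the wider forensics (step 3 above): the remote addresses in them are the shortest route to the other hosts the infection has touched.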
I hope this helps you and helps you avoid becoming prey to the cyber predators that inhabit cyberspace.