Blog

I created these steps, collected from various sources and personal experience, to provide you with guidance on what you should be doing to prevent, detect and respond to ransomware and other malicious software attacks. Hope you find it useful. If you would like more information I suggest you take our course on managing cyber exposures at the Global Risk Academy http://globalriskacademy.com/p/the-definitive-guide-to-cyber-exposure-management

These five steps are a good beginning.

1. Scan your environment for cyber exposures

Don’t wait for an infection to be detected in your network. Before an intrusion occurs, you should to know whether you have cyber exposures that provide easy access to the predators. These vulnerabilities go beyond your critical infrastructure which you should scan to find and correct known vulnerabilities in the your operating system(s) or applications that could make them susceptible to a ransomware attack, and take steps to remediate those vulnerabilities.

For the technical exposure you should, at the very least, run a vulnerability scan of your assets to identify the CVE-2017-0144 Windows vulnerability. If vulnerabilities are found in your environment, take swift action to patch your systems, and then re-scan yourenvironment..

But remember our advice and determine your non=technical cyber exposures as well. Don’t know what they are? Then take our courses on managing cyber exposures at the Global Risk Academy mentioned above.

2. Know what services and applications are running in your cyber eco-system.

The latest strain of Petya ransomware leverages flaws in Microsoft’s SMB v1 service, a service that may not be required or essential to organizations. For good cyber exposure security, you should maintain an up-to-date inventory that identifies all the services and applications and the equipment in your cyber eco-system, along with the responsible party. In doing so, you can do two things:

1. Verify that the items in the inventory have all defaults changed and all updates applied.
2. identify and disable any non-essential services (like SMB v1) that may expose you to an attack.

Remember the predators are constantly checking for vulnerabilities so you need to constantly check all possible entry and weak points.

3. Ensure that your critical systems and data are backed up and ready for restore.

If you don’t currently take regular backups, consider the latest Petya ransomware attack a warning shot. Every organization should have a reliable backup process that includes air-gapped or offline backups that are tested on a regular basis to make sure you can speedily restore your operation. If you do not do these simple tasks you may find yourself shopping for bitcoins, which in itself is no guarantee that you’ll be able to decrypt the files on a compromised system.

Back ups that are current and tested are not a luxury but a necessity in the age of ransomware.

4.  Review & Monitor your cyber environment to detect threats and intrusions.

To prevent malware and ransomware attacks, it’s important to ensure that your malware prevention tools, including antivirus and firewalls, are configured properly and are up to date with the latest threat indicators. As a security measure against Petya ransomware, you might consider blocking ports 445 (SMB) and 139 (file and printer sharing) from any user or entity outside of your organization.

However, threat prevention is only one side of the coin. You should also monitor your environment continuously to look for intrusions and threats. There are several vendors who supply such monitoring software. A list can be found at the PCI Security Standards Council https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors?mode=list&page=2

Please, please remember to also monitor your environment for those vulnerabilities that arise when new IoT devices are installed or an employee gets a new intelligent device and can’t wait to use it at work. These are prime place for predators to make their intrusions.

5. If an intrusion is detected in your environment, take swift action to isolate the infection.

During an attack, early detection and response are imperative to stopping the attack from spreading across your cyber eco-system. By isolating infected machines quickly, you stand a better chance at preventing a full system shutdown. The steps to mitigate any compromised system on your network are similar for most malicious software and ransomware threats.

• Isolate the system from your network, to prevent spread of the infection to other systems.
• Run forensics and anti-malware software on the infected device confirming that the anti-malware is running with its latest update. Depending on the severity of the compromise, this may require you attach the drives of the infected system as external disks, but this should be a last resort.
• Run additional forensics on your entire cyber eco-system to better understand the scope of the compromise. You can also search events gathered from across your network and any cloud environments and SaaS services (e.g. Office 365) using a log management tool like USM Anywhere.
• Report the ransomware incident to the respective authority. For example, US organizations should report any incident to the Internet Crime Compliance Center (IC3).

___________________________________________________________________

Here are your options again for studying cyber security and exposures in Global Risk Academy:

Option 1. Understanding Cyber Exposures - For Beginners

Option 2. Advanced Cyber Exposure Management

– Part 1 - Identifying Cyber Exposures 
– Part 2 – Cyber Exposure Program Management

Option 3. A Bundle of all 3 courses - 35% off the original price

(most cost effective option)

Attention: for readers of this blog only: Use coupon code BLOG10 during the checkout to get 10% off the price of the courses.