WannaCry, the ransomware that recently swept the world and brought down computer systems in more than 100 countries, can be viewed as many things: an attempt to extort money from individuals and businesses whose data was held hostage; an atrocity that put human life at risk where medical systems and medical devices were compromised; and a focal point in discussions on responsible disclosure, to name just a few.
But boiled down, WannaCry should be universally viewed as one thing: a wake-up call.
Estimates suggest that ransomware earned cybercriminals approximately $1 billion in 2016. Clearly, cybercrime is here to stay. Attacks like WannaCry will only increase in frequency and severity unless companies and individuals proactively work toward improving the security of the information systems they maintain.
The reality is that the events of Friday, May 12, were entirely preventable and should not have unfolded with such ease. WannaCry showed that many companies the world over were not taking even basic security precautions: a patch for the vulnerability it exploited had been released two months earlier. Even for corporations that require rigorous testing of patches, two months should be more than enough time to test, approve and deploy it. Neglecting the most basic precautions is a lesson organizations seem to fail to learn again and again. The Mirai botnet, for example, recently demonstrated a similar disregard for security: it amassed enough nodes to launch some of the largest distributed-denial-of-service attacks in history using a list of just 62 default usernames and passwords. It is a lesson that should also have been learned almost a decade ago from the Conficker worm, which infected millions of computers in more than 190 countries.
Organizations need to recognize that cyber risks are a tangible business risk and that information security cannot be done effectively in a purely reactive way. Security has to be approached holistically and proactively so that the organization can prevent, mitigate and respond to incidents, because attempts to compromise your organization and its information systems are an eventuality, not a possibility. The key to withstanding malware attacks like WannaCry is a defense-in-depth approach to hardening the organization.
Let's consider a typical malware outbreak scenario: a spearphishing email goes to a handful of employees at an organization, and one of them clicks a link in the email. The link leads to a web page hosting a drive-by exploit, which compromises that employee's computer. From there, the compromised computer serves as a staging ground for attacking other systems within the organization, and soon systems throughout the organization are under the attackers' control. Walking through the kill chain of a scenario like this, it quickly becomes apparent that there were many points at which the attack could have been stopped.
Did the organization use spam filters, check Sender Policy Framework records, or verify DomainKeys Identified Mail signatures to help keep the phishing email from getting through? Was any awareness training done that might have stopped the employee from clicking the link? Was a web filtering appliance (proxy server) in place to block traffic to an unknown site, or an intrusion prevention system present to detect and block the exploit attempt? Was the employee's PC fully patched and running antivirus, software restriction policies or other endpoint controls? Was there an internal intrusion detection system, network segmentation or other controls in place to detect and prevent the spread of the malware from the compromised PC to other systems? Does the organization have proper incident-handling and backup procedures in place to recover the compromised systems?
These are all questions that organizations should be asking themselves, and hopefully answering "yes" to more than a few. Security only approaches any real efficacy when it is layered.
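To make the first of those layers concrete, here is an added example (not code from the original post) of what a Sender Policy Framework check actually does on the receiving side: it looks up the sender domain's SPF record and decides whether the connecting IP is authorized to send for that domain. The DNS records and IP addresses below are constructed for illustration and stand in for live lookups; only the ip4, ip6, include and all mechanisms are modelled, which covers the records most organizations publish.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example data, not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "neutral.example": "v=spf1 ?all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referencing include
    "nospf.example": None,  # domain publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ...) at 10


def check_spf(domain: str, sender_ip: str, lookups=None) -> str:
    """Return the SPF result for sender_ip sending as domain:
    pass, fail, softfail, neutral, none or permerror."""
    if lookups is None:
        lookups = [0]  # shared counter so nested includes count toward the cap
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to "+" (pass) when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip in net:  # False when address families differ
                return QUALIFIERS[qualifier]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups, or an include loop
            inner = check_spf(arg, sender_ip, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside the include is simply "no match"
        else:
            # a, mx, ptr and exists need further DNS queries; not modelled here
            return "permerror"
    return "neutral"  # ran off the end of the record without matching


def spf_disposition(result: str) -> str:
    """Map an SPF result to a receiving-side action (an assumed policy)."""
    if result == "fail":
        return "reject"
    if result in ("softfail", "permerror"):
        return "quarantine"
    return "accept"  # pass, neutral, none: leave it to the other layers


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.77"), ("example.com", "203.0.113.9")]:
        result = check_spf(domain, ip)
        print(f"{domain} from {ip}: {result} -> {spf_disposition(result)}")
```

The caveat a practitioner should keep in mind: SPF only says whether the connecting host may send on behalf of the domain in the envelope. A phisher sending from their own lookalike domain with a valid SPF record gets a "pass", which is why this layer is paired with DKIM and user awareness training rather than relied on alone.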
To help organizations develop a layered approach to combating ransomware and other malware, they are encouraged to consult the Anti-Ransomware Guide put forth by the Open Web Application Security Project. The current version of the guide consists of 45 controls designed to help organizations with preventing ransomware attacks, mitigating attacks in progress and recovering successfully from them. Moreover, the guide encourages organizations not just to implement the suggested controls but to run mock malware incidents to test the efficacy of the controls in place, as well as how effectively employees respond to an incident.
Malware and cybercrime are realities that are here to stay: Wake up and prepare.