What can we learn as a community from what Microsoft call the WannaCrypt ransomware worm with 200,000 victims in at least 150 countries according to the latest reports? Also known as WannaCry, WCry, Wana Decrypt0r and WanaCrypt0r, it has been headline news for the last three days.
In the UK alone, WannaCrypt is causing havoc in hospitals, reportedly spreading to a fifth of all national health organisations, delaying appointments and vital operations putting patient care at risk. There are many other high profile examples of companies with WannaCrypt infections around the world.
While I don't have direct experience with WannaCrypt, I have previously been involved in dealing with ransomware incidents. I have been following developments closely and wanted to contribute some thoughts with how this sort of outbreak can be minimised. Firstly, more specifically, here are Microsoft's posts about WannaCrypt:
Even if you haven't been hit with WannaCrypt, it's a great time to shore up your defences against cyber-attack.
Policy and Procedures
I am a firm believer in that security isn't a product or a feature you just buy off the shelf as such, it needs a solid foundation and that comes from your policies and procedures.
Here are the sorts of questions I'd be asking when looking at a company's competency with dealing with these types of threats:
- What is your cyber-attack policy? How is patch management handled at a business policy level? Is there top-level management buy-in?
- Does it map out the process from the infection entry point to clean up in the case of an outbreak?
- Who is ultimately responsible for security in an organisation (where does the buck stop?) and do they have the resources needed to properly defend against cyber-attack
- If end-users phone the service desk saying they can't access their files anymore and they are getting a message on their screen, is this a well prepared scripted response that minimises further infection?
- Are there contingencies in-place and are they in good shape? Are backups not only taken but regularly tested?
- Are staff and end-users well versed in cyber-skills and being able to recognise phishing and other telltale signs of potential malicious intrusion
- Do you adopt an assume breach stance where you expect to be hacked and don't wait for it to happen and react but build your systems knowing you will be hacked
IT systems
A few additional points that if not done help threats like WannaCrypt flourish:
- Retire out-of-date kit, any system not supported by the vendor or where there is elevated risk e.g. Windows Server 2003 and Windows XP being obvious examples
- If they have to be kept, isolate them and add defence in depth measures to mitigate with firm upgrade plans in place, don't let vendors (ISV's etc) stop you from updating!
- Have robust patch management system, make it a core competency, well-versed and map out fringe cases, rogue laptops, mobile devices, kiosks, POS terminals, digital signage machines anything really that is connected to the network and could pose a risk, as well as RDS servers and the like
- Disable legacy protocols and adopt best practices throughout
"This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support." (Microsoft's Brad Smith, President and Chief Legal Officer)
How well prepared is your organisation for the next WannaCrypt?
