Securezoo Articles
By Frank Crast, 6/30/2017

On Friday, May 12, the now infamous WannaCry ransomware burst onto the worldwide scene, infecting over 200,000 systems in 150 countries in just 3 days. Operations at NHS hospitals in the UK ground to a halt. Petya malware followed suit this week, targeting and ransacking systems in Ukraine, Russia and Europe before spreading to other countries.


Many of the infections suffered by the unlucky victims of these attacks could have been prevented.

Attacks such as these seem so sophisticated and impossible to stop. The headlines report how WannaCry and Petya were built from leaked hacker tools and exploit code, such as EternalBlue, stolen from the arsenal of the National Security Agency (NSA). Hackers then launch ominous attacks on unsuspecting victims, using the ransomware to encrypt files and turn systems into paperweights until the victims agree to pay a ransom.

Rinse and repeat.

It is no surprise that history continues to repeat itself in the world of cyber security. Most of these exploits could easily have been prevented if organizations of all sizes placed higher urgency and priority on basic security hygiene and on keeping their technology up to date.

What lessons have we learned?

A number of the highest priority safeguards are emphasized here. 

Update and patch your systems religiously

The critical Microsoft patch (MS17-010) was issued on March 14, 2017, to fix a known bug in the SMB file-sharing protocol, nearly two months before the WannaCry outbreak. This past week, pro-ISIS hackers defaced a number of government websites by exploiting a DNN content management system vulnerability that was patched over a year ago.

By spending just a few minutes a day checking vendor websites for software updates (or reading your email, if you’ve signed up for alerts), you can easily spot new threats and needed fixes in a timely manner. Use this activity as a reminder to patch your systems as soon as updates are available.
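As an added example (not part of the Securezoo article), the PowerShell script below audits a single Windows host for the two conditions WannaCry relied on: the MS17-010 fix not being installed, and the SMBv1 protocol still being enabled. The KB list is a placeholder you fill in from the MS17-010 bulletin for your OS build; the SMB check uses the stock SMB cmdlets where they exist and falls back to the LanmanServer registry parameter on Windows 7 / Server 2008 R2, which have no SMB cmdlets.

```powershell
# Added example, not code from the article. Run from an elevated PowerShell prompt.
# Placeholder: list the MS17-010 KB article(s) that apply to this OS build.
$Ms17010Kbs = @('KB<placeholder-from-MS17-010-bulletin>')

function Get-Ms17010Status {
    param([string[]] $KbIds = $Ms17010Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($KbIds | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Check  = 'MS17-010 hotfix present'
        Passed = ($found.Count -gt 0)
        Detail = if ($found.Count -gt 0) { "installed: $($found -join ', ')" }
                 else { 'none of the listed KBs found; later cumulative updates may supersede them, so confirm in Windows Update history' }
    }
}

function Get-Smb1Status {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        $how = 'Get-SmbServerConfiguration'
    } else {
        # Windows 7 / Server 2008 R2: read the LanmanServer parameter instead.
        # If the SMB1 value is absent, SMBv1 is enabled by default.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $val) -or ($val -ne 0)
        $how = "registry value $key\SMB1"
    }
    [pscustomobject]@{
        Check  = 'SMBv1 server protocol disabled'
        Passed = (-not $enabled)
        Detail = "SMBv1 enabled = $enabled (via $how)"
    }
}

function Invoke-WannaCryHygieneAudit {
    $results = @((Get-Ms17010Status), (Get-Smb1Status))
    $results | Format-Table Check, Passed, Detail -AutoSize
    if ($results.Passed -contains $false) {
        Write-Warning 'Host is exposed: install MS17-010 and disable SMBv1, e.g. Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    }
    return $results
}

Invoke-WannaCryHygieneAudit
```

The two checks are deliberately separate: a host can be fully patched and still expose SMBv1, and the protocol should be turned off regardless of patch state unless a legacy device genuinely needs it.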

We have made it even easier with our Securezoo Cybersecurity Threat Center, a free resource for small businesses or for professionals who don’t have the time to keep up with vendor updates and the new daily vulnerabilities, threats and data breaches (which can also provide lessons learned to prevent a similar fate in the future). Feel free to bookmark it and just spend a minute or two reviewing it as part of your daily routine.

Retire legacy OS and systems

Still running Windows XP, Server 2003, or other legacy operating systems (OS)? It goes without saying you should have retired these older platforms a long time ago as Microsoft dropped support for them and no longer provides patches. Legacy unpatched systems are easy targets for hackers. With that said, Microsoft did buck the trend recently, given WannaCry got so bad, by providing a “one time” patch to fix XP systems. However, don’t count on Microsoft or other vendors to be so generous in the future.

Did you know that Windows 7 PCs were a much larger vector of attack for spreading WannaCry? Although legacy OS continue to be targeted, there are far more Win7 systems in use, and therefore far more targets. If you are still running Win7 in your business, why not upgrade to Windows 10 and take advantage of automatic updates, so that patches are applied by your system as soon as they come out?

If you can afford it, move off of older, unsupported workstation or server hardware as well. This will help improve your systems’ availability and also make it easier to support future OS upgrades that keep your systems current.

Train your staff on the cyber dangers

You should have conversations with your staff on the dangers to your business from such cyber attacks, like WannaCry and Petya. The more real world examples you can share, the more relevant you can make it to your business on how to prepare for and prevent the next attack. For example, if you’re in the healthcare business, make note of recent NHS hospital ransomware attacks. If you work in the education sector, review similar stories such as the major UK university ransomware attack. Likewise, if you're in the energy business, take note of recent Industroyer attacks.

Remind your employees not to click on links or open attachments from untrusted sources from outside the company. Such “phishing” messages could contain malware or bogus links used to trick your users into visiting fake websites designed to steal your credentials or download malware to your systems.

Be aware that it’s not just malware that cyber criminals are after either. For example, if you’re in the business of transferring money to other institutions (such as banks and real estate entities), be wary of business email compromise (BEC) attacks. If you receive a request via email to wire funds from your attorney or other trusted person, pick up the phone and talk to the requestor. 

Also, understand malicious hackers love to use social engineering tricks in the tone of their emails, such as using a sense of urgency, excitement or fear to trick your employees into opening up attachments in email.

Don’t fall for the scams.

Least privilege

Make sure your employees are not logged into their systems with administrator accounts with full system privileges. Each user should have a standard login account with minimal privileges, such as that required to do their jobs (e.g., reading email, running company and Office applications, etc.) and no more. This is also referred to as “least privilege.”

If you need new applications installed or system configuration changes made, have your IT admin(s) or trusted staff log in and make the changes. Use admin accounts only when they are needed.

To reduce dependency on admin accounts, you may either update your systems automatically (such as how Windows 10 update works) or deploy patches via a centralized patch management system. If you can’t afford management systems, ensure your trusted admin or manager performs the updates when patches are needed on a regular basis. Don’t forget about third party app patches as well, such as Java, Adobe and the like!

Remember that malware like WannaCry or Petya is often designed to exploit local or remote vulnerabilities using the same privileges as the logged-in user. By implementing a “least privilege” model, you reduce the attack surface and make it harder for hackers to compromise your systems.
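The least-privilege advice above is easy to state and easy to drift away from: accounts get added to the local Administrators group to install something and are never removed. The PowerShell below is an added example (not from the article) that reports whether the current session is running with administrator rights, lists every member of the local Administrators group that is not on an approved list, and previews demoting them to standard users. The approved-admin names are placeholders; the cmdlets (`Get-LocalGroupMember`, `Remove-LocalGroupMember`) ship with Windows 10 and Server 2016 or later.

```powershell
# Added example, not code from the article. Run from an elevated prompt on
# Windows 10 / Server 2016+. $ApprovedAdmins is a placeholder for your IT staff.
$ApprovedAdmins = @('Administrator', 'itadmin-placeholder')

function Test-RunningAsAdmin {
    # True when the current token holds the Administrators role (i.e. this
    # session itself violates least privilege if it is a day-to-day account).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UnapprovedLocalAdmins {
    param([string[]] $Approved = $ApprovedAdmins)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $shortName = ($_.Name -split '\\')[-1]    # strip COMPUTER\ or DOMAIN\ prefix
        [pscustomobject]@{
            Name        = $_.Name
            ObjectClass = $_.ObjectClass           # User or Group
            Source      = $_.PrincipalSource       # Local, ActiveDirectory, MicrosoftAccount
            Approved    = ($Approved -contains $shortName)
        }
    } | Where-Object { -not $_.Approved }
}

function Remove-FromLocalAdmins {
    param([Parameter(Mandatory)][string] $Member, [switch] $WhatIf)
    # Demote rather than delete: the person keeps a standard account and can still work.
    Remove-LocalGroupMember -Group 'Administrators' -Member $Member -WhatIf:$WhatIf
}

"Current session elevated: $(Test-RunningAsAdmin)  (user: $env:USERNAME)"

$drift = @(Get-UnapprovedLocalAdmins)
if ($drift.Count -gt 0) {
    $drift | Format-Table Name, ObjectClass, Source -AutoSize
    # Preview only; drop -WhatIf once the list has been reviewed by whoever owns the machine.
    $drift | ForEach-Object { Remove-FromLocalAdmins -Member $_.Name -WhatIf }
} else {
    'No unapproved members in the local Administrators group.'
}
```

Group members (for example a domain group nested in local Administrators) show up with `ObjectClass` of Group; review those separately rather than removing them blindly, since they may be how your IT staff get their legitimate admin access.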

Backup your data and have a recovery plan

Ransomware is most effective when it strikes victims with no data backups. If files critical to your business are encrypted and you can’t access them, you may end up between a rock and a hard place: do you pay the ransom, or potentially suffer irreversible harm such as going out of business?

For local systems, make sure you have a scheduled routine to back up your data to external tape, a USB drive or other offline storage in the event of a disaster such as ransomware, fire or a natural disaster.

Have multiple backups too. If you use tape or other removable media to back up data in your office, periodically take backups offsite to a secure location as well. After a fire or theft, local backup stores won’t help you recover.

Cloud backup solutions are also a good option for small businesses, but don’t rely solely on cloud backups in the event of a disaster. Call me paranoid when it comes to security, but I would still recommend you keep offline backups in case your cloud account gets compromised and/or data gets wiped, by accident or by hackers. Yes, employees make mistakes too.
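The backup routine described above (scheduled copies to removable storage, several generations kept, media taken offsite) is worth more when each copy is verified before the drive leaves the building. The PowerShell below is an added example (not from the article) that copies a data folder to a removable drive with `robocopy`, writes a SHA-256 manifest computed from the source files, verifies the copy against that manifest, and prunes old generations. The source and target paths are placeholders.

```powershell
# Added example, not code from the article. $Source and $Target are placeholders;
# $Target should be a removable or otherwise offline drive.
$Source = 'C:\CompanyData'    # placeholder
$Target = 'E:\Backups'        # placeholder: USB / removable drive
$Keep   = 5                   # generations to retain on the drive

function New-VerifiedBackup {
    param([string] $From = $Source, [string] $To = $Target, [int] $Retain = $Keep)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $To "backup-$stamp"

    # /E copies subfolders including empty ones; /R:2 /W:5 keeps locked files from
    # stalling the run; /NFL /NDL /NP suppress per-file noise. Exit codes >= 8 mean failures.
    robocopy $From $dest /E /R:2 /W:5 /NFL /NDL /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

    # Manifest is hashed from the SOURCE, so verification proves the copy is faithful.
    $manifest = Join-Path $dest 'MANIFEST.sha256'
    Get-ChildItem -Path $From -File -Recurse | ForEach-Object {
        $rel = $_.FullName.Substring($From.Length).TrimStart('\')
        "$((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash)  $rel"
    } | Set-Content -Path $manifest -Encoding ASCII

    # Retention: keep the newest $Retain generations (names sort by timestamp).
    Get-ChildItem -Path $To -Directory -Filter 'backup-*' |
        Sort-Object Name -Descending | Select-Object -Skip $Retain |
        Remove-Item -Recurse -Force

    return $dest
}

function Test-BackupIntegrity {
    param([Parameter(Mandatory)][string] $BackupDir)
    $manifest = Join-Path $BackupDir 'MANIFEST.sha256'
    $bad = 0
    foreach ($line in Get-Content -Path $manifest) {
        $hash, $rel = $line -split '  ', 2
        $file = Join-Path $BackupDir $rel
        if (-not (Test-Path -Path $file) -or
            (Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $hash) {
            Write-Warning "Missing or altered in backup: $rel"
            $bad++
        }
    }
    return ($bad -eq 0)
}

$latest = New-VerifiedBackup
if (Test-BackupIntegrity -BackupDir $latest) {
    "Backup $latest verified; safe to eject and take offsite."
} else {
    Write-Warning "Backup $latest failed verification; do not rely on it."
}
```

Keeping the manifest with the copy also lets you re-run `Test-BackupIntegrity` on an old drive before a restore, which catches media that degraded or was altered after it was taken offsite. Schedule the script with Task Scheduler, and physically disconnect the drive afterwards; a backup drive that stays mounted is just another volume for ransomware to encrypt.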

To mitigate unauthorized access threats to your cloud resources, you should protect your cloud accounts with two-factor authentication (2FA) at all times. See a good example of a cloud-based company that got hacked, lost all of its customers’ data and unfortunately went out of business.

You can also document good procedures and a step-by-step process your employees can follow to recover services and data in the event of a natural or man-made disaster such as the next ransomware attack. See good tips on both a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). At the very least, have a DRP for your most critical applications to limit the downtime of your business operations and recover quickly.

Finally, other more advanced controls to help mitigate ransomware attacks include user web proxies (with web content filtering and the ability to block access to higher-risk websites), application “whitelisting” (such as BeyondTrust’s PowerBroker Application Control or Microsoft’s Device Guard and AppLocker) and network firewalls, to name just a few.

In conclusion, it is amazing, but not surprising, that cyber history continues to repeat itself. Different and fancy malware names, exploit tools and cyber gangs, but the same old tricks that go after older and unpatched systems that are easy pickings.

Remember, be safe and secure as always! It’s a ZOO out there!


Topic: Malicious Software Controls, Patch Management, Vulnerability Management