May 17, 2017
Back to Basics with WannaCry (and Other Threats)
This incident offers an opportunity to revisit and reinforce effective security strategies.
The WannaCry ransomware attack surprised and impacted users across the globe last Friday (May 12). This ransomware worm has already infected more than 300,000 systems in 150 countries. The shockwave delivered by WannaCry highlights the seriousness of this threat as one of the fastest and most widespread extortion campaigns on record.
If you are worried that your organization is susceptible to WannaCry, there are immediate steps you can take to shore up your defenses, which can be found in my colleague Mark Lachniet’s recent blog post. In the midst of this epidemic, it is important to stress core security fundamentals and remind organizational and institutional leadership that an effective information security program requires vigilance, commitment and a strategy that fits into each unique culture.
WannaCry’s Teachable Moment
While many formal security frameworks and runbooks exist to help guide and support an organization's security maturity, the reality is that weaknesses within an information technology infrastructure will always exist. These soft spots may lead to other systemic security events and potentially more serious breaches. Business and IT leadership must diligently work together to address and improve the underlying business processes that drive organizational outcomes so that risk is managed accordingly.
Despite the anxiety and turmoil set off by the WannaCry attack, there is also an extraordinary opportunity to learn in the aftermath of such pandemonium. A security practitioner's mantra, which consistently holds true, is that there is no magic wand or single silver bullet that fixes every security problem. The following eight recommendations are therefore general and fundamental by nature: they will have value in future security incidents, but they are also the components of a security strategy that matter most for this specific type of threat.
1. Incident Communication
The sky is falling, now what? The sooner you inform your users and clearly and concisely explain that a serious threat is spreading, the less likely you are to have a pervasive issue. Pre-drafting the notification and rehearsing the process ahead of time will allow a much more rapid response during a time of crisis.
2. Incident Response
The faster you move, the lower the impact. What is your organization’s process to decide whether an infected system needs to be cleaned, reimaged or legally and forensically preserved for litigation purposes? If you’re dealing with a human intruder or a nasty strain of rootkit, who can you call to forensically analyze and fully contain the outbreak?
Do you have contracts established and ready to execute, or will precious minutes, hours and days be exhausted while legal counsel negotiates with providers quoting premium emergency response rates?
3. Phishing and Email Ingress Management
“My user clicked on something evil, help!”
One of the best methods to address this concern is to arm your users with ongoing phishing education. Teach them to be suspicious. Teach them to verify attachments before opening them. Phish them yourself and immunize them against the malicious actors.
Additionally, not all email security is created equal. Inevitably, some attacks will reach your users (hence the importance of phishing education). However, everybody has a plan until they get punched. Simply put, some email security gateway providers were effective in detecting WannaCry, and some were not.
4. Malware Execution
Not all endpoint security is created equal. The next-generation endpoint security providers and solutions on the market were mostly effective at preventing the execution of WannaCry and its variants. In some cases, this meant a job well done in properly upgrading and configuring a current version of an existing endpoint security agent or sensor. In other instances, layering an additional agent or solution to augment current endpoint controls proved effective.
5. Network Prevention, Isolation and Architecture
Most network intrusion prevention systems and advanced malware protection systems were effective at identifying and stopping the worm-style spread of this attack. The challenge, of course, is that in many instances the spread moved laterally from system to system, behind the firewall, and never crossed a network enforcement point.
A network-borne worm cannot jump from host to host if those hosts are unable to reach one another on the port it exploits.
In many cases, network segmentation can quickly spiral into an overcomplicated conversation topic. It is critical to avoid getting hung up on inside-the-data-center microsegmentation. The simple truth is that the most effective control for limiting and containing the impact of a breach is rigorous client-side segmentation: workstations should not be able to reach each other on the services a worm uses to spread, whether that is enforced on the network or with the host firewall on every client.
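As an added example of client-side segmentation enforced on the host (not code from the original post), the following PowerShell blocks inbound SMB (TCP 445, the service WannaCry spread over) on a Windows workstation from the rest of the client address space and allows it only from an assumed management subnet. The subnet ranges and rule names are assumptions for this example; in practice the same rules would be pushed through Group Policy rather than run by hand on each client.

```powershell
# Added example: host-based client-side segmentation for a Windows workstation.
# Workstations rarely need to accept SMB connections from other workstations, so
# block inbound TCP 445 from the client address space and allow it only from the
# hosts that legitimately need it. Run on a test client first; deploy via GPO.
# Requires Windows 8 / Server 2012 or later (NetSecurity module) and local admin.

# Assumed address ranges for this example (constructed, not from the original post).
$ClientSubnets = @('10.10.0.0/16')    # where workstations live
$MgmtSubnet    = '10.250.0.0/24'      # patch/vulnerability-scan/admin hosts

# 1. Allow SMB only from the management subnet.
New-NetFirewallRule -DisplayName 'SMB-In: allow from management' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain

# 2. Block SMB from the rest of the client address space. Block rules take
#    precedence over allow rules in Windows Firewall, so the management subnet
#    must stay outside the blocked ranges rather than relying on rule order.
New-NetFirewallRule -DisplayName 'SMB-In: block from other clients' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $ClientSubnets -Action Block -Profile Domain

# 3. Verify: list the rules with their effective remote-address scope.
Get-NetFirewallRule -DisplayName 'SMB-In:*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    '{0,-35} {1,-6} {2}' -f $_.DisplayName, $_.Action, ($addr.RemoteAddress -join ',')
}

# 4. Test from another workstation in $ClientSubnets; the connection should fail,
#    while the same test from $MgmtSubnet should succeed:
#    Test-NetConnection -ComputerName <this-workstation> -Port 445
```

The rules are scoped to the Domain profile because that is where the workstation sits when it is reachable by other clients; widen the profile if laptops also see each other on Private networks. A file server that workstations must reach is unaffected, since these rules only govern what a workstation accepts inbound.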
6. Patch Management
Which systems were missing MS17-010, the update Microsoft released in March, two months before the outbreak? How can we quickly and easily push the patch to all affected systems? This is nothing new, but as you scramble in the wake of WannaCry you may have turned up weaknesses in your current approach.
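As an added example of answering the first question above (not code from the original post), the following PowerShell queries a list of Windows hosts over PowerShell remoting and reports whether any of the MS17-010 update packages is installed and whether the SMBv1 server, which MS17-010 patches, is still enabled. The host names are assumptions; the KB numbers are the packages Microsoft published for MS17-010 in March 2017 and should be checked against the bulletin for your platforms.

```powershell
# Added example: report which Windows hosts are missing MS17-010.
# Requires WinRM (PowerShell remoting) enabled on targets and an account with
# local admin rights on them. Caveat: on Windows 10 a later cumulative update
# supersedes the March 2017 package, so Get-HotFix may show a newer KB instead;
# treat "no match" as "needs a closer look", not as proof of vulnerability.

# Assumed target names for this example (constructed, not from the original post).
$Targets = @('WKS-001', 'WKS-002', 'SRV-FILE01')

# MS17-010 package IDs by platform (March 2017 security-only / monthly rollup).
$Ms17010Kbs = @(
    'KB4012598',               # Windows XP, Server 2003, Vista, Server 2008, Windows 8
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606',               # Windows 10 1507
    'KB4013198',               # Windows 10 1511
    'KB4013429'                # Windows 10 1607 / Server 2016
)

$Report = Invoke-Command -ComputerName $Targets -ErrorAction Continue -ScriptBlock {
    param($Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

    # SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 /
    # Server 2012 and later; older platforms report $null here.
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OS           = (Get-CimInstance Win32_OperatingSystem).Caption
        Ms17010Found = ($installed | Where-Object { $Kbs -contains $_ }) -join ','
        SMB1Enabled  = $smb1
    }
} -ArgumentList (,$Ms17010Kbs)   # unary comma passes the array as one argument

$Report | Sort-Object Computer |
    Format-Table Computer, OS, Ms17010Found, SMB1Enabled -AutoSize

# Hosts with no matching KB and SMBv1 not confirmed disabled go to the top of
# the patch queue.
$PatchFirst = $Report |
    Where-Object { -not $_.Ms17010Found -and $_.SMB1Enabled -ne $false } |
    Select-Object -ExpandProperty Computer
$PatchFirst
```

Hosts that do not answer at all (WinRM off, powered down, or not domain-joined) show up as errors rather than rows, and those are exactly the unmanaged systems the next section is about, so keep the error output rather than suppressing it.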
7. Vulnerability Management
For a long time to come, information security professionals will be uncovering new infections, frequently on Windows Embedded systems and other unmanaged systems (think IoT). An effective vulnerability management program is born from rigorous repetition and extreme ownership of the process: identify the systems in scope, scan them and quickly arrive at a determination on how to address the risk.
8. Risk Assessment, Prioritization, Security Strategy
Which of the above security strategy components will benefit your team and overall organization the most, as soon as possible? What other vectors exist, and where do they fall on your priority list? There is no time like the present to begin having real conversations about the value of cybersecurity with the leadership of your organization. Conveying security's overall role and importance, assessing security posture, determining maturity and setting priorities is critical. Finding meaningful, measurable metrics to begin building the communication channel with executive leadership is a delicate balance between art and science. Perfection does not exist, but help and guidance are available.
How CDW Can Help
We have an information security practice that can be engaged to provide security consulting services and guide you on your security communications plan or incident response plan. This team can also perform an overall risk assessment conducted in a way that focuses on limiting and mitigating your business's particular critical impacts. This is an area of specialty for the CDW security practice: we have completed more than 4,000 of these professional engagements, going as far back as 1998.
We also have a team of security architects that can provide expert advice on a range of technologies and tools that can strengthen your security posture, including phishing/user education partners, email security partners, next generation endpoint security partners, patch management options, vulnerability management tools and more. Give us a call, we’re here to help.
Learn more about CDW’s security solutions and services.