Ransomware, Worms and Evolution — What to Do About It, and How We Got to Where We Are
It was back in Ohio that I got my first infection — The Morris Worm. Back then the Internet was a free and open place, and many people shared information about how to fix programs and how to make applications run optimally. I was not worried about security because who was I, and what could they possibly want that I was not willing to share?
Then a graduate student at Cornell University named Robert Tappan Morris wrote a program, or worm, that he launched in November 1988 through the Massachusetts Institute of Technology’s computer network system. He wrote it as an intellectual exercise; the worm was designed to go through the internet so that he could see how big the internet was at the time. It moved through the internet by exploiting vulnerabilities. However, it became a problem due to the mechanism by which it moved through systems. It caused an inordinate number of issues that he did not consider and did not test for before letting it run loose through the internet.
After this infection I became an earnest student of security and remain so still today. Since that time I have contracted my services to many companies and have protected them from all the various infections that have spread across the internet at different times.
Today’s Environment – WannaCrypt and NotPetya
Today, the newest problem is ransomware – WannaCrypt and NotPetya. It has infected some of the largest public organizations, compromising over 240,000 computers in 150 countries. Since the beginning with the Morris worm, it seems that many have failed to learn the importance of keeping their systems up to date with all the latest security patches. It is especially important if you use Windows as your primary operating system.
I can’t think of a single reason that any person or corporation can give today for not patching. Yes, there are problems with patches, and sometimes they cause machines to crash. If you install them all at once on every machine in your organization, it can be a bad day or week if there is a problem. But not patching is more of a problem.
Patching Test-bed is Mandatory
I always recommend that you design a platform for testing all patches for problems before installing them. You can set up a virtual environment loaded with the specific software and applications that you are using. Using this method you can test the patches to make sure that they do not cause any problems with the operating system or the applications that run your business. Once you have tested them, you can deploy them without worry. Although the patches are a day or so late getting installed, they are getting done, and you are less likely to be hit by an enormous known vulnerability.
In the case of WannaCrypt, Microsoft issued a patch in March of 2017 that would have mitigated the worst of the issues that this ransomware relied upon to encrypt files and hold them hostage. That was two months before it became a huge problem. Patching one or two days after the patch came out would have saved so many companies time, frustration and money.
Always Use the Current Best-in-Breed
Another pet peeve of mine is companies who refuse to utilize the best-in-breed software and continue to use out-of-date and unsupported software, applications and operating systems. I know that many companies have invested a lot of money into specific programs that run on an individual platform, and I get it. It is expensive to change, but it is more costly to lose all of your data, intellectual property and even in some cases your entire business and livelihood just because you did not want to upgrade some software. There comes a time when it is no longer just a technical matter and requires upper management to take a robust and hard look at the risk involved in keeping legacy systems in place. Many times they will decide that they can just go along to get along and deal with the risk. That is what Sony decided. Then they got hit, and it is projected to cost them upwards of 300 Million dollars.
Today there are ways to prevent legacy systems from being targeted if you still rely on them for a particular purpose in your business. But how you handle it will depend on what the systems need to do. Some embedded systems just need to contact a particular location, and information does not flow bi-directionally between that location and the machine. Control of these types of devices is easy. Once you have determined the exact needs of the software, there are ways to work around having to replace them by creating rules on routers and creating a permission list that outlines exactly which programs, processes, and operations are allowed. This type of permission list is formally known as an Access Control List (ACL) and is part of Layer 3 security. Programs such as the WannaCry worm would be prohibited by the Access Control List from obtaining access to this legacy software. However, if you have legacy software that requires deep access into your databases and other proprietary information, then you will have to install a Layer 7 firewall that is finely tuned to reject anyone except the correct known calls by programs. To put this type of specialized firewall in place, you will have to contract with a firewall professional who understands the ins and outs of firewalls, their peculiarities and how to tune them.
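To make the router rule idea concrete, here is an added example (not code from the original article) that models a first-match ACL with an implicit deny around one legacy device. The addresses, ports and the `Rule`/`evaluate` names are assumptions made up for illustration; WannaCry spreads over SMB, which is why TCP port 445 appears in the sample traffic.

```python
# Added example (not from the original article): first-match ACL evaluation
# with an implicit deny. All addresses and ports below are constructed.
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR form
    dst: str              # destination network in CIDR form
    dport: Optional[int]  # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))

LEGACY = "10.20.0.5/32"      # hypothetical unpatched embedded device
COLLECTOR = "192.0.2.10/32"  # hypothetical single location it must reach

# Evaluated for new connections only; return traffic for a permitted
# connection is assumed to be handled by the router's state tracking.
ACL = [
    Rule("permit", "tcp", LEGACY, COLLECTOR, 443),
    Rule("deny", "any", "0.0.0.0/0", LEGACY, None),  # explicit, so hits can be logged
]

def evaluate(acl, proto, src, dst, dport):
    """Return (action, index of the matching rule); index None = implicit deny."""
    for index, rule in enumerate(acl):
        if rule.matches(proto, src, dst, dport):
            return rule.action, index
    return "deny", None

if __name__ == "__main__":
    attempts = [
        ("tcp", "10.20.0.5", "192.0.2.10", 443),    # device reports in
        ("tcp", "10.10.1.23", "10.20.0.5", 445),    # SMB from an infected workstation
        ("tcp", "10.20.0.5", "198.51.100.7", 445),  # device reaching anywhere else
        ("tcp", "192.0.2.10", "10.20.0.5", 22),     # new inbound connection
    ]
    for attempt in attempts:
        print(attempt, "->", evaluate(ACL, *attempt))
```

Only the first attempt is permitted; everything aimed at the device hits the explicit deny, and everything else the device tries falls through to the implicit deny.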
Other general application software should be able to be retrofitted and upgraded to a patchable system rather quickly and inexpensively.
Over the years we have had many vulnerabilities, yet people have refused to see the solution.
Ransomware the Final Wake-up Call?
Hopefully, WannaCrypt was the final wake-up call for companies, and they now understand how important it is to install their patches in a timely and efficient manner. However, many will not get the message and will just install the one or two “wanna crypt” patches and not install any of the other software repairs that are currently available and that they have neglected to install previously, leaving them open for exploit by the next unknown unknowns out there.
If you do not set up a policy and have a process in place for patching your systems promptly and upgrading your systems to currently patchable status, you will be completely at the mercy of those who exploit the vulnerability you failed to repair.
It is time that everyone takes their security seriously and begins to think wholesale about how these exploits can affect them, their business, their employees, their life, their retirement, in fact, everything they have ever worked to achieve. There will always be zero-day attacks, those which no one has seen before, and for which the producers of antivirus software have not yet created a protective signature file. You will get hit; it is just a matter of when and how bad it will be for you.
When will it happen? From Where will it come? Who can I blame?
Exploits come in so many varieties that you need to create a series of policies that you can use to help train your entire staff. It is only through employing a comprehensive security profile and training program that you will be able to mitigate your vulnerabilities. Get your policies in place, patch regularly and on schedule, and train your staff and employees on how to avoid being trapped into giving out information that they should not. Although it is important now, it will be even more important come next year.
Training your staff requires that you make them aware of all the issues involved in a language that they can understand. Every employee must be aware of the hazards and risks to the company from incoming e-mail and why opening attachments is a dangerous idea. They need to understand the seriousness and be cognizant that failure to follow the procedures could destroy the company and their job along with it.
It is no longer just about the risk to your business; security is now the most important item on the agenda because it may even involve our national security, which means that now politicians have gotten involved.
New 2018 Regulations Will Make You Liable For Breaches
Coming May 2018, there is a new regulation that takes effect. Known as the General Data Protection Regulation (GDPR), it will make you, as an individual or company, responsible for securing and protecting any data that allows the identity of a person to be established or that contains personally identifiable information. While some believe this applies mainly to the European Union, any company that sells internationally falls under its mighty tentacles. Simply put, this means that you or anyone you employ, contract or outsource to who touches or has access to your data, no matter where they are based, is responsible for any manner of breach of the information. The liabilities and penalties are harsh and broad, so it is time to get serious about your security, especially if you deal with ANY personally identifiable information. Now is the time to secure your data and to thoroughly vet and train in the proper security policies anyone who touches it: contractors, employees, partners or third-party vendors. Otherwise you and your company, as well as they, will feel the brunt of this law.
What to Do
I mentioned Windows because that is where the latest attack has been, but there are thousands upon thousands of attacks against every type of infrastructure that is controlled by or managed by a computer system or network. They will and have attacked all kinds of systems: DNS servers, Apache servers, Web Servers, Operating Systems, Application Servers and Software. Currently, they want to encrypt your files and extract a ransom, but there may come a time when they will just destroy the records for fun, and if you do not have a current backup you will be “toast” as they say.
Backups: are you testing them to make sure they are good? If you are not patching and keeping your systems up to date, then the answer most assuredly is a resounding NO. Are you aware that it is possible for someone to get into your system and disable the backup agents on your desktop or server? Yes, that does happen, and that will render your backups useless. To protect your backup server, you should place it on its own local area network that does not have any direct routing or SMB connectivity. These simple steps can help isolate it from infection and destruction from outside sources.
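One way to test that a backup is good is to restore it somewhere and compare every file against hashes recorded at backup time. The following is an added example, not code from the original article; the file names and the `build_manifest`, `verify_restore` and `demo` functions are constructed for illustration, and the manifest is assumed to be stored away from the machines being backed up.

```python
# Added example (not from the original article): verify a restored backup
# against a SHA-256 manifest taken at backup time. All files are constructed.
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Sort every manifest entry into ok, missing or corrupt."""
    restored_root = Path(restored_root)
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report

def demo():
    """Build a constructed data set, simulate a faulty restore, verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.csv").write_text("id,name\n1,Alice\n")
        (source / "payroll.xlsx").write_bytes(b"constructed payroll data")
        (source / "notes.txt").write_text("constructed notes\n")
        manifest = build_manifest(source)  # recorded when the backup is taken
        shutil.copytree(source, restored)  # stands in for the restore job
        (restored / "notes.txt").unlink()                      # file the job skipped
        (restored / "payroll.xlsx").write_bytes(b"\x00" * 24)  # file damaged in the backup
        return verify_restore(manifest, restored)

if __name__ == "__main__":
    print(demo())
```

A backup job that reports success can still produce the missing and corrupt entries shown here, which is why the check runs against a real restore rather than the job log.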
Spending time to segment your network can improve the performance of your system by reducing bottlenecks and minimizing local traffic as well as lessen the effect of local failures on branches of the network. Additionally, it significantly improves your security by keeping the layout of your network hidden from the outside and allows for better control of visitor access.
How long do you think it takes to discover a breach in your system? It is a little over three months. Are you already infected? That means probably YES!
Automation is Key! Upgrade and Patch, Patch, Patch
I have been telling my audience for years that they need to upgrade, but like everything else, it is the “if it ain’t broke, don’t worry about it” mentality that has allowed these hackers to have such an impact. I tell people this because I want them to be secure — in all their “persons, houses, papers, and effects” which includes these days all your electronic data. Just because you or someone you know has not been the victim of this does not mean you were successful in preventing a disaster or that your efforts were unnecessary; it just means that you escaped “this time.” All of this comes back to risk and placing the blame on the IT department when the actual responsibility belongs to those who failed to understand the depth of the risk involved and decided not to prevent those risks. Documentation leaves a paper trail; this allows the attachment of blame in the event of a breach. Once the risk becomes a reality, and the impact is staring you in the face, it is human nature to find someone to blame, and unfortunately, it will probably be your technical staff whose hands you tied. When you are crafting your security policies and procedures, make sure that you are putting your risk management team on notice as to their responsibilities as well as to what will result if their decisions are found to have caused the breach.
Policies and Procedures
By creating a series of policies and procedures, you are showing a good-faith effort to protect your data. There are multiple steps required to assure your compliance with those policies.
First: Keep an accurate record of any and all software, and its installation date, when the patch was applied and by whom, and any problems that resulted from those repairs that required a fall back to a previous version.
Second: Train your employees. Again, record keeping is essential, so keep a copy of all training conducted including the material covered, the date you did the training, who taught the training, and who was in attendance.
Third: In the case of a risk management decision in which they ignore the policies and procedures, this must be documented as well and must include the risk, the likelihood and the impact, and the mitigation strategy along with the name and position of the person who made the decision.
Records such as this will go a long way in protecting you and your company in the event of a breach. All files should have a backup copy kept off-site.
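The patch records from the first step and the risk decisions from the third can be checked automatically. This added example is not code from the original article: the field names, the 14-day window, the host names and the patch id are assumptions, every record is constructed, and the dates are chosen to mirror the March-to-May 2017 gap described earlier.

```python
# Added example, not from the original article. Field names, the 14-day window,
# host names and the patch id are assumptions; every record is constructed.
from datetime import date

PATCH_FIELDS = ("host", "software", "installed_on", "patch_id",
                "released_on", "applied_on", "applied_by", "rolled_back")
DECISION_FIELDS = ("risk", "likelihood", "impact", "mitigation",
                   "decided_by", "position")
MAX_DAYS = 14  # assumed policy: days allowed between release and deployment

def audit(records, decisions, today):
    """Return (host, patch_id, finding) for every record that breaks policy."""
    findings = []
    for rec in records:
        key = (rec.get("host"), rec.get("patch_id"))
        missing = [f for f in PATCH_FIELDS if f not in rec]
        if missing:
            findings.append(key + ("record incomplete: " + ", ".join(missing),))
        elif rec["applied_on"] is not None:
            lag = (rec["applied_on"] - rec["released_on"]).days
            if lag > MAX_DAYS:
                findings.append(key + (f"applied {lag} days after release",))
        elif (age := (today - rec["released_on"]).days) > MAX_DAYS:
            # Unpatched past the window: a complete risk decision must exist.
            decision = decisions.get(key, {})
            gaps = [f for f in DECISION_FIELDS if not decision.get(f)]
            if gaps:
                msg = f"unpatched {age} days; decision record missing: "
                findings.append(key + (msg + ", ".join(gaps),))
    return findings

def _rec(host, applied_on, applied_by):
    return dict(host=host, software="line-of-business client",
                installed_on=date(2015, 6, 1), patch_id="PATCH-A",
                released_on=date(2017, 3, 14), applied_on=applied_on,
                applied_by=applied_by, rolled_back=False)

SAMPLE_RECORDS = [
    _rec("ws-01", date(2017, 3, 16), "jdoe"),   # two days after release
    _rec("ws-02", date(2017, 5, 1), "jdoe"),    # applied late
    _rec("ws-03", None, None),                  # never patched, nothing on file
    _rec("srv-legacy", None, None),             # never patched, decision on file
]
SAMPLE_DECISIONS = {("srv-legacy", "PATCH-A"): dict(
    risk="worm reaches unpatched server", likelihood="high", impact="high",
    mitigation="", decided_by="A. Example", position="COO")}
TODAY = date(2017, 5, 12)

if __name__ == "__main__":
    print(*audit(SAMPLE_RECORDS, SAMPLE_DECISIONS, TODAY), sep="\n")
```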