On 12th May, we witnessed a worldwide outbreak of the WannaCry worm and its variants, which affected (at the last count) 200,000 systems in 150 countries and, notably, had a huge impact on hospitals throughout the UK, Government agencies, and large manufacturers. As a new week begins, it’s unclear whether the worst is behind us. Regardless of whether you contact us or anybody else about this, we recommend that all organisations take some action to enhance their security.
Below, we’ve provided some advice on the immediate actions you can take, shared the components of our security ecosystem and, in the third and final section of this post, outlined two ways you can test your vulnerability.
Actions You Can Take Now
- Review your disaster recovery and business continuity plans.
- Review your company’s patch management program.
- Identify where all critical data resides; are regular backups being made?
- Have employees been told about the latest phishing and social engineering techniques?
- Review your incident response plan; has this ever been tested?
- Are all current security procedures in place and operating effectively?
- Have you recently tested your security and acted on an assessment’s results?
Charterhouse Security Ecosystem
Charterhouse have an ecosystem of partners and services which can help protect your organisation against cyber-attacks.
- Detection, testing and analysis: threat detection, vulnerability and red team assessments and incident response.
- Technical security training: cyber courses accredited by CESG, IISP & CyberScheme.
- In-Market vulnerability management: monitoring for product and software threat landscapes.
On top of the above services, our network design team incorporate the following security controls into their work:
- WildFire classifies all known samples as malware, automatically blocking malicious content from being delivered to users.
- Threat Prevention enforces IPS signatures for the SMB vulnerability exploit used in this attack, ETERNALBLUE (CVE-2017-0144, MS17-010).
- URL Filtering monitors the malicious URLs used in the attack and will enforce protections if needed.
- DNS Sinkholing can be used to identify infected hosts on the network.
- Traps prevents the execution of the WanaCrypt0r malware on endpoints.
- AutoFocus tracks the attack for threat analytics and hunting via the WanaCrypt0r tag.
- GlobalProtect extends WildFire and Threat Prevention protections to remote users and ensures consistent coverage across all locations.
On top of all of this, our security ecosystem includes endpoint control and protection, cloud-delivered web security gateways, email security gateways, real-time attack visibility and incident response technologies that bridge the gap between detection and remediation of breaches.
I’ve Not Been Affected but Want to Test My Vulnerability to Future Ransomware Attacks
If you have not been affected, we can assist by testing your vulnerability to the attack and providing a policy verification check. This ensures that essential functions, such as key backup services, are appropriate and working, and that other technical protections are in place which will specifically limit the effect and exposure of the ransomware worm.
If you have already been infected, don’t panic. Shut down any affected systems and contact us. Be wary of any online adverts for software claiming to be able to remove the infection. International worm outbreaks such as this provide the opportunity for further cyber-crime. Further, experts predict this is likely the first of several large-scale attacks of this type, based on the code released by Shadow Brokers that enabled this latest attack.
Services That Can Help You:
Ransomware Readiness Assessment
The Ransomware Readiness Assessment will provide your organization with a review of its current security posture with an emphasis on the business capability to withstand a ransomware attack.
Stage 1: Vulnerability assessment.
This stage looks specifically for the missing patches that permit the Wanna* variants into systems.
Stage 2: Business Continuity Testing
A staged test of the viability of backups and disaster recovery readiness. We witness backups being restored and ensure that everything works.
Stage 3: Review of patching policy.
This will be fed by the vulnerability assessment in stage one, which will give us the information we need to compare what the organisation thinks it is doing with what is actually happening. Many organisations are surprised at the results of this.
Stage 4: Security awareness policy review.
Most of these infections are delivered by email/phishing and the users are the weak spot. This could involve some phishing as well.
Ransomware Impact Assessment
The Ransomware Impact Assessment will provide the ability to assess the impact on any infected systems with a view to identifying and drafting a recovery plan.
Stage 1: Assessment of vulnerable systems.
Testers review the infected systems for the extent of the attack, followed by offline forensic analysis of infected disks.
Stage 2: Backup Readiness review.
Review of systems impacted, current backup testing procedures and the backup logs to ensure recoverability.
Stage 3: Recovery Assistance Report
A report on recovery options and a plan to recover operations.
If you want to do more to protect your company's infrastructure and data, get in touch, explain your situation and we'll happily help you identify an ideal solution.