The WannaCry scramble
- 26 May, 2017 03:05
A couple of weeks ago, possibly every security manager in the world was dealing with the repercussions of WannaCry, a ransomware worm that screamed across the internet and flooded the media. IT and security departments, placed on high alert, had to scramble — whether or not any of their systems had been infected. I was no exception.
WannaCry emerged after a hacking group named Shadow Brokers leaked a number of exploits and data related to previously undisclosed vulnerabilities in various technologies, including Microsoft Windows. One of the leaked exploits was modified and subsequently given a variety of names, the most prevalent of which was WannaCry.
This malware features some nasty functionality. Not only does it encrypt data on hard drives and demand a ransom for the decryption key, but it also attempts to propagate via a previous known vulnerability in Windows’ Server Message Block (SMB) protocol. Although Microsoft had issued a patch for this vulnerability, it hadn’t been implemented on thousands of PCs, for various reasons. Among those reasons was that many of them still run on outdated Windows OSs that are no longer recipients of free-of-charge support — and many users decided against paying for support.
WannaCry could have been much more devastating than it was — and it was very disruptive, affecting hospitals and other health services in disproportionate numbers — if not for a “kill switch” that the malware author included in the code. There are various schools of thought as to why this kill switch existed, but the consensus is that the author wanted a way to stop the malware from propagating. The method was to register an obscure web domain. As long as the domain didn’t resolve to anything, the malware would continue to propagate and infect vulnerable devices. But a security researcher discovered the kill switch and registered the domain, which stopped the malware. In the end, something like 200,000 devices (that we know of) were impacted.
And so, like many security professionals and IT departments, I was scrambling. Improved variants of WannaCry have already emerged, and I wanted to get ahead of the game, as well as determine whether there had been any impact to my organization. My first step was to ensure that all of my company’s PCs and servers were up to date with patches and had the most current endpoint protection installed and running. I also wanted to make sure that every device was being backed up, that the backups were occurring on a daily basis and that there was a current backup available.
As for the patches, it wasn’t enough that they had been installed, since patches can be installed but not able to actively protect a device because there has been no reboot. I made sure that any PC or server that had a patch pending was forced to reboot. There was a problem, however: the PCs of remote employees. Our systems management tool, which checks patch status, is installed on our internal network. We have no patch visibility and control over PCs in the field unless the user VPNs into the office. Because there typically isn’t any need for remote PC users to VPN, since most of our corporate apps are SaaS-based, chances were good that we hadn’t been able to push polices and get reports on the patch status of hundreds of PCs.
This, then, was a rare case when I felt I needed to be a big foot. I had the IT department instruct managers to mandate that all of their workers either connect to the VPN or send screenshots to verify that their PC was up to date with patches. I don’t like to be a burden on the IT department or to issue mandates, but the danger to our operations made it necessary — the alternative would have been even more of a burden.
Meanwhile, we were already in the process of identifying a systems management tool that is cloud-based so that we can avoid this problem in the future. Other things such as endpoint protection and backup are already cloud-based and are therefore freed from the need of PCs being attached to our network, so it was easy to check on compliance with malware protection and backups.
I also obtained indicators from some trusted internet sources and monitored our intrusion detection sensors for any traffic that would be indicative of an infected machine. So far so good.
My next course of action was to send an email summarizing the details of WannaCry and strongly urging employees to be on the lookout for phishing attempts, spam, suspicious links on social media sites, unverified software, etc., and to be diligent in not clicking or installing untrusted links or software. I emphasized that I wasn’t just talking about corporate devices, applications and email, but about personal devices as well. I also reminded employees of several of my security guiding principles, including that we are only as strong as our weakest link and that employees have a responsibility in the security of our company and its customers.
I hope they take those words to heart.
This article written by a security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.