WannaCry forces you to rethink and implement a cyber security strategy.
Here’s a checklist.
The WannaCry or Wannacrypt 2.0 ransomware is a cyber attack with an unprecedented global impact on business, and it won’t be the last. To handle cyber attacks with a similar impact in the future, you must have a solid Cyber Security Strategy.
In this blog post, the key elements of such a strategy will be highlighted focusing on ransomware. This will allow you to prevent, detect and respond to the attacks in an adequate way.
The elements of a solid Cyber Security Strategy
When developing a good strategy, you must take people, process and technology into account. That is crucial to handle known and unknown attacks in the future.
The following aspects have a direct relation with WannaCry Ransomware and will help your organization deal with similar attacks in the future:
Cyber Security Awareness training for users:
Teach your users to report suspicious e-mails and attachments, and make clear to them that opening such attachments can harm the organization. Education alone is not enough, however: there will always be someone who double-clicks an infected attachment, or the ransomware will find another way into your organization. That is why you also have to focus on processes and technology.
Disaster recovery process and a good back-up strategy:
You always have to be sure that valuable information and systems can be restored when a disastrous event happens. The continuity of your business has to be ensured when data is encrypted by ransomware. Therefore, the disaster recovery process and a good offline back-up strategy are of utmost importance.
A gold build process for a quick restore of computer systems:
Restoring infected systems by re-installing them takes a lot of time and effort. When you have a trusted gold build image and a corresponding procedure, you save a lot of time and money. The gold build image also allows you to better manage the systems and to enforce a secure configuration on all of them. This is why SecureLink focuses heavily on the workspace as part of the Cyber Security strategy for organizations.
A patch management process to avoid unpatched systems:
The WannaCry ransomware is so successful because it exploits a recently discovered vulnerability in Microsoft systems that became publicly known. This vulnerability allows the ransomware to move laterally through networks via the SMB protocol. Although Microsoft released a patch in March, the impact is tremendous: during this attack, a lot of computer systems were still unpatched and lacked the required security controls. This highlights the importance of a good patch management process. When all your computer systems are patched on time, the risks drop dramatically. This is once again a reason for SecureLink to focus on the workspace of your users and to integrate a patch management process in the solutions we deliver to our customers.
A vulnerability management process to apply patches in a more efficient way:
New vulnerabilities are discovered every day, and it is important to keep them under control. Scanning your systems and accelerating the patch management process dramatically shortens the window in which a known vulnerability remains exploitable on your systems.
A secure configuration process to make sure all systems are correctly configured and to reduce the attack surface:
Organizations often invest a lot in security controls. These controls have many functionalities and possibilities to protect organizations, but they are worthless to your organization if they aren’t configured in the appropriate way. Therefore, you need to make sure that the right policies are in place to block cyber attacks, and that a deny-by-default principle is used when a service is not required for your business.
A continuous security log monitoring process for a faster detection of malware in your organization:
A continuous security log monitoring process that notifies you of security incidents and correlates them with other threat sources enables your organization to detect an attack much faster. It will provide you with information on incoming malware or infected hosts, enabling you to start an incident response process. SecureLink invests heavily in its Secure Analyze Services to provide the customer with a faster detection process.
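As an added illustration (not code from the original post or from SecureLink), the Python below runs one such detection over a few constructed firewall log lines: it flags a host that reaches many distinct internal addresses on TCP 445 (SMB) within a short window, the fan-out pattern of the lateral movement described above. The log format, the window length and the alert threshold are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(minutes=5)   # sliding window; tuning value assumed for the example
THRESHOLD = 10                  # distinct SMB targets inside WINDOW that trigger an alert

# Constructed sample firewall log lines (not real traffic): one host fans out
# to twelve neighbours on TCP 445, a second host behaves normally.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:00:{i:02d} src=10.1.1.20 dst=10.1.1.{30 + i} dport=445 action=allow"
     for i in range(12)]
    + ["2017-05-12T10:00:20 src=10.1.1.50 dst=10.1.1.5 dport=445 action=allow",
       "2017-05-12T10:00:21 src=10.1.1.50 dst=10.1.1.6 dport=443 action=allow"]
)


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into (datetime, dict of fields)."""
    ts, *fields = line.split()
    return datetime.fromisoformat(ts), dict(f.split("=", 1) for f in fields)


def detect_smb_fanout(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return [(src, timestamp, distinct_targets)] for every source that reaches
    `threshold` distinct destinations on TCP 445 within `window`; one alert per source."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) still inside the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if int(f.get("dport", 0)) != SMB_PORT:
            continue                      # only SMB connections matter here
        q = recent[f["src"]]
        q.append((ts, f["dst"]))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        targets = {dst for _, dst in q}
        if len(targets) >= threshold and f["src"] not in alerted:
            alerted.add(f["src"])
            alerts.append((f["src"], ts.isoformat(), len(targets)))
    return alerts


if __name__ == "__main__":
    for src, when, n in detect_smb_fanout(SAMPLE_LOG):
        print(f"ALERT {when}: {src} reached {n} hosts on TCP 445 (possible lateral movement)")
```

In a real deployment the alert would be forwarded to the incident response process and to the Network Access Control integration described further down.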
An incident response process to take the right decisions during an attack and to minimize the impact on your organization:
Detecting incidents is one thing. You also have to make sure your organization is able to respond in an adequate manner thanks to the right process. An incident response process is a collection of procedures aimed at identifying, investigating and responding to potential security incidents in a way that minimizes impact and supports rapid recovery.
A Threat Intelligence feed for faster information on threats:
There are multiple threat intelligence feeds to which you can subscribe to stay informed. Sometimes, they even inform you before your organization is attacked or before it appears on the known news channels.
A Next-Generation Firewall and e-mail Proxy with sandbox technology to detect and protect against zero-day malware:
Technologies for detecting zero-day malware have existed for many years now. They all work with a sandbox environment that notifies you when a zero-day enters your organization via a next-generation firewall or via an e-mail proxy. In many cases, they are even able to block the malware and its command-and-control connections.
A Next-Generation Endpoint Protection solution to protect computer systems:
Next-Generation Endpoint technology based on machine learning might be the most effective solution to block ransomware attacks. In the future however, other attacks with a similar impact are very likely to occur. That is why a complete Cyber Security Strategy is recommended.
A segmented network and network segmentation firewall to prevent the lateral movement of malware:
The impact of WannaCry-ransomware is enormous because it was able to move laterally via the SMB protocol. A well-segmented network and a segmentation firewall can help you block communication between segments and avoid the lateral movement of malware.
A Network Access Control solution integrated with other detecting technology to remove infected computer systems from your network:
If you detect an infected system, it is a good idea to remove it from your network. Network Access Control technology integrated with sandboxing technology enables you to remove these infected hosts in an automated way.
Data Discovery technology that keeps track of files being encrypted on central file shares and file repositories with the ability to lock the infected user account in your identity and access management system to prevent further damage:
Keeping track of your data itself is a very advanced control. Data Discovery technology is able to see whether data is losing its integrity and to block access to the data by closing off the user account. This should be looped back into your continuous security monitoring solution so that an incident response process can be started.
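As an added illustration (not code from the original post or from SecureLink's Data Discovery offering), the Python below shows the core of such a control over constructed file-share events: a rewrite is treated as encryption when the new content has near-maximal byte entropy or the file gains a new extension, and an account that rewrites too many files this way is handed to a lock_account hook, which in practice would call the identity and access management system. The event format, the thresholds and the .enc extension are assumptions made for the example.

```python
import math
import os
from collections import defaultdict

ENTROPY_LIMIT = 7.5    # bits per byte; encrypted or compressed data sits near 8.0 (assumed tuning)
MAX_SUSPECT_FILES = 5  # suspicious rewrites by one account before it is locked (assumed tuning)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: office text scores roughly 4 to 5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(event) -> bool:
    """A rewrite looks like encryption when the new content is high-entropy
    or when the file comes back under a different extension."""
    _, old_path, new_path, content = event
    changed_ext = os.path.splitext(new_path)[1] != os.path.splitext(old_path)[1]
    return changed_ext or shannon_entropy(content) > ENTROPY_LIMIT


def watch_share(events, lock_account):
    """Feed file-share events (user, old_path, new_path, new_content) through the detector
    and call lock_account(user, reason) once when a user crosses MAX_SUSPECT_FILES."""
    suspect = defaultdict(int)
    locked = set()
    for ev in events:
        user = ev[0]
        if user in locked or not is_suspicious(ev):
            continue
        suspect[user] += 1
        if suspect[user] >= MAX_SUSPECT_FILES:
            locked.add(user)
            lock_account(user, f"{suspect[user]} files rewritten with encrypted-looking content")
    return locked


# Constructed sample events: 'alice' behaves like a ransomware-infected workstation,
# 'bob' saves ordinary text. CIPHERTEXT is a uniform byte distribution standing in for real output.
CIPHERTEXT = bytes(range(256)) * 8
PLAINTEXT = b"Quarterly figures: revenue up 4% on Q1, costs flat. " * 40
SAMPLE_EVENTS = (
    [("alice", f"//fs01/finance/doc{i}.xlsx", f"//fs01/finance/doc{i}.xlsx.enc", CIPHERTEXT) for i in range(6)]
    + [("bob", "//fs01/finance/notes.txt", "//fs01/finance/notes.txt", PLAINTEXT)]
)

if __name__ == "__main__":
    watch_share(SAMPLE_EVENTS, lambda user, why: print(f"LOCK {user}: {why}"))
```

Which of the two signals fires first depends on the ransomware family, which is why the check combines them rather than relying on an extension list alone.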
SecureLink as a trusted advisor
This ransomware attack will definitely not be the last. Other cyber attacks will probably happen on the same scale. Security is an end-to-end story and a future-proof cyber security strategy is crucial. SecureLink advises companies on this topic with an eye on the GDPR legislation.