What Can the WannaCry Attack Teach Us About SME Cyber-Security?
21st Jun 2017
The recent WannaCry ransomware attack needs little introduction; even the non-technical among us will have heard about the ‘hack’ of NHS computers that made the front page of every mainstream publication and was the top story on television news.
‘Hack’ or ‘hacking’ is one of those regularly misused terms that the general media use to create a sense of dread and illegality around cyber-crime, and it is often accompanied by the image of a young person (probably in a hoodie) toiling away at a laptop screen in a darkened room. All of which combines to give us a somewhat distorted view of what is actually going on.
Putting this blunt vocabulary and clandestine imagery, used to sell newspapers, to one side for a second: what the ‘hack’ (let’s call it what it was, a malware attack) showed is that cyber-security, both its prevention and recovery after the event, should be a critical area of focus for every business.
Seek and destroy
Although the headlines in the UK were predominantly focused on the NHS, this does not mean that this was a targeted attack, or that it is only large, monolithic organisations like the NHS that were (or are) at risk.
Much like a biological virus, this attack did not discriminate between large corporations and smaller businesses or organisations. It was exploit-driven: it scanned for any machine exposing a vulnerable Windows file-sharing (SMBv1) service on the network and attacked it.
Small business cyber-security concerns
There is sometimes a stance within smaller businesses that they are ‘not important’ where cyber-crime is concerned, propagating the idea that the smaller your business may be, the less attractive you are to cybercriminals.
This is a dangerous approach to cyber-security, as attacks such as WannaCry do not select or discriminate based on business type, size or any other categorisation; the only thing that matters is whether your systems can be exploited.
Of course, large organisations have their own challenges due to the scale of their infrastructure, which is what caused major issues for the NHS. Smaller businesses and organisations don’t have the challenges brought about by scale, but a lack of in-house technical understanding and slower investment in systems may be their Achilles’ heel.
Financial and reputational damage
Like the majority of ransomware attacks, WannaCry was financially driven.
Headline attacks such as that on the NHS, or the countless other large corporates hit in recent times, are undoubtedly financially damaging, but not so much that their future is placed in question. That may not be the case for small to medium-sized businesses, for which a breach of this kind could be catastrophic, either in terms of finances or reputation…or both.
Small businesses often trade on their reputations and being exploited in this way will likely have a significantly negative impact on stakeholder perceptions. Add to this the often-low operating budgets of small businesses, and an unplanned outage of internal networks could halt trading altogether...permanently!
What is it that set WannaCry apart?
The WannaCry ransomware was an interesting piece of malware, and other criminal groups will, without doubt, learn lessons from its method of deployment in order to create stronger and more resilient attacks of this kind.
Having said that, forensic analysis has shown there were flaws in what was deployed (the now well-known ‘kill switch’ domain being the obvious one), raising the question of whether this version was ever intentionally meant to be released into the wild. But because of its ‘worm’ characteristics – essentially its ability to spread itself from machine to machine across a network rather than wait for people to click on links – it spread very fast and very wide.
What can WannaCry teach us about cyber-security?
Ok, so enough about the negativity, what lessons can we learn from this?
Well, primarily that these types of attacks can affect us all - enterprises, government, small and medium businesses and, indeed, consumers - and that a multi-layered approach to security is critically important. From a more technical perspective, here are a number of lessons to be learned and best practices which should be adhered to:
- Software Patching – This attack exploited a vulnerability in Windows SMBv1 for which Microsoft had already released a patch (MS17-010) in March 2017, two months before the outbreak. Having systems in place to ensure that ALL machines are patched promptly is key, including those devices that rarely connect to the network or run specialist software, as they are the ones that easily get forgotten.
- Upgrading Systems – Again, the NHS was vulnerable because it runs older, and in some cases unsupported, operating systems. For them, migrating to newer systems is not easy due to the proprietary software that they depend on and the overall cost. However, businesses should heed End-of-Life and End-of-Support notices from software vendors and ensure they have a plan (and funding) in place to replace older operating systems before support ends.
- Attack Surface – Minimising the potential areas of attack makes common sense, but all too often the desire for simplicity means IT systems have ports open that are either not required or no longer needed. WannaCry needed nothing more than a reachable SMB service (TCP port 445); a service that is not exposed cannot be exploited. Having a plan to review open ports and services on a regular basis ensures that the attack surface is kept small.
- Segmentation – Breaking the internal network down into logical segments is networking best practice, but it is not always deployed, even in some larger organisations. Segmentation enables security policies to be defined between internal network areas to halt the spread of malware across the whole organisation, limiting the potential damage. If a company allows BYOD then those devices absolutely should be on their own segment, as they are not known to (or trusted by) the business.
- Social engineering – Educating your users in what to look for in suspicious emails, and setting policies for the sharing of information and the plugging-in of unauthorised devices, is key. Although WannaCry needed no click to spread once it was inside a network, most ransomware still arrives by email. People are generally the weakest link in the security line-up as they are easily swayed by lures that target their basic impulses (curiosity and money).
- Endpoint Security – We all (should) have antivirus running on our desktops and laptops, but is it regularly updated? What about the Windows Firewall? Is it controlled by central policy so that users cannot turn it off, and does it block inbound SMB from other workstations? For even better security, endpoint isolation (sandboxing) is possible; this limits the damage a compromised device can do to the rest of the estate.
- Pro-active Firewalling – This is something that we have blogged about before: not simply concentrating on protecting inbound traffic while allowing all outbound traffic out through your firewall, but only allowing the outbound traffic that is legitimate and blocking everything else.
- Next Generation Firewalls – Reliance on the old firewall technology of port and IP screening is simply not enough these days. Next Generation firewalls inspect the payload as well as the headers and can make decisions based on the application or application type, and can tie policies to actual users for deeper granularity and control of your networks.
- Backups/DR – Should the worst happen and your data be encrypted, you are going to need to rely on your backups. Are they working correctly? Are they regularly reviewed, and can you actually restore from them? Keep at least one copy offline or otherwise unreachable from the infected machine, since ransomware will encrypt any mapped share it can write to. REMEMBER: testing your backups is as important a task as taking them in the first place.
- Trend monitoring – Many malware infections hide beneath the security radar, but systems that monitor the network for changes in traffic patterns can provide early warning that something suspicious is happening. A single workstation suddenly opening SMB connections to dozens of other hosts is exactly the pattern a worm produces, and it is visible long before the ransom notes appear.
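To make the segmentation and trend-monitoring points concrete, here is a small Python script that reads a flow log (source, destination, port and time for each connection), checks every flow against a default-deny segment-to-segment policy, and flags any host that fans out to many distinct machines on TCP/445 within a short window, which is what an SMB worm looks like on the wire. This is an added example written for this post, not Ensign Communications’ code or any product’s detection logic; the segment ranges, the policy table and the flow records are all constructed for illustration.

```python
"""Flag WannaCry-style SMB fan-out and segment-policy breaches in flow logs.

Added example for this post (not Ensign's code). The segment ranges, the
policy table and the flow records below are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log: "timestamp src dst dport proto", one flow per line.
# 10.10.1.23 behaves like an infected host scanning its own subnet on 445.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.10.1.23 10.10.2.10 445 tcp
2017-05-12T10:00:05 10.10.1.23 10.10.1.5 445 tcp
2017-05-12T10:00:06 10.10.1.23 10.10.1.6 445 tcp
2017-05-12T10:00:07 10.10.1.23 10.10.1.7 445 tcp
2017-05-12T10:00:08 10.10.1.23 10.10.1.8 445 tcp
2017-05-12T10:00:09 10.10.1.23 10.10.1.9 445 tcp
2017-05-12T10:00:15 10.10.1.23 203.0.113.5 445 tcp
2017-05-12T10:01:00 10.10.1.40 10.10.2.10 443 tcp
2017-05-12T10:01:30 10.10.3.7 10.10.2.10 445 tcp
2017-05-12T10:02:00 10.10.3.7 198.51.100.9 443 tcp
"""

# Hypothetical internal segments; any address outside them counts as "internet".
SEGMENTS = {
    "users": ip_network("10.10.1.0/24"),
    "servers": ip_network("10.10.2.0/24"),
    "byod": ip_network("10.10.3.0/24"),
}

# Allowed (source segment, destination segment) -> TCP ports. Everything not
# listed is denied: no workstation-to-workstation SMB, no BYOD into servers,
# and no SMB out to the internet.
POLICY = {
    ("users", "servers"): {443, 445},
    ("users", "internet"): {80, 443},
    ("byod", "internet"): {80, 443},
    ("servers", "servers"): {445, 3389},
}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse the space-separated flow format above, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def segment_of(ip):
    """Name of the segment containing ip, or "internet" if none matches."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def policy_violations(flows):
    """Return the flows the segment policy would deny (default deny)."""
    return [f for f in flows
            if f.dport not in POLICY.get((segment_of(f.src), segment_of(f.dst)), set())]


def smb_fanout(flows, port=445, window=timedelta(minutes=5), threshold=5):
    """Map source -> peak count of distinct hosts it contacted on `port`
    within any `window`, keeping only sources at or above `threshold`.
    A normal workstation talks to one or two file servers; a worm talks to many."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == port:
            by_src[f.src].append(f)
    flagged = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        peak = 0
        for i, f in enumerate(fl):
            # distinct destinations seen in the window ending at this flow
            recent = {g.dst for g in fl[: i + 1] if g.ts >= f.ts - window}
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def analyse(text):
    flows = parse_flows(text)
    return policy_violations(flows), smb_fanout(flows)


if __name__ == "__main__":
    violations, fanout = analyse(SAMPLE_FLOWS)
    for f in violations:
        print(f"DENY  {f.src} ({segment_of(f.src)}) -> {f.dst} ({segment_of(f.dst)}) tcp/{f.dport}")
    for src, n in fanout.items():
        print(f"ALERT {src} reached {n} distinct hosts on tcp/445 within 5 minutes")
```

Run against the sample, the policy check denies the workstation-to-workstation SMB flows, the SMB attempt out to the internet and the BYOD device reaching for the file server, while the fan-out check raises an alert for 10.10.1.23 alone. The threshold and window are deliberately conservative; tune them against a week of your own flow data before alerting on them, as backup agents and vulnerability scanners legitimately fan out on 445.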
For advice on designing your network and systems to the deployment of security solutions like Next Generation Firewalls and Endpoint Network Security please contact Ensign Communications for a chat with our technical team.