Ransomware – really a “cyber attack”?
The news from Friday's ransomware outbreaks has once again brought computer security to the fore of everyone's minds. While the pictures of a skull and crossbones against a Matrix-style backdrop used by the BBC and the rest of the media promote the popular myth that this is the kind of "hacking" you see in the latest movie, the truth is unfortunately far more mundane and, for that reason, probably far more dangerous. Once again, maximum disruption has been achieved by preventing the end user from working rather than by targeting the core systems that most of the money is spent on securing.
Nowadays, "CYBER SECURITY" is a buzzword in its own right. It has a specific budget and aims and, as an IT-related discipline, it has grown exponentially. While there have always been highly qualified professionals working in the field, from encryption specialists to penetration testers, there is an unfortunate trend to move anything to do with security and "hacking" into that field. What has been exposed by the events of Friday is not the need to spend money on the latest firewall hardware or two-factor authentication system but in fact the need to reinforce some of the most traditional IT best practices at all levels: be wary of what you click on and keep your software up to date.
Historically, in a large organisation, these are functions that have been dealt with by the "regular" IT department. These are the guys who will likely have set up your printer and shown you how to do something in Excel. What you won't see is these guys maintaining the network infrastructure, the invisible task that is really only noticed when you swear on a Monday morning because your PC rebooted for an update and affected all the work you left open on Friday afternoon. These tasks always come across as a barrier to productivity rather than essential maintenance and, unfortunately, tend to be something to avoid and obstruct. Coming from a background of IT support to a large national construction contractor, I can certainly see that calling these reboots part of a Cyber Security Initiative gives it more teeth to perform the background tasks in a more visible way (and potentially more budget) when users complain. However, there is a clear danger that moving these tasks away from operations and maintenance into a separate security-oriented area may see the less glamorous work that is taken for granted given second place to the latest security initiatives that win votes in the public eye.
The nature of Friday's ransomware is simple: persuade somebody in an organisation to click on something attached to an email, probably disguised as a PDF invoice or remittance, which installs the ransomware on their PC. It immediately looks for files, encrypts them and tells you it'll cost money to get them back. It also begins installing itself on other computers in your network, using a vulnerability in Microsoft Windows. Those other computers may have access to networks your PC does not, and it can then go off and spread to those networks. Rinse and repeat.
There is no step in that sequence that cannot be addressed in the prevention stage. Working backwards:
Reduce your exposure. Do not connect a PC to a network it doesn't need access to. This could be a VPN connection to a supplier or even just the Internet. This is really just an adaptation of the "principle of least privilege": use only what you actually need. It reduces the chance of you infecting another machine or, more importantly, reduces the chance of being infected by someone else.
Keep Windows up to date. This isn't difficult anymore; you don't need to manually run Windows Update or visit websites to download patches. In all honesty, with Windows 10 it's actually more difficult not to install patches. When there's something available to install, it'll nag you and eventually it'll probably go ahead and do it anyway, rebooting your PC when you least want it to. Rather than fighting against this by clicking "postpone" for months, just let it get on with it. Save and close all your documents and go and get a coffee while it updates. Some updates take longer than others, but it takes much, much less time than recovering from what happened on Friday. Windows 7 and 8 will try to update automatically by default, but check your Windows Update settings to see what is configured. If I need to tell you how to enable them on Windows XP or Vista, you should actually be asking how you get a newer version of Windows. Windows XP is so old that Microsoft don't support it any more; it doesn't receive security updates and you should not be running it under any circumstances. For anything. At all. Ever. That said, Microsoft took the highly unusual step of issuing a fix for XP: see here. The press coverage of this exploit was so widespread I don't think they could just ignore XP's role in the spread, but it is a reactive fix only.
Back up frequently. The easiest way to recover from ransomware is to simply reinstall Windows and restore your personal files from backup. I would always recommend using a DVD installer to do this (it's the only source a virus wouldn't be able to contaminate), but Windows 10 does give you an easy way to reinstall using the Recovery feature. If you have a recent backup, chances are all you'll lose is the time it takes to do the recovery. Also, make sure your backup is to a location inaccessible to the ransomware. A directory on a portable hard drive that you sync files to is not a backup, it's a copy: there's nothing stopping the ransomware from encrypting that too. The only thing worse than not having a backup is having a backup you can't use. There are plenty of quality backup programs that can create secure backups to network storage or even the cloud, and they are inexpensive.
Use a quality, up-to-date anti-virus. Microsoft have a free Security Essentials product for Windows 7; download it at the very least. Windows 8 and above include the Windows Defender system; make sure it is enabled. If you can spare £30 a year, you can get a high-quality commercial product, which probably includes backup features. Make sure you renew your subscription: an out-of-date AV gives a false sense of security. I like Kaspersky. No, I'm not affiliated with them. If you like to do your homework, look at www.av-test.org. Honestly, there is no excuse; a good AV product is your last line of defence.
Measure twice, click once. Assuming you aren't the unlucky recipient of the virus from someone else on your network, you can help avoid the problem to the best of your ability by just thinking before you click on the unexpected invoice. Do you know the sender? If so, read the body of the email: does it look like they wrote it? Does the filename of the attachment match legitimate files you've seen from them before? Don't open it because you think it's from them; open it only if you know.
Organisations with a larger computer network can take simple steps without spending any money at all.
Secure your network boundaries. Rather than blocking undesired traffic at your network boundaries, permit desired traffic. Start with the most common applications, then wait for users to tell you what doesn't work and you'll soon build your list. You might even find you're letting a whole lot more through than you really should be. Do this at your routing boundaries, not at your Internet gateway. Principle of least privilege again: this would help contain the "outbreak" to just a single area of your network.
Be aware: keep an eye on the industry press. Bookmark a couple of trusted blogs and check them every morning while you have your first coffee, after you check the network alerts and before you check your tickets. I'll publish my list if anyone's interested. If you spot something relevant to you, act on it as soon as you can. The exploit that this ransomware takes advantage of has been known for some time (it actually has history with the NSA, for you conspiracy nuts) and patches have existed for a few months.
Have a patch management system. Windows Server Update Services (WSUS) is a centralised system for managing patches to your Windows infrastructure. It's included as a role with any recent version of Windows Server and will give you an audit of machines and their current patch levels, and enforce updates. While it works best in Active Directory, it can actually be used in workgroup environments. It has a learning curve, but even if your systems administrator is not full-time IT, it would certainly be accessible to them.
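As an added example (not part of the original post), here is a PowerShell script that gives a rough, WSUS-free version of that audit for a small workgroup: it pulls the installed update list from each machine with Get-HotFix, flags any that have not received an update recently, and checks for one specific patch. The computer names and the KB number are constructed placeholders; it assumes you have admin rights on each host and that remote management is already permitted.

```powershell
# Added example: quick patch-level audit without WSUS.
# Computer names and the KB number below are PLACEHOLDERS; substitute your own.
$computers   = @('WS-RECEPTION-01', 'WS-ESTIMATING-02', 'SRV-FILE-01')
$maxAgeDays  = 30            # flag anything with no update installed in this window
$requiredKB  = 'KB0000000'   # placeholder: the KB of the fix you are checking for

$report = foreach ($pc in $computers) {
    try {
        # Get-HotFix lists installed updates; InstalledOn can be blank on some entries,
        # so drop those before sorting by date.
        $fixes  = Get-HotFix -ComputerName $pc -ErrorAction Stop |
                  Where-Object { $_.InstalledOn } |
                  Sort-Object InstalledOn -Descending
        $latest = $fixes | Select-Object -First 1
        $age    = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { $null }

        [pscustomobject]@{
            Computer     = $pc
            LatestHotFix = if ($latest) { $latest.HotFixID } else { $null }
            InstalledOn  = if ($latest) { $latest.InstalledOn } else { $null }
            AgeDays      = $age
            HasRequired  = ($fixes.HotFixID -contains $requiredKB)
            Status       = if (-not $latest)            { 'NO DATA' }
                           elseif ($age -gt $maxAgeDays) { 'STALE' }
                           else                          { 'OK' }
        }
    } catch {
        # Unreachable or access denied: surface it rather than silently skipping,
        # since an unreachable machine is exactly the one you cannot vouch for.
        [pscustomobject]@{
            Computer = $pc; LatestHotFix = $null; InstalledOn = $null; AgeDays = $null
            HasRequired = $false
            Status      = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
}

# Worst cases first: unreachable and stale machines float to the top.
$report | Sort-Object Status, AgeDays -Descending | Format-Table -AutoSize

# Keep a dated CSV so you can compare week on week.
$report | Export-Csv -Path "$env:USERPROFILE\patch-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Anything showing STALE, NO DATA, UNREACHABLE or HasRequired = False is a machine to chase before Monday morning.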
Train and advise. Your users count on you to help them. If somebody clicks on something they shouldn't, they probably don't realise that they shouldn't have. Training is one of the most important parts of an IT deployment; your systems are useless without the knowledge to properly use them. Replace blame with education and you reduce the chance of this happening at all. While I'm railing against "cyber security" as a cost centre, cyber security awareness courses, ones that simply inform on topics such as social engineering and email use, are easily obtainable, sometimes free through local authority and government initiatives; if not, there are many online videos that do the job.
Get rid of Windows XP as soon as you possibly can. Windows XP is the old workhorse. It runs quickly on old laptops and using it is a get-out-of-jail-free card when you have no budget for "upgrades", as it keeps old hardware in service and frees up cash for shiny things. You can go ahead and just buy Windows 10 Pro, but there are some "kind of free" ways of getting hold of Windows. If you're still running XP because the hardware runs poorly on Windows 7 or above, that probably means it's knackered, and much, much faster hardware will probably be available for just a few hundred pounds and will come with a preinstalled, recent version of Windows. If you have licensing direct with a Microsoft reseller (a volume licence agreement, for example), check to see if you have Software Assurance or a subscription. You might actually be entitled to the latest versions of Windows, and at the very least Windows 7 might run okay on your old hardware. If you're in the public sector or have a parent organisation, you may be able to access their agreements. Microsoft love to get education and charities to rely on their products, so if you're in one of those areas, check for heavily discounted entitlements either direct with Microsoft or via a reseller. Finally, look at something like Ubuntu: if you just use Facebook and Google Docs, you might not actually need Windows.
If you have to run XP, run it isolated. Scarily, some organisations rely on applications that just don’t run on versions of Windows above XP. Isolate these systems in their own network and limit access. One terrifying sight I saw only last week was a cashpoint that had crashed and was running XP.
This ransomware issue has affected a number of large organisations, often ones you wouldn’t expect. I’ve received emails from large IT-centric organisations (one of whom is a Microsoft distributor) vaguely mentioning “technical issues” and asking for patience while they are sorted out.
At Trench Networks, we are proud to say our systems are our own, as far as is reasonably possible, and we maintain our own independently audited security throughout, including intrusion detection systems and an anti-virus web filter system. We have a rigid patch schedule and enforce security at a number of points, both internal and client-facing, providing completely private networks that ensure no client can impact another. In fact, our access control system includes a "posture assessment", where each device that connects is scanned for potential vulnerabilities before it is permitted onto the network. Should a device fail this assessment (which can include anything from anti-virus and patch status to suspicious traffic), a client-specified action is taken, from a simple email alert to device isolation. Ask your current provider for their security policies, if they have any. Alternatively, ask us how ours can complement your own policies and let us show you how a network designed from the ground up for our industry can add more value to your site setups than a simple router.