In the aftermath of last week's excitement over the WannaCry malware, I've had a lot of "lessons learned" meetings with clients. The results are exactly what you'd expect, but in some cases came as a surprise to the organizations we met with.
The short list is below - affected companies had one or more of the issues below:
That being said, there are always some hosts that can be patched, but can't be patched regularly. The host that's running active military operations for instance, or the host that's running the callcenter for flood/rescue operations, e-health or suicide hotline. But you can't give just up on those - in most cases there is redundancy in place so that you can update half of those clusters at a time. If there isn't, you do still need to somehow get them updated on a regular schedule.
Lesson learned? If your patch cycle is longer than a week, in today's world you need to revisit your process and somehow shorten it up. Document your exceptions, put something in to mitigate that risk (network segmentation is a common one), and get Sr Management to sign off on the risk and the mitigation.
2/ Unknown Assets are waiting to Ambush You
A factor in this last attack were hosts that weren't in IT's inventory. In my group of clients, what this meant was hosts controlling billboards or TV's running ad's in customer service areas (the menu board at the coffee shop, the screen telling you about retirement funds where you wait in line at the bank and so on). If this had been a linux worm, we'd be talking about projectors, TVs and access points today.
One and all, I pointed those folks back to the Critical Controls list ( https://www.cisecurity.org/controls/ ). In plain english, the first item is "know what's on your network" and the second item is "know what is running on what's on your network".
If you don't have a complete picture of these two, you will always be exposed to whatever new malware (or old malware) that "tests the locks" at your organization.
3/ Watch the News.
4/ Segment your network, use host firewalls
Disabling SMB1 should have happened months ago, if not year(s) ago.
5/ Have Backups
All to often, backups fall on the shoulders of the most Jr staff in IT. Sometimes that works out really well, but all to often it means that backups aren't tested, restores fail (we call that "backing up air"), or critical data is missed.
Best just to back it your data (all your data) and be done with it.
6/ Have a Plan
You can't plan for everything, but everyone should have had a plan for the aftermath of Wannacry. The remediation for this malware was the classic "nuke from orbit" - wipe the workstation's drives, re-image and move on. This process should be crystal-clear, and the team of folks responsible to deliver on this plan should be similarly clear.
I had a number of clients who even a week after infection were still building their recovery process, while they were recovering. If you don't have an Incident Response Plan that includes widespread workstation re-imaging, it's likely time to revisit your IR plan!
7/ Security is not an IT thing
Looking back over this list, it comes down to: Patch, Inventory, Keep tabs on Vendor and Industry news, Segment your network, Backup, and have an IR plan. No shame and no finger-pointing, but we've all known this for 10-15-20 years (or more) - this was stuff we did in the '80's back when I started, and we've been doing since the '60's. This is not a new list - we've been at this 50 years or more, we should know this by now. But from what was on TV this past week, I guess we need a refresher?
Have I missed anything? Please use our comment form if we need to add to this list!
May 23rd 2017
8 months ago
A had a huge "i told you so" i got to lay on people; if you dont need it, dont run it/close it.
I had just finished closing all ports on workstations except 3389. Even my manager was like well thats going to make it harder to get stuff done in the future. I explained attack footpront to him...
I got to gloat. When i did a review of our sitatuation i was like, smb on all workstations is closed so its moot.
I love it when a plan comes together.
Also we just finisned segmentation so that was great as well.
Also i had an urgent ticket in the system for admins to patch ms17 010 for 3 months. They did not do it, they were scared, i now have political capitol to help them get a more formal patch process with sla, etc...
May 23rd 2017
8 months ago