Reports of the notorious “Wannacry” and “NotPetya” ransomware attacks have flooded the media and social chatter recently. I personally know of an acquaintance who was laughing at the victims hit by the first wave of “Wannacry”, only to be literally crying when “NotPetya” came along. I guess the reports have pretty much narrated the multiple incidents, so I will not dwell too much on the despair of the poor victims. Many victims were probably left clueless about what could be done, since unless an off-site backup had been made, there is pretty much nothing that can be done. The latest wave, on 27th June 2017, resembling the 2016 Petwrap or Petya virus, was found to deliver a payload that writes onto the MBR, leaving no chance of recovering the data on the hard drive. Imagine the damage if you lost your entire accounting records, containing your AR and AP accounts.
I guess the best way to address the “what if” questions is to brief the people at the top not only on the recent episodes of cyber threats, but on the business risks that any cyber-attack may pose to the organisation. Looking at how the threats evolve with every wave, one can never be sure how the next wave will actually approach, but one thing is for sure: the damage inflicted would almost certainly impact the business organisation not just operationally, but also financially.
So, focusing on mitigating cyber risks and maintaining a high level of cyber hygiene, the following measures should be considered deliberately as steps to mitigate and better address such risks:
1. Effective Endpoint Protection:
With the growing trend of a remote workforce and BYOD culture, cybercriminals are now finding ways to infiltrate organisations via devices that are not protected with even a simple EPP and/or antivirus. BYOD devices often lack such protection because they are viewed as non-company assets. What management fails to recognise is that such devices often hold company data and have connectivity to the organisation's network. Even with a consumer-grade antivirus, the user's laptop may not have optimal protection, as the organisation’s IT support does not have a clear view of the level of protection such devices have.
Looking at the rise in zero-day attacks like the recent two threats, signature-based EPP and antivirus may not be effective in handling such attacks either. To address this problem, Endpoint Detection and Response (EDR) has proven to play an important role in complementing traditional EPP, especially when it comes to advanced persistent threats and customised targeted malware toolkits created to bypass traditional EPPs. EDR tools offer visibility into endpoint data that greatly assists in detecting and mitigating advanced threats; this also complements other security tools like Data Loss Protection solutions, Security Information and Event Management (SIEM), Network Forensics Tools, and Advanced Threat Defence appliances.
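To make the "visibility into endpoint data" concrete, here is an added example (written for this article, not INStream's or any vendor's EDR logic) that runs two behavioural rules over constructed endpoint file-activity telemetry: a process opening the physical disk device for writing, which is how an MBR-overwriting payload looks from the endpoint, and a process touching many distinct files across several folders within a minute. Neither rule depends on a signature. The hosts, process names, paths and thresholds are all constructed assumptions; a real agent would feed the same shape of events from its own sensors.

```python
"""Behavioural detection over constructed endpoint file-activity events.

Rule 1, raw_disk_write : a process writes to a physical drive device.
Rule 2, mass_file_churn: one process modifies or renames many distinct files
                         in several directories within a short window.
All events, hosts, paths and thresholds below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RAW_DEVICE_PREFIXES = (r"\\.\physicaldrive", r"\\.\harddisk")  # compared lower-cased
CHURN_WINDOW = timedelta(seconds=60)   # look-back window per process
CHURN_FILES = 30                       # distinct files touched within the window
CHURN_DIRS = 3                         # distinct directories touched within the window


def _burst(host, pid, image, start, dirs, count, action="file_rename"):
    """Build `count` one-second-apart events from one process spread over `dirs` (constructed)."""
    t0 = datetime.fromisoformat(start)
    out = []
    for i in range(count):
        d = dirs[i % len(dirs)]
        ts = (t0 + timedelta(seconds=i)).isoformat()
        out.append((ts, host, pid, image, action, rf"{d}\file{i:03d}.docx"))
    return out


# Constructed sample telemetry in the shape an agent would report:
# (timestamp, host, pid, image name, action, target path)
EVENTS = [
    ("2017-06-27T10:00:01", "fin-pc-07", 4120, "winword.exe", "file_write", r"C:\Users\amy\Documents\AR-June.xlsx"),
    ("2017-06-27T10:00:04", "fin-pc-07", 4120, "winword.exe", "file_write", r"C:\Users\amy\Documents\AP-June.xlsx"),
    # a process opening the physical disk for writing, as an MBR-overwriting payload would
    ("2017-06-27T10:02:10", "fin-pc-07", 5512, "rundll32.exe", "file_write", r"\\.\PhysicalDrive0"),
]
# the same process then renames 40 user files across four folders within a minute
EVENTS += _burst("fin-pc-07", 5512, "rundll32.exe", "2017-06-27T10:02:12",
                 [r"C:\Users\amy\Documents", r"C:\Users\amy\Desktop",
                  r"C:\Users\amy\Pictures", r"\\fileserver\finance"], 40)
# a build tool writing 60 files into a single output folder: high volume, one directory
EVENTS += _burst("dev-pc-02", 7781, "msbuild.exe", "2017-06-27T10:05:00",
                 [r"C:\build\out"], 60, action="file_write")


def detect(events):
    """Return a list of alert dicts for every (host, pid, image) matching a rule."""
    alerts = []
    flagged_raw = set()
    per_process = defaultdict(list)   # (host, pid, image) -> [(datetime, path), ...]
    for ts, host, pid, image, action, target in events:
        key = (host, pid, image)
        if action == "file_write" and target.lower().startswith(RAW_DEVICE_PREFIXES):
            if key not in flagged_raw:          # one alert per process, not per write
                flagged_raw.add(key)
                alerts.append({"rule": "raw_disk_write", "host": host, "pid": pid,
                               "image": image, "detail": target})
            continue
        if action in ("file_write", "file_rename"):
            per_process[key].append((datetime.fromisoformat(ts), target))

    for (host, pid, image), touches in per_process.items():
        touches.sort()
        start = 0
        for end in range(len(touches)):          # sliding window over time-ordered touches
            while touches[end][0] - touches[start][0] > CHURN_WINDOW:
                start += 1
            window = touches[start:end + 1]
            files = {path for _, path in window}
            dirs = {str(PureWindowsPath(path).parent).lower() for path in files}
            if len(files) >= CHURN_FILES and len(dirs) >= CHURN_DIRS:
                alerts.append({"rule": "mass_file_churn", "host": host, "pid": pid, "image": image,
                               "detail": f"{len(files)} files in {len(dirs)} dirs within {CHURN_WINDOW.seconds}s"})
                break                            # alert once per process
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The directory-spread condition in the second rule is the deliberate design choice: a build tool or backup job writing hundreds of files into one output folder stays quiet, while a process walking a user's profile and a file share trips the rule after 30 files. Both rules raise one alert per process rather than one per event, which is what a SIEM correlation stage would want to receive.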
2. Effective Patch Management:
Patching has recently come into the limelight, as the main exploit used by the recent attacks was found to be easily prevented by applying a Microsoft Windows patch. An effective patch management system will definitely relieve your IT team of the frustration and sheer madness of scrambling to apply patches to fend off attacks.
By adopting an effective patch management system, the organisation would not only significantly lower the rates of virus infections, malicious attacks and data loss; the IT department would also gain efficiency, productivity and performance through effective use of human resources, by automating the patch deployment process.
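As an added example of what the automated part of patch management has to compute (this is illustration code written for this article, not the logic of any patch management product), the following Python compares a constructed update catalogue against a constructed host inventory, honours supersession so that a host holding the newer roll-up is not nagged for the older fix it replaces, and turns the gaps into a deployment queue ordered by how far past its severity SLA each host is. The KB names, hosts, dates and SLA windows are placeholders invented for this example, not real Microsoft update identifiers.

```python
"""Patch-compliance check over a constructed catalogue and inventory.

The update ids, hosts, release dates and SLA windows are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Patch:
    kb: str
    severity: str            # "critical" | "important" | "moderate"
    released: date
    supersedes: tuple = ()   # older update ids this one replaces


# Constructed catalogue; "KB-EXAMPLE-*" are placeholders, not real update ids
CATALOGUE = [
    Patch("KB-EXAMPLE-SMB", "critical", date(2017, 3, 14)),
    Patch("KB-EXAMPLE-SMB-ROLLUP", "critical", date(2017, 6, 13), supersedes=("KB-EXAMPLE-SMB",)),
    Patch("KB-EXAMPLE-OFFICE", "important", date(2017, 5, 9)),
    Patch("KB-EXAMPLE-FONTS", "moderate", date(2017, 6, 13)),
]
SLA_DAYS = {"critical": 7, "important": 30, "moderate": 90}   # assumed policy
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2}

# Constructed inventory: host -> set of update ids reported as installed
INVENTORY = {
    "fin-pc-07": {"KB-EXAMPLE-OFFICE"},
    "fin-pc-08": {"KB-EXAMPLE-SMB", "KB-EXAMPLE-OFFICE"},          # has the old fix, not the roll-up
    "dev-pc-02": {"KB-EXAMPLE-SMB-ROLLUP", "KB-EXAMPLE-OFFICE", "KB-EXAMPLE-FONTS"},
}


def missing_patches(installed, catalogue):
    """Current (non-superseded) patches the host lacks and no installed patch covers."""
    superseded = {old for p in catalogue for old in p.supersedes}
    current = [p for p in catalogue if p.kb not in superseded]
    covered = set(installed)
    for p in catalogue:
        if p.kb in installed:
            covered.update(p.supersedes)       # an installed roll-up covers what it replaces
    return [p for p in current if p.kb not in covered]


def compliance_report(inventory, catalogue, today, sla=SLA_DAYS):
    """host -> list of gap dicts, worst first (overdue, then severity, then oldest)."""
    report = {}
    for host, installed in inventory.items():
        gaps = []
        for p in missing_patches(installed, catalogue):
            age = (today - p.released).days
            gaps.append({"kb": p.kb, "severity": p.severity,
                         "days_since_release": age, "overdue": age > sla[p.severity]})
        gaps.sort(key=lambda g: (not g["overdue"], SEVERITY_RANK[g["severity"]], -g["days_since_release"]))
        report[host] = gaps
    return report


def deployment_queue(report):
    """Flatten the report into (host, kb) pairs in the order an automated deployment should run."""
    rows = [(host, g) for host, gaps in report.items() for g in gaps]
    rows.sort(key=lambda r: (not r[1]["overdue"], SEVERITY_RANK[r[1]["severity"]],
                             -r[1]["days_since_release"], r[0]))
    return [(host, g["kb"]) for host, g in rows]


if __name__ == "__main__":
    rep = compliance_report(INVENTORY, CATALOGUE, date(2017, 6, 28))
    for host, gaps in rep.items():
        print(host, gaps or "compliant")
    print(deployment_queue(rep))
```

Running this with a reporting date of 28 June 2017 lists the critical roll-up as overdue on both finance PCs (15 days since release against a 7-day SLA) while the moderate fonts update is missing but still inside its window, and the developer machine comes back compliant. The supersession step matters in practice: without it, fin-pc-08 would be told to install an update that the roll-up it actually needs already replaces.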
3. Effective Web Security:
Effective web security is essential to achieving comprehensive protection. While EPP and EDR are primarily focused on protecting the client end, effective web security is needed to protect the entire organisation from threats from the Web (where almost all threats reside).
This can only be achieved by adopting a robust firewall appliance with an assortment of features turned on. The firewall essentially protects the perimeter of the organisation’s network infrastructure by blocking viruses, malicious websites, phishing sites, etc. The same appliance can even help you manage your bandwidth consumption by blocking unnecessary traffic.
4. Effective Email Security:
As e-mail messages are often sent from external sources, there is no way to be sure who, from where, will send an e-mail to you at any point in time. However, in any business organisation, sensitive, private and confidential information is often communicated via e-mail. Due to the wide usage of e-mail to communicate with external organisations, it is naturally targeted by cyber criminals as a medium to orchestrate their attacks.
Attackers often view e-mail as an avenue to gain control and disrupt or even cripple an organisation’s IT functions. It is used to transport malware (trojans, ransomware, worms, spyware, etc.) and phishing, used as a point of entry to an organisation’s network, and may even be used by an unknowing authorised user to accidentally send out sensitive information.
Securing your mail system requires a multi-faceted approach. This often involves backing up your e-mails frequently, protection against malware, implementation of spam policies, enabling logging mechanisms so the organisation can use the collected data to detect intrusion attempts and facilitate investigations, and educating users on e-mail safety policies.
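Three of the facets listed above (malware protection, spam policy, and logging that a later investigation can use) can be seen working together in the added example below. It is written for this article, not taken from any mail gateway product: it parses constructed messages with Python's standard `email` package, applies an attachment policy, reads the SPF verdict from the `Authentication-Results` header the receiving mail server stamps on inbound mail, flags a display name that claims the company's own domain while the address is external, and emits one JSON log line per message for the SIEM. The company domain `example.com`, the blocked extension list, and all sample messages are constructed assumptions.

```python
"""Inbound mail policy check over constructed messages.

The company domain, the blocked-extension list and every sample message are constructed.
"""
import email
import json
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

INTERNAL_DOMAIN = "example.com"   # assumed company domain
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".bat", ".cmd", ".ps1"}


def _sample(from_hdr, subject, auth=None, attachment=None):
    """Build a raw RFC 5322 message string (constructed test data)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "accounts@example.com"
    m["Subject"] = subject
    if auth:
        m["Authentication-Results"] = auth
    m.set_content("Please see attached.")
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()


SAMPLES = {
    "internal": _sample("Amy Tan <amy@example.com>", "June AR figures"),
    "vendor": _sample("Bob <bob@vendor.example.net>", "Quotation",
                      auth="mx.example.com; spf=pass smtp.mailfrom=vendor.example.net; dkim=pass",
                      attachment=("quote.pdf", b"%PDF-1.4 constructed")),
    "phish": _sample("Finance example.com <billing@mail-example.net>", "Overdue invoice",
                     auth="mx.example.com; spf=fail smtp.mailfrom=mail-example.net",
                     attachment=("Invoice_June.pdf.exe", b"MZ constructed")),
}


def auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for token in str(hdr).replace(";", " ").split():
            key, sep, value = token.partition("=")
            if sep and key in ("spf", "dkim", "dmarc"):
                results[key] = value.lower()
    return results


def evaluate(raw):
    """Return (verdict, reasons, siem_log_line) for one raw inbound message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    external = sender_domain != INTERNAL_DOMAIN
    reasons = []
    if external and auth_results(msg).get("spf") == "fail":
        reasons.append("spf-fail")
    if external and INTERNAL_DOMAIN in display_name.lower():
        reasons.append("display-name-spoof")      # claims to be us, sent from elsewhere
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        # check every suffix so a double extension such as .pdf.exe is caught too
        if BLOCKED_EXTENSIONS & set(PurePosixPath(fname.lower()).suffixes):
            reasons.append(f"blocked-attachment:{fname}")
    verdict = "quarantine" if reasons else "deliver"
    log_line = json.dumps({"event": "mail_policy", "from": addr, "sender_domain": sender_domain,
                           "subject": str(msg["Subject"]), "verdict": verdict, "reasons": reasons})
    return verdict, reasons, log_line


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, evaluate(raw)[2])
```

The log line is the part most often skipped: recording the verdict and the reasons for every message, including the ones delivered, is what later lets an investigator answer "which other mailboxes received mail from that sender domain in the last month" without re-parsing the mail store.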
5. Effective User Privilege Management:
The impact of misused or compromised user accounts increases if users are given unnecessary system privileges or access rights. This not only opens the possibility of intentional or accidental misuse; it also increases an external attacker's capabilities if the account ends up in a malicious attacker's hands. All this would negate whatever security controls are in place, and if the attacker happens to strike with the right account, the tracks may easily be covered, making it difficult to trace and audit the source of the breach.
A privilege management program can assist in this area. Such a program helps the organisation create policies for privilege escalation and application control. IT administrators can easily limit the privileges, scripts and commands allowed, and elevate privilege rights on demand on an ad-hoc basis. Application control can also be put in place, with awareness to detect behavioural anomalies and automated intervention to greylist or block an application with malicious intent.
With these five measures in place, you could easily prevent malicious attacks, both outside-in and vice versa. This would not only protect your organisation's daily operations; it would also help maintain your company’s online reputation, which could easily be damaged when a threat uses your location as a distribution point to broadcast an attack.
A proper set of protocols must be put in place to guide the users in your organisation on the use and management of your IT assets, and of course specialised, area-focused applications and platforms need to be deployed to ease the management and operation of each role.
INStream Corporation has assisted several organisations in securing their workspaces with the help of role-specific tools and platforms from our vendors. With the robust cyber security experience accumulated over the years, INStream Corp can orchestrate a holistic solution to address your complex IT security needs.