Wednesday, June 28, 2017

Yet another case of cryware!

So, here it is. Yet another blog post about yet another case of cryware. I think I'll stop calling it cryptoware or malware; it's just cryware. Not crying over the damage it causes, but over how much of that damage could have been prevented with just a mantra of basic security hygiene.

Both WannaCry and Petya (or NotPetya) travel from node to node at an incredible pace. Truth be told, I am in awe of the sophistication of the toolset, while in shock at how many steps in the attack chain rely on easily avoidable weaknesses.

I am not going to repeat the inner workings of both malware versions because more technically skilled people can do that better, but let me keep hammering on the following security mantra. And I want to share that hammering with you, to prevent the screen below!

Always patch, patch, and patch

Seriously, just always patch. Always. Always patch and never exclude anything. I often get push-back on why this cannot work, and I ask why not. If you state that this cannot work, you don't grasp the importance of just patching everything.

We have enough to worry about with zero-days alone, without throwing known, patchable vulnerabilities into the mix. There is nothing you can do against zero-days until the patch has been released and installed. That is a part you cannot control, and therefore you can let it go. But as soon as there is a patch, just install it.

And what to patch? Well, everything that costs money, enables value or delivers value should be patched: from CCTV to IoT, computers, servers, network components, HVAC and more. And if no more patches are released, apply life cycle management in order to get patch management going again.

Seriously, no exceptions! When you do that as rigorously as I described, everyone will grow accustomed to it. The business and IT, as well as suppliers, employees and customers, will get used to the fact that you always patch, resulting in less worry about global cyber-attacks.
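To make the "patch everything, and where no patches are released apply life cycle management" rule concrete, here is a small triage script. It is an added example, not code from the original post; the asset records, dates and the 30-day threshold are constructed for illustration, and the three actions (`ok`, `patch`, `replace`) are my own naming. It runs over a constructed inventory that mixes servers, workstations, a camera, an HVAC controller and a switch, and decides per node whether patch management or life cycle management is the next step.

```python
"""Triage a constructed asset inventory: patch what can be patched, replace
what no longer receives patches. Added example; records and thresholds are
constructed, not taken from the post."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed policy threshold (assumption): a node whose last patch is older
# than this, with no newer vendor patch known, still gets checked and patched.
MAX_PATCH_AGE = timedelta(days=30)


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                         # "server", "camera", "hvac", "switch", ...
    last_patched: Optional[date]      # None means it was never patched
    vendor_eol: Optional[date]        # after this date the vendor ships no patches
    latest_available: Optional[date]  # newest vendor patch release, None if unknown


def triage(asset: Asset, today: date) -> str:
    """Return the next action for one asset: 'replace', 'patch' or 'ok'."""
    # No vendor patches any more: patch management cannot work for this node,
    # so life cycle management (replacement) has to restart it.
    if asset.vendor_eol is not None and asset.vendor_eol <= today:
        return "replace"
    # Never patched at all.
    if asset.last_patched is None:
        return "patch"
    # A newer vendor patch exists than the one last applied.
    if asset.latest_available is not None and asset.latest_available > asset.last_patched:
        return "patch"
    # Nothing newer is known, but the node has not been touched for too long:
    # verify against the vendor and patch.
    if today - asset.last_patched > MAX_PATCH_AGE:
        return "patch"
    return "ok"


def triage_inventory(assets: List[Asset], today: date) -> Dict[str, str]:
    """Map every asset name to its action."""
    return {asset.name: triage(asset, today) for asset in assets}


# Constructed inventory (all names and dates are made up for the example).
SAMPLE_INVENTORY = [
    Asset("file-srv-01", "server", date(2017, 6, 14), None, date(2017, 6, 14)),
    Asset("lobby-cam-03", "camera", None, None, date(2016, 11, 1)),
    Asset("hvac-ctl-01", "hvac", date(2014, 3, 1), date(2015, 12, 31), date(2015, 10, 1)),
    Asset("ws-finance-07", "workstation", date(2017, 3, 14), None, date(2017, 6, 13)),
    Asset("core-sw-02", "switch", date(2017, 4, 1), None, None),
]

if __name__ == "__main__":
    for name, action in triage_inventory(SAMPLE_INVENTORY, date(2017, 6, 28)).items():
        print(f"{name:15} {action}")
```

The point of the `replace` branch is the post's own: an end-of-life camera or HVAC controller is not a node you can "exclude", it is a node for which patch management has silently stopped, and the only way to get it going again is to replace the device.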

Always use anti-malware, but not only that...

I cannot stress enough that anti-malware is still a required piece of security defense in your arsenal of controls. I agree beforehand that anti-virus is pretty much dead (well, almost), but anti-malware and anti-exploit are not. So you will need anti-virus, anti-malware and anti-exploit for both unknown and known pieces of malicious code on pretty much every node.

For instance, Windows Defender for consumers only does anti-virus and anti-malware for known pieces of malicious code. It does not cover anti-exploit and does not cover unknown threats. From a security perspective it is weak protection (although something is better than nothing).

There are both business and consumer security solutions that cover all of these elements. Please install those tools on every operating system for which such solutions exist: Windows, Linux, macOS and likely also Android and iOS, if there are any for them. The reason is twofold.

One is preventing cross-contamination. Why not stop Windows malware from spreading through email while you are working in a Linux or macOS environment? It's called herd protection. It's nice of you not to forward malware to friends, family and co-workers. Really, they will appreciate it!

Two: while there might not be viruses for Linux and macOS, both operating systems can be infected with malware or exploited through exploit kits by hackers. Yeah, it's possible, really! Assuming you are safe with a non-Windows endpoint is the first step on the road to epic security failure and, in all fairness, it shows a lack of awareness.

Never ever work under administrative privileges...

One of the key mantras is to never ever work under administrative privileges. Always use UAC (User Account Control) or separate administrator/root accounts. System modifications should not be possible with the account you use as your daily driver (for Internet, Office and what not).

Never ever do your maintenance work from an endpoint that has direct access to the Internet. Malware installed using privileged accounts is a headache to overcome, because it spreads so easily to other nodes, especially with privileged accounts that go beyond being a local administrator.

And while you are at it, always change the default password of the privileged accounts on everything.

Use a firewall!

Say what? Yeah, I said it. Use a firewall. There should always be a firewall in your network (for home users it is often the router). Depending on budget it can be either a smart and expensive one, or a basic and cheap/free one.

A firewall helps limit traffic that should not be there. It can help prevent traffic getting in from outside sources and, when configured properly (e.g. by disabling UPnP), it can help prevent traffic going out that should not go out. It's about hindering communications to the command and control server of the malware, which is nice for you and for others.

On many operating systems there is a so-called local firewall. Enable it (or at least don't disable it). Most often you can configure it to your needs and let it help limit the options to break into or out of the system. That is nice, because you don't want your other systems getting infected.

Firewalls of any type are by themselves far from a guaranteed solution, but they can help prevent infection or prevent the spread of an infection from the Internet. Again, people will appreciate it!
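The two firewall properties the section relies on, default-deny with a short outbound allow list and no dynamically opened inbound holes (UPnP off), can be shown with a small first-match policy evaluator. This is an added example, not code from the original post or from any firewall product; the rule format, the `Rule`/`Conn` types, the LAN range and the connection attempts are all constructed, and 203.0.113.0/24 and 198.51.100.0/24 are the documentation address ranges. The same four attempts are evaluated twice: once against a base gateway policy, and once against that policy after a UPnP-style pinhole has been added in front of it.

```python
"""First-match firewall policy evaluation over constructed connection attempts.
Added example; all rules, addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (Internet to LAN) or "out" (LAN to Internet)
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR the source address must fall in
    dst: str              # CIDR the destination address must fall in
    dport: Optional[int]  # destination port, None matches any port


@dataclass(frozen=True)
class Conn:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, conn: Conn) -> bool:
    """True when every field of the rule covers the connection."""
    return (
        rule.direction == conn.direction
        and rule.proto in ("any", conn.proto)
        and ip_address(conn.src) in ip_network(rule.src)
        and ip_address(conn.dst) in ip_network(rule.dst)
        and rule.dport in (None, conn.dport)
    )


def evaluate(policy: List[Rule], conn: Conn, default: str = "deny") -> str:
    """First matching rule wins; an unmatched connection gets the default (deny)."""
    for rule in policy:
        if matches(rule, conn):
            return rule.action
    return default


LAN = "192.168.1.0/24"          # constructed home/office LAN
ANY = "0.0.0.0/0"
GATEWAY_DNS = "192.168.1.1/32"  # the router acting as local resolver

# Base gateway policy: nothing inbound, outbound limited to web and local DNS.
BASE_POLICY = [
    Rule("out", "allow", "tcp", LAN, ANY, 443),
    Rule("out", "allow", "tcp", LAN, ANY, 80),
    Rule("out", "allow", "udp", LAN, GATEWAY_DNS, 53),
]

# The same policy after a UPnP-style request opened an inbound pinhole to one host.
UPNP_POLICY = [Rule("in", "allow", "tcp", ANY, "192.168.1.20/32", 445)] + BASE_POLICY

# Constructed connection attempts seen at the gateway.
ATTEMPTS: Dict[str, Conn] = {
    "browse_https": Conn("out", "tcp", "192.168.1.20", "203.0.113.10", 443),
    "local_dns": Conn("out", "udp", "192.168.1.20", "192.168.1.1", 53),
    # Outbound to an unexpected port, the shape of a malware C2 call-home.
    "unexpected_egress": Conn("out", "tcp", "192.168.1.20", "198.51.100.7", 4444),
    # Inbound SMB from the Internet to a LAN host.
    "inbound_smb": Conn("in", "tcp", "198.51.100.7", "192.168.1.20", 445),
}


def audit(policy: List[Rule], attempts: Dict[str, Conn]) -> Dict[str, str]:
    """Evaluate every attempt against the policy and return name -> verdict."""
    return {name: evaluate(policy, conn) for name, conn in attempts.items()}


if __name__ == "__main__":
    for label, policy in (("base", BASE_POLICY), ("upnp", UPNP_POLICY)):
        print(label, audit(policy, ATTEMPTS))
```

With the base policy the unexpected egress and the inbound SMB attempt both fall through to the default deny; the UPnP pinhole changes only the inbound verdict, which is exactly the kind of hole the section says to close by disabling UPnP. Real firewalls add state tracking and many more match fields, but the first-match-then-default-deny structure is the part worth understanding.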

Below is a small summary of my points above.
  • Always apply patch management and life cycle management.
  • Always utilize anti-malware, -virus, and -exploit solutions for both known and unknown code.
  • Never do daily work with a privileged account, never use such an account while connected to the Internet and always change the default password.
  • Use a network firewall to limit inbound and outbound traffic that should not be there. And use a local firewall for the same purpose.

There is far more that can be done of course, and you should never lean back and think that you are done. But when you really have these controls in place, you can call up your CEO, CTO, CIO, CFO or whatever C-level manager and say that, in the case of an ongoing global attack, nothing more can be done, while spreading a subliminal message for more budget to increase the capability of security incident response.

And in the meantime I'll just look out the Cyber-window and cry, yet again, over cryware rampaging in our Cyber-world which affects our Physical-world.
