Friday, May 12, 2017 saw possibly the largest ransomware cyber-attack ever to take place. The attack involves a downloaded application delivered by e-mail. Once someone in the organization opens the e-mail, your hard drive(s) and data are encrypted, so you are no longer able to get to the data. The attackers then notify you on how to contact them and pay the ransom, hence the name ransomware. There is no known recovery once the hard drives and data are encrypted. Paying the ransom only guarantees that you will have given a criminal and/or terrorist funds. Even if the code they give you to decrypt your data works, you can no longer be sure they can’t return and do it again any time they want to. Once the code is in your system you might as well throw the system away. The spread has been stopped for now, but this type of risk is always present as long as you keep electronic data records.
Protect yourself and your business.
To protect yourself perform the following actions immediately.
- Backup your system to a removable media device (USB, DVD, Cloud device, etc.).
- Update your Windows OS to include the MS17-010 security patch.
- Update any antivirus/antimalware software immediately.
- Updates should be automated on personal systems, smart phones and pads.
- You should have this type of software on all personal devices.
- Do not rely on your Internet provider to provide this service.
- Implement a regularly scheduled backup plan with incremental daily backups.
- Create a separate account for your personal use and stop using the Administrator account except where required by software. Administrator has special privileges you don’t want your personal account to have in case it gets compromised/hacked.
- Use a cloud based backup service/software, not a cloud based device, to backup your system(s). Any shared device like a cloud based device will be affected by this type of malware.
What made this attack special is its ability to puncture through all types of security applications including Network and System specific software.
As general rules:
- If you use any internet service of any kind you are subject to being hacked.
- Automate the tasks that will protect your system and data as much as possible (Backup, Patching, and Software Updates).
- Never open an e-mail you are not expecting. Verify if you are not sure about who sent it.
- Never click an embedded link. Example: http://www.anything.com. Type it into the browser yourself.
- Never open an attached document or file without scanning it at a minimum.
- Do not trust any Facebook content or request as it is the most hacked platform in existence.
- Facebook, LinkedIn, Twitter, MSN, Yahoo, Instagram, Tumblr and Snapchat do not provide user level protection to anybody. At best they scan for superficial issues, not whether the links, external content, or even members are free of damaging material.
- Always remember you are playing on the Information Super Highway and just like any Interstate there are good drivers, bad drivers and clueless drivers, so pay attention or suffer the consequences.
NOTE: Even if you run your business in the cloud you need to perform these actions. Your end user systems can compromise your Cloud data and services and replication will not protect you.
If you own or are responsible for a business and its computing resources you have quite a bit of work to do.
- For all of your End User devices (PC, Laptops, Smartphones, and Pads) follow the directions above about securing your devices. You can contact Texasonthego.com for help or hire a service to help you perform these tasks.
- Implement an E-mail scanning application and keep it updated. E-mail is becoming the most used attack vector for malicious actors.
- Make sure your infrastructure systems and services are being maintained, upgraded and secured as part of your Information Technology (IT) planning process.
- Patch everything in your Infrastructure effective immediately. Make sure the OS, Firmware, and all major applications are compliant to take current Security Updates. This may require forcing Software Vendors to implement patching to secure your business.
- Backup, Recovery, Archive and Business Continuity are not all the same thing. Know the differences and what your business needs to survive this type of attack.
- Backup stores a copy of your data on another device. Unless you restore from it, all it does is give you a static point you can possibly return to. A daily, weekly, monthly and yearly plan should exist for every piece of data in your organization, hard copy as well as soft copy.
- Recovery is getting the system and data back to a production system. The time it takes you to achieve this is important as it will play a role in all of your other processes. If you cannot get back to business in an acceptable time frame all of your other expenses are meaningless. Recovery Time Objective and Recovery Point Objective (RTO/RPO) are the terms used to describe these processes.
- Archive is the long term storage of data and services; however, it also covers what type of non-electronic records you need to retain. If archiving electronic records, remember to keep a device capable of reading the format and data type stored, and if you cannot, you will need to migrate your archives over time as well. Most media over 5 years old is no longer supported.
- Business Continuity is about how important your electronic records are and how you keep your business running, whether during standard business hours, always on, or in case of a disaster. Cloud technologies have made this easier, but there are limits to that technology like any other. Local replication and recovery sites also have advantages and disadvantages. Contracts and Service Level Agreements become critical in this area. You will still need Backup, Recovery and Archive in your Business Continuity planning even if your stated goal is always on and available.
- It is important to realize that even though the vector of attack is through e-mail, it is the Servers and Shared Data that are the target. The more people put out of work the better.
- Security patches of the OS on your Server Architecture are a must, and in this case a known Microsoft issue as well as a TCP port exploitation were being utilized. Details can be found in the attached PDF file provided by the Cyber Security Defense teams.
- Antivirus and Anti-Malware software are available for physical and/or virtual server systems (VM’s). Make sure you are protecting all the possible ways of attack. Virtualization does not protect you, and if the malware gets to the platform your VM’s are running on, all of your VM’s can be compromised. A cascading failure of every server on that hardware will occur.
Note: The FBI recommends that if you are attacked you do not pay the ransom. It is a business decision, but you should follow the general practice of hostage negotiations. Paying does not guarantee that you and your data will be safe.