WannaCry Post Mortem – Planning for the Next One

It’s been a very rough couple of days in cyber security world. It does appear that WannaCry was as bad as the predictions thought. The revenue generated (yes the hackers refer to it as revenue) is still growing. Unfortunately, crime pays in this era of ransomware.

As I walked out of the office Friday night before I thought about our internal environment and I was not very stressed. It wasn’t because we are an IT services company and “everyone’s an IT guy”. It was because of the countermeasures which we already have in place. I’d like to detail those countermeasures so you can see what we do in an effort so that you can have a bit less stress on your Friday night.

Security Awareness Training/Anti-phishing Exercises

The initial vector for infection for any ransomware are users clicking malicious links in emails. WannaCry is no different as this is also a very common vector. Our marketing team says I use the term “no-brainer” too much but this one truly is. Security Awareness Training is extremely cost effective for the numerous benefits. This type of training makes for smarter users and is a powerful tool for combating the next big cyber security affair.

Advanced Email Security

If you have no mail filtering or only the default from your mail provider it’s likely not enough. You need your provider to be in the business of repelling email-borne attacks and a feature that’s a nice-to-have. Specifically, a service that includes URL protection is key. If you are wondering if you have this even as someone who is not directly involved in your technology strategy, my answer is you know it when you see it. If you don’t see your email links like GoToMeeting or Webex being forwarded to another website before it loads, it’s likely you do not have this. It’s a good plan to ask the question directly to your IT staff or provider if you have this feature.

Advanced Security Services on Your Perimeter

This solution is known by many terms: Unified Threat Management, Gateway Antivirus, and Sandboxing. Regardless, the concept is that if the traffic coming into the network is being properly scanned, the threats stay on the outside. The firewall vendors released their protection signatures for this exploit several weeks ago. It’s highly unlikely that a user or server behind this type of properly configured device can be infected. As an aside, we’ve run into more than a few scenarios where a customer had opted not to turn on security services or simply forgot to turn it on. Our managed products come with these services enabled as a standard feature.

A Note About Post Infection Restoration and Bitcoins

Your best way out of an infection is restored from backup. Some disaster recovery products allow for a very fast recovery of servers. Typically, DR products offer a lot more than site replication and recovery from cyber-attack can be one of those hidden benefits.

When infection hits and you are without backup, many agencies recommend not to pay the ransom. This may not be realistic for some and we recognize that. We are in the business of helping business repel these attacks and we are not endorsing the payment of ransom. Now that I’ve added this disclaimer, I do believe every business should carry some amount of bitcoin in case of emergency. That emergency may not ransomware and if you attempt to acquire this type of currency in a hurry, it will be very difficult. Making a small investment in bitcoins may help you in other transactions and the global economy evolves.

As a final note, I want to encourage everyone who did not get infected to take a long hard look at this event. How much time prior to this did you consider what might happen if your business was infected? The time to budget for a smoke detector isn’t when your house is in flames. That is a dramatic situation but we see businesses underestimating their security protection regularly. Use this opportunity to improve your defenses by discussing what else can be done to prepare you for the next big one.