The PR pitches came hard and heavy all weekend, offering various security experts’ advice on WannaCry. My top takeaway? This is the same story I wrote about CryptoLocker back in 2015, with a few different riffs. Yes, WannaCry is particularly virulent (thanks, ShadowBrokers). But if customers had taken the advice shared by experts two years ago, and kept up with these best practices, they would be unscathed, because Microsoft patched the vulnerability WannaCry exploits back in March.
Let’s go over the basics again. Feel free to cut ’n’ paste and send to customers.
- Keep all software up-to-date and patched. Most ransomware exploits known vulnerabilities for which software vendors have issued fixes. If you are running an unsupported (read: manufacturer no longer puts out security patches) or bootleg version of software, get a new plan. Looking at you, Windows XP users.
- Use a good e-mail spam filter service. Most malware gets in when an end user clicks on a link or downloads an attachment that looks legit, but isn’t. By weeding out a large percentage of phishing emails, a key benefit of spam filters, you reduce the odds of a user being fooled. It’s simple math.
- Educate all end users regularly, and have a signed security policy. Data security is not the job of the security team. It’s up to everyone. Schedule monthly or quarterly lunch-and-learn sessions where an IT team member or your service provider goes over the latest phishing techniques. Have all employees, from the CEO on down, sign an agreement covering expectations. You don’t need to start from scratch; Google “security policy templates” and you’ll find plenty of companies offering help, or for a free DIY template, look for the SANS link.
- Have an isolated backup plan. Unfortunately, some malware will sit idle on your servers for a length of time in an effort to get swept into, and then encrypt, your backups, so keep isolated, point-in-time snapshots. Continually overwriting a single backup copy means you will back up the malware along with your data. Ask your backup and disaster-recovery provider about isolated recovery solutions that are stored in an off-site, secure location that’s walled off from production facilities.
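Here is an added example, not from the original post, that models the point above in Python: a backup mirror that is overwritten on every sync versus append-only, point-in-time snapshots, both run through a constructed ransomware event. The file paths, file contents and the `WNCRY` marker are made up for the simulation; the point it makes is that only the snapshot store can walk back to a clean copy.

```python
"""Point-in-time snapshots vs. an overwrite-in-place mirror.

Constructed illustration (not from the original post): two backup
strategies are fed the same production data, a simulated ransomware
event overwrites production in place, the nightly backup jobs run
anyway, and we check which strategy can still restore clean files.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class MirrorBackup:
    """Continually overwritten copy: always reflects the latest production state."""
    files: Dict[str, bytes] = field(default_factory=dict)

    def sync(self, production: Dict[str, bytes]) -> None:
        # Each sync replaces the previous copy, so damage propagates immediately.
        self.files = deepcopy(production)

    def restore(self) -> Dict[str, bytes]:
        return deepcopy(self.files)


@dataclass
class SnapshotBackup:
    """Append-only, point-in-time snapshots; an existing snapshot is never overwritten."""
    snapshots: List[Tuple[str, Dict[str, bytes]]] = field(default_factory=list)

    def take(self, label: str, production: Dict[str, bytes]) -> None:
        self.snapshots.append((label, deepcopy(production)))

    def restore(self, label: str) -> Dict[str, bytes]:
        for name, files in self.snapshots:
            if name == label:
                return deepcopy(files)
        raise KeyError(f"no snapshot named {label!r}")

    def latest_clean(self, is_clean: Callable[[bytes], bool]) -> Optional[str]:
        """Walk back from newest to oldest and return the last snapshot with no encrypted files."""
        for name, files in reversed(self.snapshots):
            if all(is_clean(content) for content in files.values()):
                return name
        return None


# Constructed marker used only by this simulation to tag "encrypted" content.
ENCRYPTED_MARKER = b"WNCRY"


def simulate_ransomware(production: Dict[str, bytes]) -> None:
    """Overwrite every production file in place with a tagged, scrambled blob (simulation only)."""
    for path in production:
        production[path] = ENCRYPTED_MARKER + bytes(reversed(production[path]))


def is_clean(content: bytes) -> bool:
    return not content.startswith(ENCRYPTED_MARKER)


def run_scenario() -> Dict[str, object]:
    # Constructed sample data.
    production = {"/data/q1.xlsx": b"quarterly numbers", "/data/plan.docx": b"roadmap"}
    mirror, snaps = MirrorBackup(), SnapshotBackup()

    # Day 1: both backups are taken from a clean system.
    mirror.sync(production)
    snaps.take("day1", production)

    # Day 2: ransomware encrypts production; the nightly jobs run regardless.
    simulate_ransomware(production)
    mirror.sync(production)         # the mirror now faithfully backs up the damage
    snaps.take("day2", production)  # day2 is bad, but day1 is untouched

    clean_label = snaps.latest_clean(is_clean)
    return {
        "mirror_restorable": all(is_clean(c) for c in mirror.restore().values()),
        "clean_snapshot": clean_label,
        "snapshot_restorable": clean_label is not None
        and snaps.restore(clean_label)["/data/q1.xlsx"] == b"quarterly numbers",
    }


if __name__ == "__main__":
    print(run_scenario())
```

The retention window matters as much as the snapshot itself: `latest_clean` only finds a good copy if snapshots are kept longer than the malware's dwell time, and the store has to be isolated so the same credentials that encrypted production cannot delete or overwrite it.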
- Test your disaster-recovery plan regularly. Could you wipe systems to bare metal and start over, while keeping employees productive in a pop-up environment? That’s the best-case response to the worst-case ransomware scenario. The moment the clock starts ticking on a pay-up-in-bitcoin-or-lose-your-data deadline is not the time to find out whether your DR plan works. Modern DRaaS providers allow for, and encourage, regular drills. If yours doesn’t, find one that does.
- Don’t think that because you use a public cloud you’re immune. AWS, Azure and other providers have a shared responsibility model. In general, from the virtual machine on up, patching and other security precautions are 100 percent the customer’s responsibility. Both AWS and Azure will send alerts if they see you doing something stupid, so pay attention.
- Follow and support industry efforts like #NoMoreRansom. Ransomware is getting more sophisticated. If an attack group really wants to take down a particular company, it can use malware that penetrates a hard drive’s firmware, or even figure out the company’s backup and data-retention schedule and lie in wait. Industry consortiums like the No More Ransom project work to take down these groups and issue decryption keys. The site is an excellent resource for up-to-date information.
A few final thoughts: Be prepared with a bitcoin wallet, just in case. Don’t dither. Decide if it’s feasible to go to bare metal and restore. If not, pay up sooner rather than later. Circle back and find out how they got in — then close the door. Report the breach to insurers and local and federal law enforcement.
Follow editor in chief @LornaGarey on Twitter.