WannaCrypt and Petra: Lessons Learned

Lots of talk about the lessons that should be learned from the recent spate of ransomware out breaks, namely WannaCrypt and Petya.
I think one of the main lessons learned is that the security services shouldn’t be hoarding zero days and tools to exploit them, (especially) if they can’t properly secure them.

The thing to remember, however, is that WannaCrypt and Petya both had patches available (probably because Microsoft where tipped off in advanced) before they hit and both also took advantage of poor configuration.

Additionally, many organisations that were hit hard could have avoided some (possibly all) pain if they had standard belts and braces security practices in place.

The main lesson organisations should learn is that they should get the basics right.

For example:

Vulnerability Management

Conduct regular vulnerability scanning, understand the security posture of all assets and what vulnerabilities are present, what threats are related to these vulnerabilities, and what risk they pose to the IT estate and the business it serves.
This includes both missing patches (i.e. MS17-010) and poor configuration (i.e., having SMBv1 enabled).

This should all be supported by proper processes that allow for ongoing discovery, remediation of vulnerabilities (either via action or risk acceptance) and confirming remediation.

Ideally, all risks across the entire IT estate should be known about and managed.

Additionally, roles and responsibilities should be assigned to ensure that all of the above is done correctly. This includes security managers, security analysts, vulnerability managers IT technicians etc.

Patch Management

Ensure that patches are deployed in a timely manner. This doesn’t just mean pushing the latest Patch Tuesday patches. This also includes understanding what software you have in your IT estate and having a full inventory of assets to make sure everything is patched.

Removable Media Controls

Ensure removable media is limited to devices that are sanctioned only. Ideally, I would blacklist all removable media and whitelist anything that you approve. (This is just my view, however)

Malware Prevention

Ensure you have some kind of AV on all end points, at least the classic heuristics and definition based AV (although there are more advanced solutions available), and make sure it is up to date and working.

Disaster Recovery

Ensure you have backups, including off-site, off-line backups of critical data.

Incident Management

Ensure you have a plan to react to a major security incident; ensure you have the right people in the right places supported by the right processes.
Control User Privilege

This one goes without saying really: make sure that all users have the least amount of privilege possible. This should be supported by processes to ensure that this is audited regularly.

User Education and Engagement

Ensure all staff understand the security policy of your organisation. Conduct exercises such as phishing campaigns to test your users and provide training to allow them to understand the risks involved and be better prepared to spot pushing emails, pushing web sites, social engendering etc. (Again, this is just a view, some people may suggest that security shouldn’t be a user problem; it should be an IT problem)

Good Network Security Hygiene

Have the correct access controls, know what is on your perimeter, ensure you have properly configured firewalls at all appropriate places in your network (with regular rule audits and reviews), have IDS/IPS where required and make sure that VLANS are properly setup with as much segmentation as is required. Ensure that all remote users can connect securely and that any devices they connect from have at least 1-to-1 patch levels as devices already on the network. Also, make sure that you have robust BYOD controls.