Pub. 5 2017 Issue 2
switches, it explains how you can monitor multiple network segments without the need to remember what is connected to what switch port. If you don’t use Cisco switches, there is an excellent resource on the Wireshark wiki site which looks at how to set up monitoring on other switches.

Four things to monitor in order to detect WannaCry:

1. Check for SMBv1 use
2. Check for an increase in the rate of file renames on your network
3. Check for any instances of the file @Please_Read_Me@.txt on your file shares
4. Check for any instances of files with these extensions
   a. .wnry
   b. .wcry
   c. .wncry
   d. .wncryt

There is one caveat though: this infection moves out like lightning from patient zero, and all vulnerable machines are locked in less than two minutes, so monitoring alone would not be enough to stop this monster. Here is a video showing a machine on the left infected with the MS17-010 worm, spreading WCry ransomware to the machine on the right in real time.

How Can You Stop Attacks Like These in the Future?

Ransomware attacks like WannaCry are not going to become less frequent. This new global ransomware outbreak is going to spawn more copy-cats and inspire others to get more creative with their malware. We haven’t seen “the big one” yet, but this is close. Here are a few things you can do to put your organization in the best position to defend against or respond to major attacks like WannaCry:

1. Ensure you have a consistent, repeatable Patch Management program. Failing to patch your workstations, servers, and devices in today’s world is akin to signing your business’ death warrant. Patch your devices religiously.
2. Employ the highest quality Data Backup Program you can implement technically or financially. Backups today are CHEAP, especially compared to the cost of being unable to recover. If you can, back up to multiple locations (having both an online and offline copy is recommended), and test your backups regularly.
3. Deploy new-school security awareness training using a product like KnowBe4, which includes simulated social engineering tests via multiple channels, not just email.
4. Check your firewall configuration and monitor all outbound traffic to make sure no criminal network traffic is leaving your network. If you do not know how to monitor your internal or outbound traffic, consider investing in a Security Information and Event Management system (managed or local).
5. Disable and/or block SMBv1 on all machines immediately. See this guide from Microsoft on how to disable SMBv1, and/or block SMBv1 ports on network devices, including UDP ports 137, 138 and TCP ports 139, 445.
6. If your organization does not implement a Secure Email Gateway (SEG), consider adding SEG as an additional security layer. Make sure your SEG is able to perform URL filtering and that it’s tuned correctly to your organization.
7. Review your Vendor Management Program. If you utilize third parties to manage your network, host confidential customer information, or provide critical, hosted applications in the cloud, check with your vendor to discuss how WannaCry may affect their organization or the availability of your information or systems.
8. Update your Incident Response Plan. Make sure your Incident Response Plan has procedures for protecting, detecting, and responding to ransomware attacks. Test your IRP frequently using real-world scenarios and update your plan with new discoveries or gaps identified in testing.

How SBS Can Help

If you are looking for some additional information around cybersecurity risk management, implementing cybersecurity controls, and Information Security Programs, SBS Information Security Consultants and IT Auditors have worked with over 1500 organizations across the United States to mitigate the risk of cyber attacks.
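The three file-level checks from the detection list above (rename-rate spikes, the @Please_Read_Me@.txt note, and the .wnry/.wcry/.wncry/.wncryt extensions) can be scripted against a file-server audit log. This is an added example, not code from the article or from SBS; the log format (time | host | user | op | detail), the sample lines and the rename threshold are assumptions, and the SMBv1 check is a network-level check not covered here.

```python
from collections import Counter
from datetime import datetime

# Indicators named in the article: the ransom note filename and the encrypted-file extensions.
RANSOM_NOTE = "@Please_Read_Me@.txt"
EXTENSIONS = (".wnry", ".wcry", ".wncry", ".wncryt")

# Constructed file-server audit log (format is an assumption: "time | host | user | op | detail").
SAMPLE_LOG = r"""
2017-05-12 10:00:05 | FS01 | alice | OPEN | \\FS01\share\budget.xlsx
2017-05-12 10:03:10 | FS01 | bob | RENAME | \\FS01\share\q1.docx -> \\FS01\share\q1.docx.WNCRY
2017-05-12 10:03:11 | FS01 | bob | RENAME | \\FS01\share\q2.docx -> \\FS01\share\q2.docx.WNCRY
2017-05-12 10:03:12 | FS01 | bob | RENAME | \\FS01\share\q3.docx -> \\FS01\share\q3.docx.WNCRY
2017-05-12 10:03:13 | FS01 | bob | RENAME | \\FS01\share\q4.docx -> \\FS01\share\q4.docx.WNCRY
2017-05-12 10:03:14 | FS01 | bob | RENAME | \\FS01\share\q5.docx -> \\FS01\share\q5.docx.WNCRY
2017-05-12 10:03:15 | FS01 | bob | CREATE | \\FS01\share\@Please_Read_Me@.txt
2017-05-12 10:07:30 | FS01 | carol | RENAME | \\FS01\share\draft.txt -> \\FS01\share\final.txt
"""

def parse_line(line):
    ts, host, user, op, detail = (f.strip() for f in line.split(" | ", 4))
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "user": user, "op": op, "detail": detail}

def target_path(event):
    # For a rename the indicator is the destination name (right of "->").
    return event["detail"].split("->")[-1].strip()

def scan(log_text, rename_threshold=5):
    """Return the three file-level WannaCry indicators found in an audit log."""
    findings = {"ransom_note": [], "extensions": [], "rename_bursts": []}
    renames_per_minute = Counter()
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        path = target_path(event)
        name = path.rsplit("\\", 1)[-1].lower()
        if name == RANSOM_NOTE.lower():
            findings["ransom_note"].append(path)
        if name.endswith(EXTENSIONS):
            findings["extensions"].append(path)
        if event["op"] == "RENAME":
            # Bucket renames per host and minute; a burst is the "increase in rate" signal.
            minute = event["ts"].strftime("%Y-%m-%d %H:%M")
            renames_per_minute[(event["host"], minute)] += 1
    for (host, minute), count in sorted(renames_per_minute.items()):
        if count >= rename_threshold:
            findings["rename_bursts"].append((host, minute, count))
    return findings

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_LOG).items():
        print(kind, hits)
```

Tune the rename threshold to the normal per-minute rename rate of each file server; the one-rename-per-minute case from the sample (carol at 10:07) is ordinary user activity and is not flagged.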
If you are not sure what to do to prevent cyber attacks or to recover from one, SBS will work with you to make the best preventative or recovery decisions possible for your organization. Three (3) ways you can test your organization right now for cyber threats include testing your People, your Processes, and your Technology.

SBS CyberSecurity is one of the largest resellers of the KnowBe4 phishing email assessment software, which helps train users on how to identify and mitigate phishing email attacks, as well as to assess that training in a low-risk, real-world phishing scenario. Learn more here: https://sbscyber.com/products/sbsknowbe4/

You can also test your network for known vulnerabilities, making sure that all patches have been implemented on your network, with a Network Security Assessment. Learn more about your options here: https://sbscyber.com/auditing/networksecuritytesting/

Finally, you can test your processes (policy, procedure, and governance) with an External IT Audit. Learn more here: https://sbscyber.com/auditing/itaudit/

For additional information security updates or assistance with anything information security related, please visit us at www.sbscyber.com and let us know how we can help!

Sources

https://blog.knowbe4.com/ransomware-attack-uses-nsa-0-day-exploits-to-go-on-worldwide-rampage
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
https://www.engadget.com/2017/04/14/shadow-brokers-dump-windows-zero-day/
https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html
https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/
http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/
http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html