Over the past few days, cyber threats and cybersecurity have taken center stage for business and government organizations alike. The ‘WannaCry’ ransomware does not discern between businesses, governments, or individuals and has been a significant threat to computing environments since it began its assault on Friday, May 12, 2017. According to the FBI, this new form of ransomware “has impacted numerous organizations with reports of tens of thousands of infections in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan.”
The ransomware trend will continue to get worse. It is important for all companies, both large and small, to have a strategy to protect and recover from ransomware attacks. No one wants to see any organization or person fall victim to these attacks. Whether you are a CenturyLink customer or not, we are providing the strategic and immediate steps for you to take now to help protect your organization.
Please read the steps below carefully and incorporate them as you move forward with protecting your environment.
- Ensure that critical systems are backed up regularly, and that the backup files are not accessible from the system being backed up (offline, or on storage the source host cannot write to). This backup is your ‘fail-safe’ in the event all other protections fail. Quick Tip: If you can reach and modify the backup files from the system being backed up, ransomware running on that system can reach and encrypt them too.
- Use spam and malware email filters to prevent phishing or malicious emails from reaching the end users. Implement a very strict attachment policy, and forbid executable attachments from being delivered.
Quick Tip: We suggest blocking the following file attachments: .ADE, .ADP, .BAT, .CHM, .CMD, .COM, .CPL, .EXE, .HTA, .INS, .ISP, .JAR, .JS, .JSE, .LIB, .LNK, .MDE, .MSC, .MSI, .MSP, .MST, .NSH, .PIF, .SCR, .SCT, .SHB, .SYS, .VB, .VBE, .VBS, .VXD, .WSC, .WSF, .WSH.
- If you operate your own mail server, authenticate inbound email using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to reject spoofed sender domains.
- Install Antivirus (AV) software and configure it to update automatically, at least daily and multiple times per day if the product supports it.
Quick Tip: With the way modern AV software works, keeping its signatures and engine current matters more than frequently scanning the entire hard drive. A full scan once a week is sufficient.
- Ensure your computing systems are patched regularly.
- Implement the principle of least privilege for all user accounts and file access. No users should be assigned administrative access unless absolutely necessary.
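As an added example (not part of the original post), the attachment policy above expressed as Exchange transport rules. It assumes an Exchange Server or Exchange Online PowerShell session where New-TransportRule is available; the rule names and reject text are ours. The second rule is the caveat a mail administrator will want: extension matching looks only at the file name, so a renamed executable slips past it, whereas -AttachmentHasExecutableContent inspects the file type.

```powershell
# Added example, not from the original post. Assumes an Exchange management
# session; rule names and reject text are our own choices.
$blockedExtensions = @(
    'ade','adp','bat','chm','cmd','com','cpl','exe','hta','ins','isp','jar',
    'js','jse','lib','lnk','mde','msc','msi','msp','mst','nsh','pif','scr',
    'sct','shb','sys','vb','vbe','vbs','vxd','wsc','wsf','wsh'
)

# Rule 1: reject external mail carrying any listed extension (name-based match).
New-TransportRule -Name 'Block executable attachments by extension' `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageReasonText 'Attachment type not permitted by policy.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Comments 'Extension list from the WannaCry advisory. Review before extending.'

# Rule 2: reject executables regardless of file name (content inspection), so a
# payload renamed to .txt or .pdf is still caught.
New-TransportRule -Name 'Block executable attachments by content' `
    -FromScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable content not permitted by policy.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# Verify both rules are enabled and in the expected order.
Get-TransportRule | Where-Object { $_.Name -like 'Block executable attachments*' } |
    Select-Object Priority, Name, State
```

Rejecting (rather than silently dropping) returns a bounce to legitimate senders, which also surfaces false positives quickly when a business process turns out to depend on one of the listed types.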
While the above will help protect your organization from all types of ransomware, there are some specific steps you can take immediately to protect against the WannaCry Ransomware attack:
- Deploy the patch. Deploy the MS17-010 update. WannaCry exploits a known Windows vulnerability in the Server Message Block version 1 (SMBv1) service to propagate to other machines. Microsoft released MS17-010 for supported Windows versions in March 2017 and, in May 2017, an out-of-band update for the unsupported Windows XP, Windows 8 and Windows Server 2003, so those systems can be patched as well. Where SMBv1 is not needed, disable it outright; that removes the attack surface even on hosts you cannot patch immediately. Patching will not prevent every infection, but it will significantly limit the spread of the ransomware internally.
- Block specific ports. Ensure that Transmission Control Protocol (TCP) ports 139 and 445 are blocked on the external-facing firewall. Again, this will not prevent every infection, but it will stop infected computers on the Internet from spreading the worm into your network. Where practical, restrict the same ports between internal network segments as well, since an infected laptop carried inside the perimeter bypasses the external firewall.
- Update intrusion detection. Ensure Intrusion Detection Systems (IDS) are able to detect and alert on the ‘ETERNALBLUE’ exploit, which is one method used by WannaCry to propagate.
- Check your filters. WannaCry's confirmed propagation path is the Server Message Block (SMB) vulnerability addressed by MS17-010; phishing emails have also been reported as a delivery method. Make sure your anti-spam and anti-phishing software is updated to detect the latest threats.
- Communicate to your employees. Remind/train your employees to be wary of emails containing links. Get in front of your employees now and remind them of the threats and the steps they should take immediately to protect themselves and your organization.
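As an added example (not part of the original post), a PowerShell check of the three host-level controls above: patch state, SMBv1, and inbound 139/445. It assumes Windows 8.1 / Server 2012 R2 or later (for the SmbShare and NetSecurity modules) and an elevated prompt. The default KB list is an assumption that must be checked against the MS17-010 bulletin linked at the bottom: KB4012212 and KB4012215 are the Windows 7 / Server 2008 R2 security-only update and monthly rollup, and KB4012598 is the Windows Vista / Server 2008 package that Microsoft also shipped for Windows XP, Windows 8 and Server 2003 in May 2017. Other Windows versions have other KB numbers.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on Windows 8.1 / Server 2012 R2 or later. The KB IDs below are an
# assumption: verify them against the MS17-010 bulletin for each OS version.
param(
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598'),
    [switch]$Remediate
)

# 1. Patch state. Get-HotFix reads Win32_QuickFixEngineering, which does not
#    list updates superseded by a later cumulative update, so "absent" means
#    "verify further", while "present" is a positive confirmation.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 fix present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "None of $($Ms17010Kbs -join ', ') found; check update history against the bulletin for this OS."
}

# 2. SMBv1. ETERNALBLUE targets the SMBv1 server; if nothing needs it, turn it off.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is enabled.'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output 'SMBv1 server disabled.'
    }
} else {
    Write-Output 'SMBv1 server already disabled.'
}

# 3. Host firewall: block inbound TCP 139/445 on the Public profile (untrusted
#    networks). Domain/Private profiles may legitimately need file sharing; there
#    the perimeter and segment firewalls described in the post are the control.
$ruleName = 'Block inbound SMB (TCP 139,445) - Public'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Output "Firewall rule '$ruleName' present."
} elseif ($Remediate) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139, 445 -Profile Public -Action Block | Out-Null
    Write-Output "Created firewall rule '$ruleName'."
} else {
    Write-Warning "Firewall rule '$ruleName' not present (run with -Remediate to add it)."
}
```

Run it once without -Remediate to get a report, then with -Remediate on hosts where SMBv1 is confirmed unused; disabling SMBv1 breaks access to very old file servers and some printers/NAS devices, so check that before rolling the change out broadly.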
CenturyLink’s long-term strategic partner, RiskSense, led the global effort by releasing one of the first detection code releases for these vulnerabilities shortly after the MS17-010 patch and about three weeks before the Shadow Brokers exploits went public.
While many enterprises have the staff, tools and resources to respond to threats like these and are capable of implementing many of the controls listed above, there are others who do not have the skills, resources, or knowledge to implement or maintain a secure environment. Others may not know what potential threats (vulnerabilities) already reside in their environments – including this most recent attack.
If you fall into one of these categories, CenturyLink wants to help. Through the CenturyLink/RiskSense Platform, or our Managed Security Services (MSS) platform, we provide the services and resources that can help you detect and remediate this and other future threats.
- Perform regular vulnerability assessments at least quarterly, but as often as practical.
- As CenturyLink/RiskSense Platform users, clients can simply leverage a common filter called Windows SMB RCE, under the ‘Network Remediation’ page, which shows all affected hosts and associated vulnerabilities.
- CenturyLink can perform extensive vulnerability assessments and provide the mitigation planning and implementation services to remediate known vulnerabilities.
- Perform regular penetration tests. No less than once a year, but ideally as often as possible/practical.
- CenturyLink offers penetration testing services utilizing the CenturyLink/RiskSense Platform and provides our clients with a detailed visual report depicting every attack path that could be utilized to compromise the client environment. Additionally, CenturyLink identifies the remediation steps necessary to eliminate these threats.
- Clients can use this information to perform the remediation themselves or can enlist CenturyLink to assist with or complete the necessary actions.
- CenturyLink Managed Security Services include 24×7 surveillance of client environments, providing real-time detection and alerting on real or suspected threats impacting our client’s environments. Services include:
- Monitoring services including log collection, correlation, and analysis
- Detection and Alerting services when threats or vulnerabilities are identified
- Response services including on-site deployments when required, and
- Vulnerability management as a part of our managed security service on a much more continuous basis than traditional periodic assessments
When faced with a global threat of the magnitude of the WannaCry attack, enterprises should look to a service provider who has the proven depth of knowledge and skill to effectively protect their enterprise. CenturyLink/RiskSense have proven our teams’ leadership skills in the area of detection and remediation of these high impact, zero-day threats. These and many other security services are available to our clients as either consulting or managed services, and can be found on our website at:
In summary, please take a look at the steps listed at the top of this blog; both the strategic steps and the tactical/immediate steps that you should consider immediately. Whether you are a CenturyLink customer or not, we do not want any organization to ever be the victim of an attack.
If you think CenturyLink can help you, today or in the future, with the incredibly challenging responsibility associated with protecting your organization from these constant threats, please let us know. We are genuinely here to help.
CenturyLink Chief Security Officer
Important Links and References:
For more information about the MS17-010 vulnerability, please see the Microsoft TechNet article at: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
For a more technical analysis of the WannaCry ransomware, see https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
Footnote: FBI Flash newsletter released on May 13th, 2017 (MC-000081-MW)