WannaCry 2.0 Malware Strikes Global Businesses
On Friday and over the weekend, a major piece of malware infected hundreds of thousands of computers, taking down everything from businesses to the U.K.’s National Health Service. The malware was called WannaCry 2.0.
Ransomware is malicious software that burrows into your computer and encrypts the files on your machine, keeping you from being able to access them. The malware’s creator then asks you to pay a fee to unlock your data. WannaCry 2.0 uses a vulnerability in Microsoft’s (MSFT) Windows operating system to attack users’ computers.
The first wave of the WannaCry 2.0 attacks seems to have passed. But chances are some hacker will repurpose the malware and send it back into the wild again. There has been some talk that the next wave could specifically target businesses, both large and small, in the United States.
Ransomware doesn’t just appear on your computer. It has to be downloaded. And while you could swear up and down that you’d never be tricked into downloading malware, cybercriminals get plenty of people to do just that. This typically happens when someone opens an infected email and clicks on a link or attachment in it.
That email you opened to get ransomware on your computer in the first place was specifically written to get you to believe it was real. That’s because criminals use social engineering to craft their messages. For example, hackers can determine your location and send emails that look like they’re from companies based in your country.
It’s not just email, though. An attack known as a drive-by can affect you if you simply visit certain websites. That’s because criminals have the ability to inject their malware into ads or links on poorly secured sites. When you go to such a site, you’ll download the ransomware.
How to protect yourself:
Software and OS Updates
The very best way to protect yourself from these types of attacks is to constantly update your operating system’s software and apps like Microsoft Office and Adobe Flash Player. For businesses, there are patch management systems that can monitor all of your business computers for outdated versions, automatically download the updates needed and then push them out from a central repository. No business owner has the time to constantly stay on top of the number of updates needed to truly be protected. A software system designed to do this heavy lifting for you is the way to go.
Always maintain and test a reliable system to back up your files. You can do that either by backing them up to an offsite data backup service or by backing up to near-line storage or an external drive. Some ransomware can infect your backups, however, so you will want to choose a business option rather than relying on Google Drive or another “retail” level system. If you’re backing up to an external hard drive, you’ll want to disconnect it from your PC when you’re finished.
Anti-virus software and Internet content filtering
Up-to-date and properly licensed anti-virus software will help prevent malware from taking hold on your machines. Internet content filtering will help block websites that are potential problems in the first place, thereby lowering your chances of accidentally visiting one of these sites to begin with.
Find out just where you are with your technology
Technology should never be considered a “set it and forget it” part of your business. It takes constant tweaking, monitoring and maintenance to make your system reliable. You should strongly consider having a formal IT Security Assessment performed on your system no matter how large or small your business is, as these formal scans give you an excellent chance to find out just where you have vulnerabilities.
We can assist you with any of the protection measures mentioned above. It is far less costly to be proactive than it is to be reactive. NOW is the time to find out, not later, or after!
Many people and businesses think their systems and information are protected, but are they really?
In today’s connected environment you need to routinely assess the security risks to your network systems, computers, users and the information stored on your systems to ensure you have sufficient safeguards in place.
Let’s discuss some of the basic safeguards your business should have in place to protect your technology resources, users and information.
Firewalls are designed to protect your network systems and computers by monitoring and controlling inbound and outbound traffic based on predefined rules. They come in a variety of forms (appliances, software, etc.) and with different capabilities. Some firewalls provide content/internet filtering capability designed to restrict or control the content a user is authorized to access. The rules configured on a firewall are generally adjusted to reflect business operation requirements and a business’ philosophy on acceptable content. Since intrusion and attack methods are constantly changing, you need to make sure you are routinely reviewing and updating your firewall settings, firmware and software. Failure to regularly review and update this first line of defense could expose your technology resources, users and information to attack or intruders and create an unsolicited security incident that could be damaging to your business and its reputation.
Anti-virus software, sometimes known as anti-malware software, is computer software designed to prevent, detect and remove malicious software. Current anti-virus software can protect computers from such things as trojan horses, worms, adware, spyware, backdoors and browser hijackers. Some more advanced software and other third-party products can detect and remediate ransomware, rootkits and malicious browser helper objects. Since malicious software and its methods of delivery seem to change daily, you need to make sure your anti-virus software is constantly being updated to ensure your systems, computers and users are adequately safeguarded. Failure to constantly update this line of defense could adversely affect your business operations, impact users’ efficiency and productivity and/or unknowingly disclose sensitive information from your systems. Unsolicited security incidents such as these can be costly to your business. Locked or deleted information can be difficult to restore or costly to reproduce. The disclosure of sensitive information can have numerous ramifications, ranging from the time and costs involved with analyzing how the disclosure happened and what information was disclosed, to possible credit monitoring costs for anyone impacted by the disclosure, to costs related to legal representation.
A security patch is a change applied to a technology asset, whether hardware or software, to remediate an identified vulnerability or security weakness. A patch of this type is issued by the hardware or software vendor to prevent the successful exploitation of an identified vulnerability and to remove or mitigate the specific weakness. Since security patches can be released by hardware and software vendors at any time, it is imperative that these be tested and applied as soon as possible after release, because once a vulnerability or security weakness is publicly identified, hackers attempt to exploit it to gain access to affected technology resources.
First and foremost, information technology security is everyone’s responsibility. This includes anyone that has access to your technology resources and information. It should include not only employees, but contractors, vendors, consultants and cloud providers of services. Your business should have a written acceptable use policy that clearly defines acceptable and unacceptable use of your technology resources. It should address areas like password requirements, prohibiting the installation of unauthorized software, accessing personal email, occasional personal use, locking or logging off a computer before leaving an area or leaving for the evening, accessing or using cloud storage services, etc. It should be routinely reviewed and updated no less than annually. The policy should be provided to and personally acknowledged by all users of your information technology resources. An enforcement and sanctions provision should be a part of your policy so users are informed of the ramifications for non-compliance. All users should be routinely educated on the code of conduct they are to follow while using your business’ technology resources. There should be a designated point of contact for security-related questions and the reporting of all security-related incidents. All users of your technology resources should be educated on the process for reporting security incidents, however trivial the incident may appear.
The longer you wait to assess your information technology security position and address weaknesses, the more likely it is to become a problem. If you would like some guidance or assistance with assessing your information technology security position, please contact us.
Having secure remote access is not convenient. To provide secure remote access, you must have a multi-faceted system in place with at least a two-level authentication method to allow users into your network and avoid giving access to unwanted users.
If you think about your network like a home, consider that there are windows and doors in your home that allow you and others to enter and leave. You put locks on the openings in your home to control who enters and keep unwanted visitors from entering. Security on your network is based on that same simple principle. There are vulnerabilities in computer networks that must be “locked down” to control who has access to them. We find that many business owners are not aware of the vulnerabilities they may have in their network and computer systems because they don’t know enough about remote access or what their “doors and windows” are.
“In today’s environment, teenagers are able to hack into your computer system.”
Security and secure systems should be a deterrent to random people hacking into your network and computer systems. The more secure and inconvenient it is for someone to hack into your system, the more likely they will move on to the next system that is easier to get into.
Here are basic best practices for implementing secure remote access to your network and computer systems.
Remote User “Requirements”
- Use Business-Owned Devices – Requiring remote workers to use company-owned computers and mobile devices, so that you can dictate the security policy on those devices, is a major requirement. At no point should they be using their own computer, installing their own applications on it, or using it for personal reasons. With a business-owned computer, you have the right and ability to monitor the security and configuration of that unit. If it’s someone’s personal computer, you don’t have the right to do that.
- Encrypted Devices – All remote access computers and phones should be encrypted. Users must enter a password to enter the device. If the device gets lost, it should be configured so that it is automatically rendered useless.
- No Public WiFi – Remote users should use their own phone hotspot or MiFi devices to connect to the Internet. Users should not be using public WiFi. Your IT manager can configure these devices to ensure these hotspot applications are set up. Remote users should not use hotel or restaurant WiFi as these may not be secure.
- Encrypted Connections – Some level of security software should be in use (Virtual Private Network – VPN, or other) to ensure that the physical connection from remote to host is secure.
- Avoid Using Freeware or Shareware Solutions for Remote Access – Remote users should not use free versions of TeamViewer, VNC Viewer, etc. Opt instead to use the purchased versions of these applications, if necessary, and ensure your IT manager has control over how they are configured.
Best Practices for Business Owners
- Ensure you have remote access to this computer to apply security updates to it on a regular basis.
- Ensure that utilities are set up so that you may remotely monitor these devices to ensure they are being used according to company IT security policies.
- If you’re concerned about employee productivity, software can be installed on the devices to track employee productivity.
- If you’re concerned about employees accessing social media, personal email, or other sites from company-owned devices, software can be installed that can filter content when remote users browse the Internet restricting their access to these areas.
Remote access is one component of your overall IT computing environment. Kenneally Technology Services can review your remote access capabilities to see what improvements are needed to ensure your systems and data remain secure. An IT security assessment will help you ensure your network’s vulnerabilities are eliminated and “open doors” are locked down.
This question can be easily answered by asking yourself whether you have had one performed in the last year, or ever. If you have not, the answer is unequivocally YES!
IT and computers, like many other facets of your business, are not “set it and forget it” devices like a fax machine or a stapler. IT systems have changes made to them on a daily basis and must have regular attention paid to them in order to keep them out of harm’s way and your system running smoothly. Just because something terrible has not happened to your IT systems yet does not mean that your system is forever free and clear and does not need any attention. It really means that you have been dodging the bullet and the inevitable significant “game-changer” is not far around the corner.
The most common items that are overlooked on a network / IT system, and which can cause major issues, are user password policy (passwords not set to expire on a regular basis, not required to be 7 characters or better), system security update policy (is there an actual plan for regular deployment of updates?) and end-user awareness training. Believe it or not, not addressing or forgetting about these mundane items is exactly what the Internet “bad guys” are hoping for. These are the sort of vulnerabilities that they love to see—old user accounts not disabled, users with easy-to-guess passwords and, in the case of MedStar Health—an unpatched network server and workstation.
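The safeguards this post and the one before it describe (firewall settings, anti-virus updates, security patches, password expiry and minimum length, and old accounts left enabled) can all be spot-checked on a single Windows machine before a formal assessment. The script below is an added example written for this page, not Kenneally Technology Services’ own tooling. It assumes a Windows 10 / Server 2016 or later host with the built-in NetSecurity, Defender, BitLocker and LocalAccounts PowerShell modules, an elevated session, English-language `net accounts` output, and the thresholds declared at the top (90-day stale account, 30-day patch window, 8-character minimum), which are assumptions to adjust to your own policy.

```powershell
# Added example: quick local safeguards audit on one Windows host.
# Not the page's or the vendor's own code; thresholds below are assumptions.
$StaleDays    = 90   # enabled account with no logon in this many days is "old"
$PatchWindow  = 30   # expect at least one update installed within this window
$MinPwdLength = 8    # the post asks for 7 or better; 8 is this example's choice
$findings = @()

# 1. Firewall: every profile enabled, inbound blocked unless a rule allows it.
foreach ($p in Get-NetFirewallProfile) {
    if (-not $p.Enabled) { $findings += "Firewall profile '$($p.Name)' is disabled" }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings += "Firewall profile '$($p.Name)' does not block inbound traffic by default"
    }
}

# 2. Anti-virus: real-time protection on and signatures recently updated.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off" }
if ($mp.AntivirusSignatureAge -gt 3) {
    $findings += "Anti-virus signatures are $($mp.AntivirusSignatureAge) days old"
}

# 3. Patching: date of the most recently installed update.
$lastFix = Get-HotFix | Where-Object InstalledOn |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-$PatchWindow)) {
    $findings += "No update has been installed in the last $PatchWindow days"
}

# 4. Password policy: read maximum age and minimum length from 'net accounts'.
$na     = net accounts
$maxAge = [string]($na | Select-String 'Maximum password age').Line -replace '.*:\s*', ''
$minLen = [int]([string]($na | Select-String 'Minimum password length').Line -replace '.*:\s*', '')
if ($maxAge -match 'Unlimited') { $findings += "Passwords are set to never expire" }
if ($minLen -lt $MinPwdLength)   { $findings += "Minimum password length is $minLen (want $MinPwdLength)" }

# 5. Old accounts: enabled local users with no logon inside the stale window.
$cutoff = (Get-Date).AddDays(-$StaleDays)
foreach ($u in Get-LocalUser | Where-Object Enabled) {
    if (-not $u.LastLogon -or $u.LastLogon -lt $cutoff) {
        $findings += "Enabled account '$($u.Name)' has no logon in the last $StaleDays days"
    }
}

# 6. Disk encryption (the 'lost laptop' point from the remote-access post).
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($os.ProtectionStatus -ne 'On') { $findings += "BitLocker protection is not On for $env:SystemDrive" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output "No findings" }
```

Each finding maps to one of the items the posts call out, so a run with no warnings is a reasonable floor, not proof of security; a domain-joined fleet should check the same points centrally (Group Policy and the domain password policy) rather than one machine at a time.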
You may be saying to yourself, “We are just a small entity; no one wants our data or information.” On the Internet, however, your network is just a number (IP address), much like a house address is to the post office. Your “house” has windows and doors, which are called ports.
Do you even know where your Internet firewall is located in your office, and do you know whether your Internet protection device is up-to-date with the latest security firmware updates?
One of the most important security devices in your office should not go unchecked for months or even years. You should keep this unit up-to-date with a support contract from the vendor and by applying regular firmware updates. Having it tested with an external penetration test is equally important.
How old is it, and is it even still supported by the hardware manufacturer?
Your security appliance / firewall should be replaced as often as a desktop computer – every three years or so to ensure that you are taking advantage of the latest security and protection technologies.
Internet ports are only a small fraction of the way risks can be introduced into your network.
Other items at which to look are (and there are MANY more than these):
Poor Data Backup Strategies / Disaster Recovery
Is there even a plan to test the backups, or a plan to recover from a significant IT security event? You should have a layered approach to data backup; it should be automated, not manual, and should also include some sort of disaster recovery data restore option.
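“Test the backups” (here and in the WannaCry post above) means more than confirming the job ran: restore a copy somewhere and prove it matches the original. The script below is an added example for this page, not the vendor’s own code. It assumes you have already restored a folder from your backup system to a scratch location and that the two paths at the top (placeholders) point at the live data and the restored copy; it hashes every file on both sides with SHA-256 and reports anything missing, changed, extra or empty, returning a non-zero exit code so it can be scheduled and alerted on.

```powershell
# Added example: verify a restored backup against its source, file by file.
# Paths are placeholders for this example; point them at your own data and restore.
$Source  = 'C:\CompanyData'
$Restore = 'D:\RestoreTest\CompanyData'

# Build a map of relative path -> SHA-256 hash (and size) for every file under $Root.
function Get-FileMap {
    param([string]$Root)
    $base = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\') + '\'
    $map  = @{}
    Get-ChildItem -LiteralPath $base -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length)
        $map[$rel] = @{
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Size = $_.Length
        }
    }
    return $map
}

$src = Get-FileMap -Root $Source
$rst = Get-FileMap -Root $Restore

# Four failure classes a backup test should catch.
$missing = @($src.Keys | Where-Object { -not $rst.ContainsKey($_) })
$changed = @($src.Keys | Where-Object { $rst.ContainsKey($_) -and $rst[$_].Hash -ne $src[$_].Hash })
$extra   = @($rst.Keys | Where-Object { -not $src.ContainsKey($_) })
$empty   = @($rst.Keys | Where-Object { $rst[$_].Size -eq 0 -and $src.ContainsKey($_) -and $src[$_].Size -gt 0 })

Write-Output ("Source files: {0}  Restored files: {1}" -f $src.Count, $rst.Count)
Write-Output ("Missing: {0}  Changed: {1}  Extra: {2}  Truncated to 0 bytes: {3}" -f `
              $missing.Count, $changed.Count, $extra.Count, $empty.Count)

$missing | ForEach-Object { Write-Warning "MISSING  $_" }
$changed | ForEach-Object { Write-Warning "CHANGED  $_" }
$empty   | ForEach-Object { Write-Warning "EMPTY    $_" }
$extra   | ForEach-Object { Write-Warning "EXTRA    $_" }

# Non-zero exit lets a scheduler or monitoring tool flag a failed restore test.
if ($missing.Count -or $changed.Count -or $empty.Count) { exit 1 } else { exit 0 }
```

A “changed” result on a file that is still being edited is expected; a changed hash on a closed document, or a run of zero-byte files, is the signature of a corrupt or half-finished backup and is exactly what you want to discover on a test day rather than after an incident.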
Remote Access / Employees in the Field / Cloud Computing
Are users in the field or working from home offices updated on a regular basis? Are they using public hot-spots for Internet access? Data in the cloud seems nice and convenient but who is looking at your data as it resides on the vendor’s servers? Have you reviewed your service level agreement with your vendor? What happens if they have a “gotcha” virus moment like a large entity like MedStar? How long does it take to get your data back if the vendor gets bought out by another company and the new company discontinues your cloud offering as a way of killing the competition?
Your business should have a well thought out and concise remote access policy for remote users and the computers that they use should be company-owned so that your IT personnel can dictate security policy on them.
Is there a company-wide policy for use of smart-phones and remote data sync? Do the phones even have the security lock feature turned on? On an iPhone, if not, the data on the phone is NOT encrypted. Same as with remote computer users, the smartphones that your company employees use should be company owned and administered. You cannot tell your employees to be smart and security aware if you do not own it.
Is there an employee who is not happy about not getting a promotion? Did he/she have a greater level of data security access than they should have, given their job description? Threats from within should be of great concern. You need to keep your finger on the pulse of your staff and have formal policies as to what needs to be done from an IT perspective before you make someone an ex-employee.
So, to answer the question presented to you at the beginning of this post, “How do I know if my company needs a computer IT Network Security Assessment?” With all of the moving parts of an IT system, the better question is, “Can I afford not to?”
Ransomware is a type of malware that prevents or limits users from accessing their system or data. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to unlock their data.
Users may encounter this threat in a variety of ways. Ransomware can be downloaded by users visiting malicious websites. It can also be downloaded by other malware. Some ransomware is delivered as an attachment to spammed email. Once executed on the system, ransomware can either lock the computer screen or encrypt predetermined files with a password. Once infected, the malware shows instructions on how users can pay the ransom. The second type of ransomware locks files like documents, spreadsheets and other important files.
Attackers may use one of several different approaches to extort money from their victims:
- After a victim discovers he cannot open a file, he receives an email ransom note demanding a relatively small amount of money in exchange for a private key. The attacker warns that if the ransom is not paid by a certain date, the private key will be destroyed and the data will be lost forever. These ransoms are often required to be paid in hard-to-trace Internet currency.
- The victim is tricked into believing he is the subject of a police investigation. After being informed that unlicensed software or illegal web content has been found on his computer, the victim is given instructions for how to pay an electronic fine.
- The malware encrypts the victim’s data but does nothing else. In this approach, the data kidnapper anticipates that the victim will look on the Internet for how to fix the problem and makes money by selling anti-ransomware software on legitimate websites.
Security companies, which first identified the CryptoLocker attacks in September 2013, believe that the virus struck 250,000 computers in its first 100 days. Other security researchers believe the latest versions of ransomware were created by hackers in Eastern Europe and Russia. The hackers conceal their identities by deploying the virus through the dark web. The dark web, an unindexed arm of the Internet, allows users to bounce their communications through multiple computer servers to make them nearly impossible to trace.
The hacker infects computers by sending tainted e-mails that appear to come from the FBI, local police agencies or package delivery services such as UPS and FedEx, or in PDF attachments. When the user opens the e-mail or file, the virus infects the PC. The hacker will also implant the viruses on websites, then try to lure people there, often with pornography or the promise of free items.
The best way to combat a CryptoLocker virus or other ransomware is to establish a line of defense by using paid-for security software from a reliable security software vendor. Keep both the application and virus definition lists up to date. Virus definitions are the lists of malware and viruses that the program knows how to address. Using a spam-blocking software or spam hardware device will limit the amount of tainted emails that reach your inbox in the first place.
Last, but certainly not least, always make multiple copies of your data. The best way to recover from a ransomware virus is not to give in and pay the ransom, but rather to wipe the hard drive of the infected machines, reload, and then restore the data. Sometimes having principles and not paying the ransom is not the easiest way, but it’s the best way!