Written by Mike Parsons, CISSP, PCIP, IAM, IEM, HIPAA Certified
Senior Security Architect, Techgardens
Email situation alerts and the evening news were abuzz with the latest round of malware. The new variant has been named Petya or NotPetya, depending on whom you listen to or read. Once again, the attack encrypts business files, leaving organizations without access to the sensitive and critical data they need to conduct business, and once again the attackers demand that a ransom be paid for the key to decrypt that data.
The idea of ransomware is not that new. There were attacks that held sensitive data hostage as far back as 2009 (see http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html).
Today, these attacks have become more common and generally arrive through a phishing email carrying a malicious payload or a URL to a compromised website. Ransomware is being taken more and more seriously because of the wide range of victims that have fallen prey. Its impact on a company's ability to continue operations or to maintain the confidentiality and integrity of its data is viewed as serious, and the Office of Civil Rights has ruled that covered entities and business associates under HIPAA must treat a ransomware attack the same as a data breach for reporting and incident response purposes.
This latest event was first thought to be a variant of Petya, which has been around for about a year, but it now appears to be a never-before-seen ransomware family. As a result, many researchers have given it the name NotPetya. Among the researchers actively investigating the attacks are analysts from Sophos, Kaspersky Labs and countless others.
Ionut Arghire of Security Week wrote Tuesday that known victims include Ukraine's central bank, Russian oil giant Rosneft, Ukrainian government offices and large communications companies, and the US pharmaceutical giant Merck. As the clock continues marching, more victims throughout the world continue to emerge.
So why is this happening less than two months after the worldwide chaos caused by WannaCry? We learned then that WannaCry traveled via an NSA-linked SMB exploit named EternalBlue. We also learned that Microsoft had already addressed that exploit with MS17-010, which is discussed at https://technet.microsoft.com/library/security/MS17-010 and was published March 14, 2017. Microsoft even went so far as to depart from its published support policy and release patches for Windows Vista and XP.
How do you defend against this new variant? A first step is to make sure all of your Microsoft-powered assets have MS17-010 in place, along with any subsequent security patches. Following that, we encourage you to call us and talk about two very appropriate solutions we have to offer that can improve your risk management profile.
Traditional anti-virus is no longer an effective preventative control
Traditional anti-virus software depends on signatures and hashes that enable it to detect whether an attack is like the one experienced 30 days ago. Upon confirmation, the anti-virus has the ability to quarantine the new attack until appropriate remediation can be applied.
Unfortunately, the new generations of malware such as ransomware are more dynamic: they can morph into new, undetectable versions, or change the behavior and response of the attack to evade remediation.
To counter the ransomware threat, Techgardens has partnered with Sophos to offer centrally managed endpoint protection with components such as InterceptX, which has been designed specifically to address the attack methodology used by ransomware. When confronted with an encryption component, InterceptX gets ahead of the encrypting process and moves files out of the attack path while it evaluates the process. If the encrypting process is determined to be malicious, InterceptX kills the process and restores the files it had saved out of harm's way.
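As an added illustration (not Sophos code, nor anything published by the post's authors), the toy guard below models the approach described above: it interposes on a process's file writes, sets the pre-write original aside, judges the writer by the entropy of what it writes, and if the writer behaves like an encryptor it stops it and restores the originals. A hash-based "signature" check sits beside it to make the earlier point concrete: a morphed sample with identical behaviour is invisible to the signature but not to the behavioural guard. The file system, the known-bad hash set, the key and the simulated encryptor are all constructed for the example.

```python
"""Toy behavioural ransomware guard next to a hash-based signature check.
Example code for this article: the file system is an in-memory dict, the
known-bad hash set is constructed, and the encryptor is a SHAKE keystream."""
import hashlib
import math
from collections import Counter

KNOWN_BAD_HASHES = {hashlib.sha256(b"ransom-v1").hexdigest()}  # constructed

def signature_match(sample: bytes) -> bool:
    """Traditional AV: malicious only if the sample's hash is already known."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class WriteGuard:
    # Interposes on writes: saves originals, judges the writer, rolls back.
    def __init__(self, disk: dict, threshold: float = 7.0, max_suspicious: int = 3):
        self.disk, self.threshold, self.max_suspicious = disk, threshold, max_suspicious
        self.saved, self.suspicious, self.killed = {}, 0, False

    def write(self, path: str, data: bytes) -> bool:
        if self.killed:
            return False                        # process already terminated
        if path in self.disk and path not in self.saved:
            self.saved[path] = self.disk[path]  # copy moved out of harm's way
        self.disk[path] = data
        # Editing a document yields low-entropy text; an encryptor overwrites
        # existing files with near-random bytes, one file after another.
        if path in self.saved and entropy(data) > self.threshold:
            self.suspicious += 1
            if self.suspicious >= self.max_suspicious:
                self.killed = True
                self.disk.update(self.saved)    # restore the saved originals
        return True

def simulate_encryptor(path: str, data: bytes) -> bytes:
    """Stand-in for ransomware encryption: XOR with a per-file keystream."""
    stream = hashlib.shake_256(b"constructed-key" + path.encode()).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def demo() -> tuple:
    """Returns (signature hit on morphed sample, guard fired, data restored)."""
    disk = {f"doc{i}.txt": b"Quarterly report, plain readable text. " * 25 for i in range(5)}
    originals, guard = dict(disk), WriteGuard(disk)
    for path in list(disk):
        guard.write(path, simulate_encryptor(path, disk[path]))
    return signature_match(b"ransom-v2"), guard.killed, disk == originals
```

Running `demo()` returns `(False, True, True)`: the hash of the morphed sample is unknown, the guard fires after three high-entropy overwrites of existing files, and every file is back to its original content afterwards.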
This endpoint protection is managed through a cloud-based console and includes a tamperproof switch that prevents even local administrators on the device from deactivating critical features or removing the agent. The console also provides a number of dashboards and reports that give current status and event history on an agent-by-agent and component-by-component basis. The endpoint protection software itself can be an effective preventative measure for Windows-based PCs, Macs, and mobile devices running the Android or iOS operating systems.
We encourage you to ask us to demonstrate this capability to you and consider deploying this extremely effective and highly rated endpoint protection solution in your environment.
Sleep soundly at night with the knowledge that your policies and controls are working, following Techgardens' Vulnerability Assessment
As mentioned earlier, a prime preventative measure is to keep your operating systems and software current with patches released by the manufacturer. Operating system developers like Microsoft, Apple and open source communities such as those supporting Linux constantly receive commentary from security researchers regarding vulnerabilities discovered in their code. Most of the time, the developers act responsibly and promptly publish patches to remove those vulnerabilities. It is up to the business as part of its technology management process to apply those patches to remediate the known vulnerabilities.
But is your staff or IT provider correctly applying the policies and controls required by your organization?
Ronald Reagan is often quoted for using an old Russian proverb “Trust but Verify” after signing the Intermediate-Range Nuclear Forces (INF) Treaty with Mikhail Gorbachev. While combatting malware is not quite the same, the principles still hold. As a security policy maker in an organization, the CISO or CSO establishes policies to protect the organization which the technical staff is expected to follow. Without an ongoing program of monitoring adherence to those policies, the CISO/CSO cannot be assured that the policies are in place and working.
Techgardens stands ready to help in this process through its one-time Vulnerability Assessment or through a subscription service for vulnerability management. Our process is non-intrusive to the organization and provides an easy-to-understand assessment. We use readily available tools to evaluate the preventive, detective, and corrective controls in place so that we can give organizational management an objective assessment of the risk profile of their technology.
The Vulnerability Assessment and the vulnerability management service subscription were developed to provide a tool for organizations to review their risk management profile before confronting a compliance audit and possible regulatory issues. The Techgardens security team is experienced in all aspects of network, server and device security and can tailor your assessment to a particular framework such as NIST, PCI-DSS, HIPAA or FFIEC if needed. During our review, we will examine policies, controls (preventative, detective and corrective) and evaluate whether they appear sufficient to allow you to meet best practices or a compliance yardstick. We will also recommend a tactical plan for you to help guide you in meeting organizational goals in light of the findings.
For more information about our Vulnerability Assessment, contact us today.
Want to understand how vulnerable your company is?
Download our Ransomware Checklist.
Interested in learning more about your risk? We offer a free cybersecurity review to help you identify threats to your organization. Learn more.