Cyber-attacks to the left, ransomware to the right

June 2017 Editor's Choice, Cyber Security, News

With Petya sweeping the globe and proving that we all need to be agile and responsive to the new unknowns, here are some tips for preventing future nasties like WannaCry and Petya which are now making use of ETERNALBLUE and related advanced exploit code.

Prevention tips

1. The malware requires administrator rights to the local computer. Standard users should not have this in permission. Consider restricting who has local admin rights to prevent execution of exploit code within organisations. Home users should also consider using a Standard User Account for day-to-day operations.

2. Many Windows systems are configured to automatically reboot if it crashes. You can disable this feature in Windows. If you can prevent the MFT from being encrypted, you can still recover your data from your local disk. 

Unlike WannaCry, Petya is a different kind of ransomware. Common delivery methods are via phishing emails, or scams. The payload requires local administrator access. Once executed, the system’s master boot record (MBR) is overwritten by the custom boot loader, which loads a malicious kernel containing code that starts the encryption process.

Once the MBR has been altered, the malware will cause the system to crash. When the computer reboots, the malicious kernel is loaded, and a screen will appear showing a fake Check Disk process. This is where the malware is encrypting the Master File Table (MFT) that is found on NTFS disk partitions, commonly found in most Windows operating systems.

It is when the machine is rebooted to encrypt the MFT that the real damage is done.

Protecting your organisation

Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability.

• Consider disabling SMBv1 to prevent spreading of malware.

• Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.

• Ensure you have the latest updates installed for your anti-virus software, vendors are releasing updates to cover this exploit as samples are being analysed.

• Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share.

• Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if attack occurs.

• Operate a least privileged access model with employees. Restrict who has local administration access.

What strategic lessons can we learn?

We must take a step back and examine not only the what now? response, but also the what next? – in other words, what does the avalanche of malware and other advanced attacks tell us?

Our existing traditional trust models don’t work. With more critical assets moving to cloud, believing that the data centre is safer is a false philosophy.

• The idea that security practitioners can do any kind of one-time risk assessment and sign off is flawed, and opens the door for future attacks.

• Trust and risk require continuous re-validation, and a one-time evaluation/accreditation is no longer fit for purpose.

• Adaptive systems providing advanced monitoring and analytics are key.

We need to spend more – but on what?

The BBC has reported that there are calls for a massive increase in cyber security spending, and it’s certainly true that many organisations have avoided spending money on cyber security for some years. Elsewhere, CSO online has described the impact of not having nearly enough cyber security professionals. So, we need more competent, trained and enthusiastic professionals, and we need better systems that can analyse, detect and highlight threats requiring intervention.

A lot of people are throwing the ‘cyber’ word around now (and it does sound more fun that ‘IT Security’, or ‘Computer Security’). But cyber– has become a very wide term, including:

Secure software engineers

• Security evangelist

• Security architects (and there’s a wealth of division on what secure architecture actually is)

• Security operations engineers

• Incident responders

• Penetration testers

• Digital forensics specialists

• Network engineers who understand security

• Firewall engineers

• Application testers

• Wireless security engineers

• Risk management experts

• SecureDevOps

• Security awareness

Add to that, project managers, programme managers, administrators and the entire caboodle of corporate governance wrapping around the people at the sharp end. We know that budgets are limited (otherwise they wouldn’t be budgets) and so we need to decide what to spend our money on, and how to get the most out of our people.

Security and risk will be further discussed with local CTOs and CSOs at the Gartner Symposium/ITxpo taking place in Cape Town from 18 to 21 September.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Sustainability School opens for enrolment
Education (Industry) News Security Services & Risk Management
Three-part programme, first developed for Schneider Electric employees, is now available for free for companies worldwide. Attendees learn how to future-proof their businesses and accelerate their decarbonisation journeys.

Accenture Technology Vision 2023
Editor's Choice News
New report states that generative AI is expected to usher in a ‘bold new future’ for business, merging physical and digital worlds, transforming the way people work and live.

Cyber attackers used over 500 tools and tactics in 2022
Cyber Security News
The most common root causes of attacks were unpatched vulnerabilities and compromised credentials, while ransomware continues to be the most common ‘end game’ and attacker dwell time is shrinking – for better or worse.

Economists divided on global economic recovery
Editor's Choice News
Growth outlook has strengthened in all regions, but chief economists are divided on the likelihood of a global recession in 2023; experts are concerned about trade-off between managing inflation and maintaining financial stability, with 76% anticipating central banks to struggle to bring down inflation.

Success in business process best practices
Technews Publishing Kleyn Change Management Editor's Choice Integrated Solutions Security Services & Risk Management
This month we commandeer time with the woman who is spearheading our national conversation on Women in Security, Lesley-Anne Kleyn, to get to know the lady herself a little better.

Addressing the SCADA in the room
Industrial (Industry) Cyber Security
Few other sectors command the breadth of purpose-built and custom devices necessary to function, as the industrial and manufacturing industries. These unique devices create an uncommon risk that must be assessed and understood to fully protect against incoming attacks.

Recession or stress?
Cyber Security News
The economic landscape has seen many technology companies lay off vast numbers of employees, but for cybersecurity, the picture looks very different – a dynamic mixture of excitement, challenges and toxicity.

Vulnerabilities in industrial cellular routers’ cloud management platforms
Industrial (Industry) Cyber Security Security Services & Risk Management
Research from OTORIO, a provider of operational technology cyber and digital risk management solutions, unveils cyber risks in M2M protocols and asset registration that expose hundreds of thousands of devices and OT networks to attack

SAFPS to launch a platform to combat fraud
Editor's Choice News Security Services & Risk Management
In response to the growing need for a proactive approach to fraud prevention, the SAFPS is developing a product called Yima, which will be a one-stop-shop for South Africans to report scams, secure their identity, and scan any website for vulnerabilities.

NEC XON appoints Armand Kruger as Head of Cybersecurity
News Cyber Security
NEC XON has announced the appointment of Armand Kruger as the Head of Cybersecurity. Kruger will oversee all cybersecurity offerings including cybersecurity strategy, programmes, and executive advisory.