Cyber attacks to the left, ransomware to the right

1 August 2017 Editor's Choice, Information Security, News & Events

With Petya sweeping the globe and proving that we all need to be agile and responsive to the new unknowns, here are some tips for preventing future nasties like WannaCry and Petya which are now making use of EternalBlue and related advanced exploit code.

Prevention tips

Admin privileges: The malware requires administrator rights to the local computer. Standard users should not have this in permission. Consider restricting who has local admin rights to prevent execution of exploit code within organisations. Home users should also consider using a standard user account for day-to-day operations.

No reboot on crash: Many Windows systems are configured to automatically reboot if it crashes. You can disable this feature in Windows. If you can prevent the MFT from being encrypted, you can still recover your data from your local disk.

Unlike WannaCry, Petya is a different kind of ransomware. Common delivery methods are via phishing emails or scams. The payload requires local administrator access. Once executed, the system’s master boot record (MBR) is overwritten by the custom boot loader, which loads a malicious kernel containing code that starts the encryption process.

Once the MBR has been altered, the malware will cause the system to crash. When the computer reboots, the malicious kernel is loaded, and a screen will appear showing a fake Check Disk process. This is where the malware is encrypting the Master File Table (MFT) that is found on NTFS disk partitions, commonly found in most Windows operating systems.

It is when the machine is rebooted to encrypt the MFT that the real damage is done.

Protecting your organisation

• Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability.

• Consider disabling SMBv1 to prevent spreading of malware.

• Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.

• Ensure you have the latest updates installed for your anti-virus software.

• Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share.

• Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if an attack occurs.

• Operate a least privileged access model with employees. Restrict who has local administration access.

What strategic lessons can we learn?

• We must take a step back and examine not only the “what now?” response, but also the “what next?” In other words, what does the avalanche of malware and other advanced attacks tell us?

• Our existing traditional trust models don’t work. With more critical assets moving to cloud, believing that the data centre is safer is a false philosophy.

• The idea that security practitioners can do any kind of one-time risk assessment and sign-off is flawed, and opens the door for future attacks.

• Trust and risk require continuous re-validation, and a one-time evaluation/accreditation is no longer fit for purpose.

• Adaptive systems providing advanced monitoring and analytics are key.

We need to spend more, but on what?

The BBC has reported that there are calls for a massive increase in cybersecurity spending (www.bbc.com/news/uk-scotland-scotland-politics-40341339), and it’s certainly true that many organisations have avoided spending money on cybersecurity for some years. Elsewhere, CSO online has described the impact of not having nearly enough cybersecurity professionals (www.csoonline.com/article/3201974/it-careers/cybersecurity-job-market-statistics.html). So, we need more competent, trained and enthusiastic professionals, and we need better systems that can analyse, detect and highlight threats requiring intervention.

A lot of people are throwing the ‘cyber’ word around now (and it does sound more fun that ‘IT security’, or ‘computer security’). But cyber has become a very wide term, including:

• Secure software engineers.

• Security evangelist.

• Security architects (and there’s a wealth of division on what secure architecture actually is).

• Security operations engineers.

• Incident responders.

• Penetration testers.

• Digital forensics specialists.

• Network engineers who understand security.

• Firewall engineers.

• Application testers.

• Wireless security engineers.

• Risk management experts.

• SecureDevOps.

• Security awareness.

Add to that, project managers, programme managers, administrators and the entire caboodle of corporate governance wrapping around the people at the sharp end. We know that budgets are limited (otherwise they wouldn’t be budgets) and so we need to decide what to spend our money on, and how to get the most out of our people.

Security and risk will be further discussed with local CTOs and CSOs at the Gartner Symposium/ITxpo taking place in Cape Town from 18 to 21 September (www.gartner.co.za)





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Data security and privacy in global mobility
Risk Management & Resilience Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
Enhance control rooms with surveillance and intelligence
Leaderware Editor's Choice Surveillance Mining (Industry)
Dr Craig Donald advocates the use of intelligence and smart surveillance to assist control rooms in dealing with the challenges of the size and dispersed nature common in all mining environments.

Read more...
A long career in mining security
Technews Publishing Editor's Choice Mining (Industry) Risk Management & Resilience
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Read more...
A constant armed struggle
Technews Publishing XtraVision Editor's Choice Integrated Solutions Mining (Industry) IoT & Automation
SMART Security Solutions asked a few people involved in servicing mines to join us for a virtual round table and give us their insights into mine security today. A podcast of the discussion will be released shortly-stay tuned.

Read more...
Risk management: There's an app for that
Editor's Choice News & Events Risk Management & Resilience
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Read more...
Integrated information platform for risk management
Editor's Choice News & Events Risk Management & Resilience
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Read more...
Unlocking Africa's AI potential
Editor's Choice News & Events AI & Data Analytics
Africa's AI market is set to grow exponentially; by investing in AI education, training, and ethical practices, African nations can harness the power of AI to transform the continent and create a brighter future for its people.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Risk Management & Resilience
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.

Read more...