This week there is considerable coverage of a major company being afflicted once more by WannaCry.
It’s been about a year since the initial wave of WannaCry outbreaks spread across the world. In the UK, the NHS was affected to such an extent that it exposed how far cyber security practices, and infrastructure planning, had faltered.
In the case of WannaCry, patches for most Windows systems were released by Microsoft in Quarter 1 of 2017. An emergency patch was released by Microsoft for Windows XP systems around May of that year. The release of a patch for Windows XP, then long out of support, was a significant step by Microsoft and confirmed the significance of Windows XP in corporate infrastructure.
Obsolescence management is difficult
It is surprising that a major technology-oriented corporation could be afflicted by such software nearly a year after the initial outbreak. This time around they had patches available, with the surrounding analysis and advice, which makes the development all the more surprising.
Then again, in a very small set of circumstances it’s not unusual to run obsolete or unpatched systems such as Windows XP or Windows 7 systems, particularly when the products they form a part of, or support, are long-lived systems that could be in service for decades.
In an ideal world, applications and their operating systems would continuously upgrade. Vulnerabilities would remain open only until the next regular patching cycle.
Applications that run on platforms such as Windows XP potentially come with their own obsolescence issues and create a web of dependencies on other libraries and other systems.
It may be difficult or next to impossible to upgrade an obsolete platform because the product includes an obsolete application whose developers are no longer in business.
This of course should spur on upgrade or replacement strategies to address the risk, so it can only ever be a temporary situation. Mitigation strategies are crucial in managing obsolete software and/or hardware.
These and commercial factors often make the security management of obsolete platforms challenging and far more complicated than might appear at first glance.
Technical strategies to minimise risk
The selection of security controls to treat obsolescence risks in such circumstances is essential. So what can security practitioners do to ensure ransomware does not afflict an enterprise network?
In this series of blog posts, I’m going to discuss various strategies that could potentially be employed in a corporate infrastructure to help prevent ransomware from taking hold.
There are no doubt many other steps that can be undertaken. Of course, all of this is dependent on corporate risk management practices, existing controls, and risk appetite.
Obsolescence should be managed using a defined process. Design operational processes that have Obsolescence Management (OM) built in from day one. This process should address all stakeholder requirements and ensure obsolescence issues are highlighted early, allowing time for the business to make decisions.
The only realistic way to manage obsolescence is to consider how it will unfold in the longer term, by forecasting.
For all software products and systems, maintain a register (machine- or hand-generated) containing end-of-support data. Use this to forecast when products will go out of support, and initiate refresh plans in good time.
OM processes are relatively straightforward to implement, and extensive COTS security products for small systems are not necessary.
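A register-driven forecast of the kind described above can be a short script. The following is an added example, not part of the original post; the register rows, the owners and the 730-day planning window are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample register. The owners, the "Legacy HMI application" and
# "Database server" rows, and their dates are hypothetical.
REGISTER_CSV = """product,owner,end_of_support
Windows XP,Plant systems,2014-04-08
Windows 7,Desktop team,2020-01-14
Legacy HMI application,Plant systems,2019-06-30
Database server,Platform team,2022-12-31
"""

def forecast(register_csv, today, lead_time_days=730):
    """Classify each register entry by how close it is to end of support.

    lead_time_days is an assumed planning window: the time the business
    needs to budget, test and deploy a replacement.
    """
    report = {"out_of_support": [], "start_refresh": [], "supported": []}
    for row in csv.DictReader(io.StringIO(register_csv)):
        eos = date.fromisoformat(row["end_of_support"].strip())
        days_left = (eos - today).days
        if days_left < 0:
            status = "out_of_support"   # needs compensating controls now
        elif days_left <= lead_time_days:
            status = "start_refresh"    # inside the planning window
        else:
            status = "supported"
        report[status].append((row["product"], row["owner"], days_left))
    # Most urgent first within each group.
    for entries in report.values():
        entries.sort(key=lambda entry: entry[2])
    return report

if __name__ == "__main__":
    for status, entries in forecast(REGISTER_CSV, date(2018, 4, 1)).items():
        for product, owner, days_left in entries:
            print(f"{status:15} {product:25} {owner:15} {days_left:6d} days")
```

Run on a schedule, the "start_refresh" group is the list that should reach decision-makers while there is still time to act.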
Use a recognised risk methodology to provide continuous risk management. Very few organisations are able to do this well.
If the organisation does not operate an adequate risk management process that assesses risk and selects appropriate controls, it will prove more difficult than necessary to manage risk.
Continuous management of risk is essential. While a review of security practices in response to, for example, a ransomware infection is beneficial, risk management should be in operation at all times.
It’s important to ensure risk management delivers tangible value and gets traction.
Harden anticipated entry points
Most threats will enter corporate networks through a known entry point that can benefit from hardening activities. These entry points include removable media, web traffic, file sharing sites including Cloud storage, and inbound email.
Browser hardening strategies, for example lockdowns through Group Policy, can help manage the risk of phishing, malicious sites, and drive-by downloads.
Mapping the data flows from desktop applications through to the Internet or WANs can assist in identifying where checkpoints can be established to apply filtering.
Small companies and businesses should use an outsourced consultant to provide this capability, as it may require updates to the lockdown baseline and further configuration work to ensure new software operates correctly.
Manage browser plugins
Browser plugins are potentially another route through which a drive-by download attack could succeed. Most users and companies do not manage browser plugins half as well as they could, and there can be many of them installed by various software products over time. Some may be obsolete and/or contain significant software vulnerabilities.
Ensure plugins in browsers are white-listed to help combat the use of insecure plugins. Ideally, plugins should be pruned if found to be out of date or vulnerable.
Plugin white-listing tends to involve updates to system configuration, e.g. via Group Policy. Small companies and businesses should use an outsourced consultant to provide this capability, as it will require continuous support to adapt the system configuration to emerging software requirements.
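The white-list-and-prune check described in this section can be run against a plugin inventory before the policy is enforced. This is an added example, not from the original post; the plugin names, host names, versions and inventory layout are all constructed for illustration.

```python
# Constructed allowlist (hypothetical names): plugin -> minimum approved version.
ALLOWLIST = {"PDF Viewer": "3.2.0", "Corporate SSO Helper": "1.10.0"}

# Constructed inventory rows, as an asset-management export might list them.
INVENTORY = [
    ("desk-01", "PDF Viewer", "3.10.1"),
    ("desk-01", "Corporate SSO Helper", "1.9.4"),
    ("desk-02", "PDF Viewer", "3.2"),
    ("desk-02", "Video Toolbar", "7.0"),
    ("desk-03", "PDF Viewer", "unknown"),
]

def parse_version(text, width=4):
    """'1.10' -> (1, 10, 0, 0); numeric so 1.10 ranks above 1.9. None if unreadable."""
    try:
        parts = [int(p) for p in text.strip().split(".")]
    except ValueError:
        return None
    return tuple(parts + [0] * (width - len(parts)))

def audit(inventory, allowlist):
    """Return (host, plugin, action) for every plugin that fails the policy."""
    findings = []
    for host, plugin, version in inventory:
        minimum = allowlist.get(plugin)
        installed = parse_version(version)
        if minimum is None:
            action = "remove: not on allowlist"
        elif installed is None:
            action = "investigate: version unreadable"
        elif installed < parse_version(minimum):
            action = "update or remove: below approved minimum"
        else:
            continue  # allowlisted and current
        findings.append((host, plugin, action))
    return findings

if __name__ == "__main__":
    for host, plugin, action in audit(INVENTORY, ALLOWLIST):
        print(f"{host}: {plugin}: {action}")
```

Versions are compared numerically rather than as strings, otherwise "1.9.4" would wrongly rank above "1.10.0" and an outdated plugin would pass.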
A good ransomware strategy uses multiple, potentially overlapping controls to maximise coverage. Of course, a good ransomware strategy is simply a good security strategy, so building long-term continuous security management processes is the best solution overall.
In Part 2, I’ll be covering some more ground on potential ransomware security strategies, including network segmentation.