Questions to ask before the next WannaCry


If your inbox or social media feed is anything like my own you'll have probably been inundated with a stream of marketing material following the WannaCry(pt) outbreak last week. Amongst all the vendor bragging, claims and offers of free trials and assessments I've seen a lot of good advice from security professionals. The message is clear enough to sum up in one sentence for technical staff - patch, manage your network, do the basics. For security practitioners, this advice is a message they've repeated enough to become mantra.

I thought then it might be useful to look at this recent event through a different lens and provide a pocket guide for Business Managers looking to assess the situation and provide Business Owners with an understanding of their exposure. This can be used then to identify what help (if any) your technical teams need.  Clearly, a disconnect still exists in many organisations between risk owners and technical staff.  Below is a series of questions which can be sent to the relevant people within your organisation along with some guidance for interpreting their responses. There are no trick questions and any negative of incomplete responses should raise a red flag. 

 These are by no means represent a definitive assessment (nor is it intended to be). Rather, it should highlight the key risks which those organisations effected by WannaCry failed to address in time.


Vulnerability Management 


This can be a daunting topic, especially for the less-technical - but it doesn't have to be. Equipped with these questions and you can identify the weaknesses that might have led to your organisation succumbing to this incident and set about addressing them. 

Ask yourself these questions:

  • Are we installing software updates from Microsoft (and other vendors) in 14 days or less? 
  • Are we capable of installing updates remotely and automatically?
  • Does someone have to log on to systems (as an administrator) to install updates? 
  • Can we reboot ALL systems after installing updates? 
  • Are we capable of testing that these updates are received and installed on ALL systems?
  • Are we capable of identifying ALL systems that AREN'T getting updates?
  • Have we taken steps to isolate ALL these systems? 
  • Do we have a process to roll these same updates into our build processes so that new systems are up to date when they are built?
  • Do we have (and use) documented standards for building, configuring and maintaining systems?
  • Has ALL of the above been independently verified? 
  • Have we asked / checked ALL OF THE ABOVE with ANY 3rd parties which have access to ANY of our systems or our network? 
Guidance: Systems typically fail to receive security updates when the processes for doing this fail or the systems themselves are deployed in such a way that any downtime or interruption will result in an outage the business may deem unacceptable. 
Business lines should be robust enough to withstand outages and managers should look to support technical teams with pre-approved outage windows and you should promote the development of healthy 'roll-back' procedures rather than insisting on lengthy testing for security patches. The process of applying updates should be a scientific one, and technical teams should verify that patches have been successfully applied through reporting and the use of vulnerability scanning tools. Tooling should be employed to patch systems en masse wherever possible as patching systems one by one, by hand, is unsustainable. All systems should receive all patches within days because threat actors can weaponise vulnerabilities to those timescales. 
Source: Microsoft



Cyber Defences 

This can be a complicated area, especially for the non-technical. Typically referred to as 'controls', organisations have available to them families of countermeasures designed to detect or prevent security incidents progressing in the event that Technical Hygiene fails. Some of these will be known to you, like anti-virus, firewalls and web filters. Others might be unfamiliar to you, like Intrusion Detections Systems (IDS), Anti-exploit protection and Sandboxes. There is no silver bullet, despite what many vendors claim.
Source: Sophos

At the very minimum you should ask these questions:
  • Do all systems, irrespective of Operating System or manufacturer have anti-virus installed?
  • Do all these systems receive updates and do you have visibility of this?
  • Can you identify systems on your network that DON'T have antivirus installed?
  • Can you identify systems that have antivirus installed which aren't receiving updates?
  • Do all of these systems log antivirus alerts / events centrally or to a cloud service?
  • Is someone actively reviewing antivirus alerts / events?
  • Do you ever test if the antivirus product is working correctly?
  • Do we restrict access TO and FROM our network to the internet?
  • Is our network divided so that systems that don't need to access others, can't? 
  • Do we have any services exposed to the entire Internet?
  • Do we perform regular Vulnerability Scans of these exposed services? 
  • Have we ever performed a Penetration test with these services in-scope? 

Guidance: Aligning your organisation to a security controls framework is the most effective way of identifying realistic and practical options as well as the best way to navigate the complex world of security marketing. The Centre for Internet Security (CIS) now maintain the Critical Security Controls (CSC), which used to be called the SANS 20. This no-nonsense framework should provide sufficient structure and detail for orchestrating your cyber defences. 

Perform a gap analysis against the standard as-is then use the control objectives as the minimum requirements when defining your desired to-be state. If you lack expertise in-house, engage professional services but be clear with your requirements. Most will offer managed services which you should consider if you truly lack expertise in-house. The security industry is 1.7M professionals short of current demand - you should have realistic expectations when looking to address your gaps in head count.  


Incident Readiness

As important to controls is knowing what to do when they alert you to an Incident. Incident Readiness or Incident Response is the ability to effectively react to the detection of an issue or intrusion. This takes preparation and practice.

 Ask yourself these questions:
  • Do we have defined security incident plans? 
  • Do we rehearse and test these plans through simulations or 'tabletops'?
  • Are we confident that our preparation can accommodate for 'real-world' incident scenarios? 
  • Can we perform root-cause analysis against incidents and identify weaknesses?
  • Are we confident that our plans have been adapted and improved following incidents?
  • Do we have arrangements in place to utilise 3rd party IR resources if needed? 
Guidance: If your controls are lacking then it's reasonable to assume you IR capabilities are in a similar state. Don't confuse incident response with business continuity or DR - having plans to inform your customers of service outages and restore things quickly is important​ but it's not the same as being able to identify and respond to an intrusion or malware
propagating through your network. Treat these adversarial situations as exactly that. Understand your capabilities for going toe-to-toe with the bad guys and train for that eventuality. You can't start down that path once you're in the ring. Use war games and table tops to begin with before upscaling to simulations and even full red-team assessments. I wrote a post recently about Simulating Incidents

Popular posts from this blog

PCI-DSS: Your CDE may be getting bigger

Image
In December, the PCI Security Standards Council released guidance around scoping and network segmentation for card data environment (CDE) assets. In their own words: “Many organizations struggle to understand where PCI DSS controls are required and which systems need to be protected. This document provides guidance to help organizations identify the systems that, at a minimum, need to be included in scope for PCI DSS. Additionally, the document provides guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls.” The guidance goes on to visualise a scoping process, considering each category of system in turn: I believe it’s worth highlighting the ‘broadness’ of the “Connected to OR Security Impacting Systems” . These are cases where the: System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity). System component can connect
Read more

Splunk Security Cheat Sheet

Image
Apart from being a source of all too frequent and embarrassing typos, Splunk is a big data platform which allows you to interrogate data and present results is a variety of contexts and visualisations. I've been using it for a little over 12 months, self teaching or Googleing as I go, predominantly to sift through the terabytes of logs from various applications and appliances that get generated in my 9-5 every day.  You can use Splunk to build dashboards which are typically better than the ones that come with the product ( full size )  I've started to pull together all the searches, notes and bits of code into a sort of security cheat sheet which I thought would be a good thing to share as well as providing some real world examples of how you might use Splunk in a security context.  Cheat Sheet I'm actively working back through my notes and adding to this all the time so it might be a good thing to reference via the URL or re-visit from time to time. I'll t
Read more

Tools & Techniques - Cloud Firewalls (DigitalOcean)

Image
My home lab is (probably) typical of most security professionals: a beefy workstation running VMWare workstation, a beefy-ish workstation running ESXi and a bunch of laptops, switches and other devices.  I utilise a couple of VPS providers for hosting and exposing VMs to the cloud. My VPS provider of choice has been DigitalOcean for the last couple of years (going by my billing history) and to date, they've been excellent. They recently introduced and advertised a new service feature called 'Cloud Firewalls' and I had chance to have a play with them today. Essentially, they've incorporated a network level firewall service to their VPS offering which can be used as an alternative or in addition to host-based firewalls like iptables, firewalld, etc.  Initial Impressions - Pros, Cons and Limitations Pros No Cost (free!!) - Cloud Firewalls are available at no additional cost. Availability - Cloud Firewalls are available in ever region DigitalOcean operate.
Read more