EDITOR’S QUESTION
STEVEN MALONE, DIRECTOR OF SECURITY PRODUCT MANAGEMENT, MIMECAST

An increasingly popular email security technique is to convert all Office files into a safe and benign format. This can be combined with a sandbox to ‘detonate’ attachments in a virtual environment to analyse their behaviour for malicious activity.

Rewriting all links to scan for unsafe content at time-of-click is the best approach to preventing delayed attacks.

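The mechanics behind time-of-click link rewriting, as an added example that is not code from the article or from Mimecast: at delivery every http(s) href is replaced with a gateway redirect URL carrying the original URL plus an HMAC, so a rewritten link cannot be forged or altered; at click time the gateway verifies the HMAC, scans the destination against the reputation data it has at that moment, and only then redirects. The gateway host, the shared key and the block-list lookup that stands in for a real scanner are all constructed placeholders.

```powershell
# Added example, not from the article or Mimecast. Demonstrates delivery-time URL
# rewriting plus click-time verification and scanning, so a link that was clean at
# delivery but weaponised later is still caught when the user clicks it.
# Assumptions: placeholder gateway host, a demo HMAC key, and a stub reputation check.

$GatewayBase = 'https://click.example.invalid/v1/url'   # placeholder gateway endpoint
$KeyBytes    = [System.Text.Encoding]::UTF8.GetBytes('demo-key-replace-with-a-real-secret')  # constructed

function Get-UrlToken {
    # HMAC-SHA256 over the original URL, base64url-encoded (URL-safe alphabet, no padding).
    param([string]$Url)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($KeyBytes)
    $mac  = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Url))
    $hmac.Dispose()
    [Convert]::ToBase64String($mac).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertTo-RewrittenUrl {
    # Delivery side: wrap the original URL in a gateway redirect that carries its token.
    param([string]$Url)
    $encoded = [Uri]::EscapeDataString($Url)
    "${GatewayBase}?u=${encoded}&t=$(Get-UrlToken $Url)"
}

function ConvertTo-RewrittenHtml {
    # Rewrites every http(s) href in an HTML body; mailto: and other schemes are left alone.
    param([string]$Html)
    [regex]::Replace($Html, 'href="(https?://[^"]+)"', [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        'href="' + (ConvertTo-RewrittenUrl $m.Groups[1].Value) + '"'
    })
}

function Test-UrlReputation {
    # Stand-in for the gateway scanner: a constructed block list consulted at click time.
    param([string]$Url)
    $blocked = @('http://payload.example.invalid/invoice.docm')
    return -not ($blocked -contains $Url)
}

function Resolve-ClickedUrl {
    # Gateway side: verify the token (case-sensitive compare), then scan with the
    # reputation data that exists *now*, not the data that existed at delivery.
    param([string]$Url, [string]$Token)
    if ((Get-UrlToken $Url) -cne $Token) { return 'REJECT: token mismatch (tampered or forged link)' }
    if (-not (Test-UrlReputation $Url)) { return "BLOCK: $Url" }
    return "REDIRECT: $Url"
}

# Constructed sample message body.
$body = '<p>See <a href="http://payload.example.invalid/invoice.docm">your invoice</a> ' +
        'or the <a href="https://intranet.example.invalid/hr">HR portal</a>.</p>'
ConvertTo-RewrittenHtml $body

# Simulated clicks: a link that turned malicious after delivery, a clean link, and a forged token.
Resolve-ClickedUrl -Url 'http://payload.example.invalid/invoice.docm' -Token (Get-UrlToken 'http://payload.example.invalid/invoice.docm')
Resolve-ClickedUrl -Url 'https://intranet.example.invalid/hr' -Token (Get-UrlToken 'https://intranet.example.invalid/hr')
Resolve-ClickedUrl -Url 'https://intranet.example.invalid/hr' -Token 'forged'
```

The token is what makes the scheme safe to expose: without it, an open redirect on the gateway could be abused to launder arbitrary URLs, so the click handler must reject any request whose HMAC does not verify before it even looks at the destination.
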
Meanwhile, security policies should also look at emails sent internally. It only takes one employee to be infected by a web download or USB stick, and malware can quickly spread inside the network by email.

Preventive measures alone can’t keep up with the fast-evolving nature of ransomware attacks and, as this attack highlights, there are many ways for an infection to enter an organisation.

The WannaCry ransomware outbreak has highlighted the disruptive power of ransomware like never before. Simply by encrypting and blocking access to files, critical national services and valuable business data can be damaged.

Here’s how Middle East organisations can review network security, backup and business continuity processes to bolster defences against future attacks.

Specifically for WannaCry, samples revealed that the ransomware is spread over local networks and the internet by abusing Server Message Block (SMB) protocol weaknesses. Unless you have a very good reason not to, disable the SMBv1 protocol on your network, while also ensuring SMB cannot be directly accessed from the internet. As part of a wider network hardening strategy, you can disable or block other legacy protocols on your network that you are not using.

Microsoft released a security update back in March which addresses the vulnerability that WannaCry is exploiting. Organisations that have not yet applied the security update should immediately deploy Microsoft Security Bulletin MS17-010.

If you are using a legacy, now unsupported version of Windows, you should consider upgrading immediately. However, if this is impossible in the short term, Microsoft has taken the unusual measure of releasing a security patch that can buy you time to upgrade.

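The SMB hardening and MS17-010 advice above, turned into a host audit with optional remediation. This is an added example, not code from the article or from Mimecast. It checks whether SMBv1 is still enabled server-side, whether an MS17-010 update is present, and whether any enabled inbound firewall rule opens TCP 445 on the Public profile. The KB numbers are the MS17-010 patch identifiers as I know them from Microsoft's bulletin for common Windows releases; the article names only the bulletin, so treat the list as an assumption to verify against the bulletin, and note that on Windows 10 later cumulative updates supersede them.

```powershell
# Added example, not from the article or Mimecast. Audit a Windows host for the
# WannaCry exposures the text lists, then optionally harden. Run elevated on
# Windows 8.1 / Server 2012 R2 or later (PowerShell 5.1+), where the SMB and
# NetSecurity cmdlets used here exist.

# MS17-010 KB numbers for common releases (assumption: verify against the bulletin).
# On Windows 10 a newer cumulative update supersedes these, so a miss there is not
# proof the host is unpatched; check the OS build instead.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                # Server 2012
    'KB4012598',                             # XP / Vista / Server 2003 / 8 RTM out-of-band patch
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Smb1Enabled {
    # Server-side SMBv1 state; $true means the host still speaks the protocol WannaCry abused.
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
}

function Test-Ms17010Installed {
    # $true if any listed KB is present in the installed-update inventory.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Get-InboundSmbRules {
    # Enabled inbound Allow rules whose port filter opens TCP 445 (or any port).
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq 'TCP' -and
                (@($filter.LocalPort) -contains '445' -or $filter.LocalPort -eq 'Any')
        } |
        Select-Object DisplayName, Profile
}

function Invoke-SmbHardening {
    # Disable SMBv1 on the server side, remove the SMB1 feature where the optional
    # feature exists, and block inbound 445 on the Public profile so SMB is not
    # reachable from untrusted networks. Internal file sharing over SMBv2/3 still works.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    $ruleName = 'Block inbound SMB (Public profile)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

# Report first; remediate only after reviewing what the report says.
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    Smb1Enabled      = Test-Smb1Enabled
    Ms17010Installed = Test-Ms17010Installed
    InboundSmbAllow  = (Get-InboundSmbRules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" }) -join '; '
} | Format-List

# Invoke-SmbHardening   # uncomment to apply the hardening described in the text
```

The firewall check is a host-side proxy for "SMB cannot be directly accessed from the internet"; it does not replace confirming at the perimeter that TCP 445 is not forwarded or permitted inbound from external addresses.
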
Email has traditionally been the primary attack route for ransomware. Attackers often send Microsoft Office documents with malicious macros that download and install malware. This includes Word, Excel, PowerPoint and also PDFs. Clever social engineering will trick employees into enabling the macros and delivering the ransomware payload.

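An endpoint-side complement to the gateway controls the article describes, added here as an example that is not code from the article or from Mimecast: Office policy values that block macros in documents that arrived from the internet and disable unsigned macros outright, so the "Enable Content" prompt that the social engineering relies on is never offered. It assumes Office 2016 or later (registry version key 16.0); in a domain the same values would normally be pushed by Group Policy rather than by a per-user script.

```powershell
# Added example, not from the article or Mimecast. Sets the Office macro policy
# values for Word, Excel and PowerPoint under HKCU:\Software\Policies, which take
# precedence over the user's own Trust Center choices.
# Assumption: Office version key 16.0 (2016/2019/365); adjust $OfficeVersion otherwise.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-OfficeSecurityPolicyPath {
    param([string]$Application, [string]$Version = $OfficeVersion)
    return "HKCU:\Software\Policies\Microsoft\Office\$Version\$Application\Security"
}

function Set-OfficeMacroPolicy {
    param([string[]]$Applications = $Apps, [int]$VbaWarnings = 3)
    foreach ($app in $Applications) {
        $path = Get-OfficeSecurityPolicyPath -Application $app
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # 1 = "Block macros from running in Office files from the Internet"
        # (files carrying the Mark-of-the-Web, i.e. email attachments and downloads).
        Set-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # VBAWarnings: 1 enable all, 2 disable with notification, 3 disable all except
        # digitally signed, 4 disable all without notification. 3 keeps signed
        # line-of-business macros working; use 4 where no macros are needed at all.
        Set-ItemProperty -Path $path -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    # Reads the values back so the change can be verified (or audited on other hosts).
    param([string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $props = Get-ItemProperty -Path (Get-OfficeSecurityPolicyPath -Application $app) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application         = $app
            BlockInternetMacros = [bool]($props.blockcontentexecutionfrominternet -eq 1)
            VBAWarnings         = $props.VBAWarnings
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

These values do nothing for the PDF case the article also mentions; that still relies on the gateway conversion and sandboxing described earlier and on keeping the PDF reader patched.
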
It’s vital you regularly back up critical data and ensure that ransomware cannot spread to backup files. Ransomware can take time to encrypt large volumes of files, particularly across a network share. It is imperative to ensure your backup window is long enough to go back before any infection begins.

Backup and recovery measures only work after an attack, and cost organisations in downtime and IT resources dealing with the attack and aftermath. You must be able to continue to operate during the infection period and recover quickly once the infection has been removed.

I advise organisations never to succumb to the pressure to pay the ransom to regain access to their applications and data. There is no guarantee this will unlock files, and paying further motivates and finances attackers to expand their ransomware campaigns.