Sunday, 14 May 2017

Security message on recent Ransomware attacks (WannaCry worm)

(In case it helps, here is an email I sent today to all of PhotoBox Group Technology team)

Hi all Tech (TL;DR: high risk of Ransomware, see list of recommendations below)

As you probably have seen in the news, there has been a wide spread Ransomware attack which affected large number of companies worldwide, and is bound to cause more damage next week.

The attack is called Ransomware (a play on Ransom + Software) and has the business model of encrypting all files the affected computer has access to, and then asking for a ransom (i.e. payment) to decrypt the files.

What makes this attack dangerous, is that it's also a self-propagating worm. Once it runs on a machine, it will scan the local network and compromise computers not patched with the MS17-010 - Critical security update released by Microsoft in March (and yesterday for XP) . Once in the new infected computer, it will continue scanning (if connected to other networks) and eventually start encrypting all files. See Troy Hunt's post for a really nice technical explanation of this issue.

As far as we can tell, we have not been impacted with this WannaCry attack (although we have add Ransomware incidents in the past). This is more down to luck and maybe the fact that this security researcher managed to hit a 'kill switch' by accident (which btw, could have a way to re-enable itself).

It is important to note that this attack is severely limited by the criminal's simple business model (pay $300 per affected computer). This would had been much, much worse, if the attackers corrupted/disclosed the data, and had a much higher ransom price. So when the NHS says that no patient data has been compromised this is more to do with the limited attackers business model vs the NHS ability to protect that data  (i.e. the malicious code had access to patient data, but chose to 'only' encrypt it'). The analogy here is "Imagine that the criminals broke into a bank, had access to all customer records + the money stored in the vault, and the only thing they did, was to change the locks of the font doors and vault").


Note that this kind of attack is also moving to the cloud. See "Look out for the Google Docs phishing worm" and "Why the Google Docs worm was so convincing".


In terms of our ability to detect and mitigate against these type of attacks, we are not in a good shape, and really depend on your help. 

Here are some recommendations that we would like you to follow:

As a user:

  • Install latest Security Updates (vs 'install it later tomorrow')
  • Be careful when clicking on links, and only download apps/executables from known/trusted sources
  • If you think you have been compromised:
    • Communicate to the Group Security Team as soon as possible (#security on slack)
    • unplug device from network and shut it down as soon as possible
  • Avoid at maximum to plug in non-company laptops/devices to our network (and if you have to, ask local IT support to take a look at that laptop's security)
  • Double check that your data is backed-up regularly (daily or hourly) so that when you/we are hit with RansomWare (which would encrypt those files), the amount of data lost would be minimal
  • Reduce the amount of data (and file shares) that you have access to (namely internal or customer's PII (Personally Identifiable Information))
  • Ask for your laptop/desktop to be rebuilt regularly (helps to understand the 'what is not currently backed')
  • Use 2FA (two factor-authentication) for your most important accounts
  • Use a Password Manager
  • Encrypt sensitive data (when not in use)
If you run as an admin (or manage your IT infrastructure):
  • Ensure Security Patches are automatically installed
  • Enable your Firewall and set it to block incoming connections (apart from some white-listed ports)
  • Ensure anti-virus are installed and automatically updated
  • Don't use old Operating Systems (if we have OSes that we can't patch, there are a couple mitigations we can do, like "disabling SMB")
  • Don't run as admin, ideally creating low privilege accounts to browse the Internet + read emails, or even better, create VMs dedicated for Internet Browsing and email handling
  • Use git as an backup strategy since it will give you version-control and easy re-install (assuming you push it to GitHub)
  • Review the current 3rd party VPN connections to our network from 3rd party companies
  • Help to identify current Risks so that we can proactively find solutions for them (to be involved please see the OwaspSAMM and JIRA Risk mapping activities currently under way)
From a detection point of view, at the moment our best bet is the Dark Trace service that we manage. This is a passive monitoring service which 'should' give us an alert if worms like WannaCry are set lose in our network. In the medium term I would like us to have a more proactive solution in place, where the damage is minimised when (not if) an malicious link was clicked or when (not if) malicious code is running in our network. 


For now we really depend on you to keep our data and our customers magical moments safe.

Finally, to give you an idea on who to talk about any of this issues, here is a brief intro to our current PBX Group Security team:
  • Clare and Dilek are our Risk management and policies rock stars and the ones that proactively are help us to manage our risk
  • Naushad is our resident hacker (on the good/light side of the Force) which helps us to hack ourselves first and is currently helping to setup a SOC (Security Operations Centre) so that we can have a much better view on what is going on, and are able to effectively (and pragmatically) react to events
  • XYZ and Antoine are part of our NIS (Network Information Security) team, and are also very actively (50% of their time) in the setup of the SOC (which will be a service made available to all teams, and will leverage existing investments in log management and visualisation systems)
  • Anders is the one managing all Security Activities and helping to create the FY18 Security strategy (you know him from his previous TechOps role)
Note that we are still quite a bit far off from the team, infrastructure and services that we need to have in place to protect all PBX Group brands and customers (which is why we really need your help in securing our world).

Don't hesitate to contact any of the team members if you have any questions, concerns or ideas.

Thanks for you help

Dinis Cruz
CISO PhotoBox Group