Businesses, I'm not going to say you had it coming, but this WannaCry attack was entirely preventable.
In episode 8 of the IT ops news & talk podcast, I gave a bit of a rant that focuses on the this ransomeware attack. The failure comes down to a lack of five elements of rigor, in my humble opinion. And, here they are:
1. Rigorous data backup
If you're backing up all your important data – your user data, your server data, whatever – and you're not only backing it up, but verifying the backups to make sure they're good and even performing periodic trial restores, then a ransomeware attack will be nowhere near as damaging as it could otherwise. I'd also recommend keeping backups on secured servers to prevent intrusion. Remember, the idea with ransomware is that once the machine is infected, it not only attempts to hit all your locally mounted drives, but also drive mappings with network volumes as well. So, if your backups are stored in a location that's not immediately accessible by the malware, all the better.
2. Rigorous patching
The days of running, say, a month behind in your backups are gone. Many update and patch engineers I'm friends with normally stay at least a month behind on Microsoft updates to rigorously test the updates to ensure the updates aren't going to break anything on their production networks. I think the time is long overdue to shorten that window of approval for updates because we know that technology moves fast. With DevOps and continuous integration, continuous deployment software runs fast. Malware, it's the same thing, especially really high-speed vectors like phishing and exploit of vulnerabilities. So, rigorous patching. Certainly, if businesses have patched their systems with that March update, those systems would not have been subject to this particular attack.
3. Rigorous upgrade
While related to rigorous patching, rigorous upgrade means, well, Windows XP reached its end of life in April 2014. Windows Server 2003 reached end of life in July 2015. This means if a business is running those old operating systems, they haven't been patched by Microsoft in years (a tremendous vulnerability in itself).
4. Rigorous auditing
An ideal intrusion prevention system, or IPS, integration in your network needs to have controls in place that look for events—suspicious events like lots of data access from a specific user. That could very well be a red flag of a ransomware attack and process. Intrusion detection systems are good because they can raise an alarm for suspicious behavior. More to the point, an intrusion prevention system appliance can look for these suspicious traffic patterns and actually block them before they cause real damage.
5. Rigorous firewalling
The fifth and final element of rigor, in my opinion, is rigorous firewalling, even at the client. Once again, it's a common behavior I've found among Windows systems administrators to disable the client firewall because it's just too much of a pain in terms of being able to reach your client machines for management. Bad idea. More to the point, this EternalBlue exploit targets flaws and server message block. Disable SMBv1. The chances are enormous that you don't need the protocol on your systems, and it may very well be enabled right now, which opens the door to the potential of that vulnerability.
So, I've made my peace. Catch the full explanation and check out the entire episode of IT ops news & talk here, where I also interview Pluralsight’s Director of IT Ops Curriculum, Don Jones.