Monday, May 15, 2017

Wcry lesson - we learn that we do not learn

Wannacry ransomware wreaked havoc around the globe, infecting and putting out of commission more than two hundred thousands computers. One could consider this as a brutal and effective crashtest for common security practices. Test that we have failed, miserably. Just look at the map of affected countries...

The situation could be completely different, if IT security adhered to a small set of very basic security practices, such as

Educate end users

One of the Wcry vectors is a phishing email. We all know that it is not wise clicking on email links, right? Wrong, apparently. People are still doing that. Teaching users simple security awareness practices is vital to avoid such incidents.

Scan incoming emails and downloads

One of the classic cases of Threat Emulation is scanning and detonating file attachments and downloads. Every decent security vendor has an appropriate offering in this field. 

Anti-phishing tools are also widely available, both onsite and cloud based.

Patch your systems timely

SMB vulnerability used by Wcry to propagate was patched by Microsoft in March 2017, two month before the event. Two month!

Use IPS for virtual patching

Okay, you say, we could patch all supported Windows machines, but how about XP, 8 and 2003? Even if there was no patched for unsupported Windows flavors, simple IPS virtual patching would do. How hard it can be, really?

Filter incoming traffic, segment your networks

To prevent the initial infection coming from Internet through SMB, one only needed to filter out incoming SMB traffic. Same to prevent lateral movement of the worm in segmented networks. Simple FW rules denying such traffic would do.

Backups, backups, backups

In case of infection, there is always a plan B - restoring systems from backups. If you have any. If you keep them safe. Safe in this context means offline. 

Simple and widely known best security practices could save the day. Yes, we have all seen recently that our networks are out there for anyone who wants to take them over. How sad is that?

To support this blog send your donations to

No comments:

Post a Comment