The unprecedented ransomware attack that kicked off on 12 May and almost simultaneously hit about 200,000 computers in 150 countries may finally force businesses to take cyber security seriously.
It was global, indiscriminate and has had real-world consequences on businesses and high-profile public institutions such as NHS trust hospitals.
In response, comment and advice have come from just about every quarter, but it all boils down to the same set of action points.
The main recommendations are:
- Make sure security software patches are up to date.
- Run antivirus software.
- Make multiple backups of data, including offline backups.
- Avoid opening unknown email attachments or clicking on links in emails.
At the top of everyone’s list of recommendations is patching. WannaCry exploits a known vulnerability in Microsoft Windows to spread rapidly without human intervention.
Microsoft patched the “EternalBlue” server message block (SMB) vulnerability two months ahead of the attack. If all systems had been patched, the attack would not have spread so rapidly.
Exploiting this vulnerability gives WannaCry its worm-like ability to spread rapidly across networks without any additional human intervention.
Patching would not have stopped the initial infections, however; preventing those, in most organisations, comes down to user education.
But there is a groundswell of opinion that end-users cannot be expected to spot well-crafted social engineering attacks designed to trick them into clicking on malicious links and attachments.
This has given rise to a new breed of security technologies designed to make it safe for employees to do their work without worrying about being tricked into enabling a damaging cyber attack.
Glasswall Solutions and Bromium are examples of security suppliers who have developed technologies with the end-user in mind.
Ransomware may be extremely helpful in getting organisations to take security more seriously and highlighting issues such as patching and user education, but it can be defeated automatically, say Glasswall and Bromium.
Glasswall’s software is designed to strip out malicious documents and links before they ever reach employees by breaking documents down to byte level and passing on only the “known good” as defined by manufacturers’ file format standards.
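The "known good only" regeneration approach described above, illustrated with an added example that is not Glasswall's code: a PNG file is parsed chunk by chunk against the format's structure (length, type, data, CRC), and a new file is rebuilt from a whitelist of structural chunks, so metadata or unknown chunks never pass through. A real product would also validate the contents of each kept chunk; the sample PNG below is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types the rebuild keeps: the structural chunks a PNG needs to render.
# Everything else (text, metadata, unknown private chunks) is dropped.
ALLOWED = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def parse_chunks(blob: bytes):
    """Walk the chunk list, rejecting truncation and CRC mismatches."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError(f"truncated chunk {ctype!r}")
        data = blob[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        yield ctype, data
        pos = end

def rebuild_png(blob: bytes) -> bytes:
    """Regenerate the file from parsed, whitelisted chunks only."""
    out = PNG_SIG
    for ctype, data in parse_chunks(blob):
        if ctype in ALLOWED:
            out += chunk(ctype, data)
    return out

def make_sample() -> bytes:
    """Constructed 1x1 grey PNG carrying an extra tEXt chunk to be stripped."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte 0 + one grey pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"tEXt", b"Comment\x00hello")
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))
```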
Bromium has a similar philosophy, but uses micro-virtualisation technology to ensure that whatever a user clicks on launches only within its own virtual machine or micro-VM. This means that any malicious code is not passed on to the main IT environment and can be analysed safely within the micro-VM.
Bromium claims this approach has no effect on user experience or performance and provides 100% protection from malware because it does not rely on any “detection” capability.
Using micro-VMs means that organisations can let ransomware and other malware run because attackers have nowhere to hide and nothing to steal, said Ian Pratt, co-founder and president of Bromium, in an interview with Computer Weekly in January 2017.
“Because the malware is isolated in the micro-VM, it cannot steal password hashes and other credentials or access any file systems,” he said.
Hopefully, WannaCry is a sufficiently significant attack to force even the most recalcitrant organisations to sit up, take notice and take cyber security seriously at every level of the organisation.
In addition to highlighting the importance of running up-to-date and fully patched software, hopefully it will lead to a change in approach where end-users are not put in the firing line.
If organisations start to seek out and implement technologies that automatically deal with common attack routes, without relying on end-users to be alert and instead letting them get on with their work, there may be an opportunity to finally make some significant progress in cyber defence.