In this series of blogs we examine all topics under the information security umbrella. From corporate blunders to rogue state attacks to the occasional celebrity hack, we believe there is something for businesses and individuals to learn from any cyber security event. We also believe that, while experience is the best teacher, it’s even better to let other people make the mistakes for you.
Wanna Cry Ransomware
By now you have probably heard about the Wanna Cry Ransomware attack that hit the world this month. If you haven’t, please make sure to remind me to put your personal email address into my SPAM filter. All kidding aside, this was a global-scale attack on mostly corporations that involved a “Trojan Horse” of sorts in the form of a Google Documents link sent from what initially may have appeared to be a known source. In a nutshell, thousands of businesses around the world found themselves behind the 8-ball on their security updates, and as a result, were unable to access their company’s files without either paying hackers a ransom or relying on their protected, backed-up files. This poses a few big questions about how to prevent this right off the bat, but before we get into those, we need to make sure everyone is on the same page with some background into the story of Wanna Cry.
What Exactly is Ransomware? And Why Does it Make me Wanna Cry?
Ransomware is, as the name suggests, a nefarious bit of software written to withhold access to the target’s computer and/or the files thereon until a ransom is met or the files are all totally erased. This means that to be the target of a ransomware attack is to effectively be put in the position of having to either pay up to hackers (typically through bitcoin or other cryptocurrencies), or to completely reboot your systems, strip them of all software and operating systems, and rely on a complete backup to restore use to pre-attack levels. The specifics of the Wanna Cry Ransomware attack in particular are actually kind of interesting and a little humorous. Interesting in that this was a malware agent originally stolen from a government agency, and amusing in that, according to many security experts, this was a shoddily written bit of code and a poorly executed attack. All of that may be fine and dandy for the movie rights that are inevitably going to be purchased by someone with more dollars than sense, but it still doesn’t help the literally tens of thousands of companies that were affected by Wanna Cry and don’t find this very entertaining at all. Which, of course, leads us to the protecting-of-your-neck portion of our program.
An Ounce of Prevention…
Is, as the saying goes, worth a pound of cure. For those of you still baffled by the imperial scale (why aren’t we on metric yet?), ounces are much lighter than pounds, thus suggesting that doing a little work up front will often save you way more time and energy on the back end. This is just as true for exercise as it is for cyber security. What is most baffling about this particular attack, however, is that it exploited a vulnerability in Microsoft users’ software that was identified and corrected in March of this year. That means that the perpetrators of the attack are equivalent to a burglar coming to your door with a police officer, the officer introducing you to the thief who had plans to rob your house, indicating exactly which open and unlocked window that thief intended to use, and then three months later you still got robbed thusly. Look, I don’t want the criminals to win, ever, but we have gone over how software updates work before. Seriously, we don’t want to finger wag you to death here, but preventing cyber attacks can sometimes be as simple as updating your software and operating systems. The point here is that the security patch was available long before the attack occurred, so if a business was regularly updating their software with security patches, then they would have been totally protected against this. Have I made my point? If not, just remember that if you choose not to update your software, just plan on either conducting regular system back-ups so you can erase and restore your network any time you get a virus or just plan on keeping a pretty big slush fund of cryptocurrency so you can pay to get your computers back whenever they fall under attack. All that being said, there’s one more added layer of security to consider that is failing to make it to the headlines about this attack that could save you a mountain of headaches moving forward.
In a nutshell, email authentication is a series of security measures that are taken to ensure that email addresses cannot be replicated, falsified, or cloned by malicious actors. If you recall, I mentioned that Wanna Cry was sent from what appeared to be known addresses. This appearance of familiarity is one of the biggest risks of unauthenticated email. Most larger email clients provide simple ways to check the verification status of an email, and for the most part, verifying email is also as simple as double checking the specific address of the sender. However, without an authenticated email service in place, when an employee gets an email from what appears to be the company CEO, they aren’t typically quick to scrutinize the veracity of the email in favor of responding to whatever request they have as quickly as possible. Many smaller businesses without dedicated IT staff are most vulnerable to malicious email from an unauthenticated source because the process of authenticating email has traditionally been complicated and cumbersome. However, more and more, email client providers are offering simple steps to email authentication. This added layer of security will likely prevent more phishing, Trojan Horse, and just general SPAM from getting into your company’s inboxes than anything else, so it’s worth the time and energy to get it going, soon.
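To make the "email from the CEO" scenario concrete, here is an added example (not part of the original post) that reads the verdicts a receiving mail server records for the standard authentication checks (SPF, DKIM and DMARC) and compares the display name with the real sender address. The company domain, mail server name, executive name and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this sketch; replace with your own.
COMPANY_DOMAIN = "example.com"
TRUSTED_AUTHSERV = "mx.example.com"   # the server whose verdicts we trust
PROTECTED_NAMES = {"pat rivera"}      # hypothetical executive worth impersonating

# Constructed sample messages (not real mail).
SPOOFED = (
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net;"
    " dkim=none; dmarc=fail header.from=example.net\n"
    "From: Pat Rivera <pat.rivera@example.net>\n"
    "Subject: Urgent request\n\nPlease open the linked document.\n"
)
GENUINE = (
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "From: Pat Rivera <pat.rivera@example.com>\n"
    "Subject: Quarterly numbers\n\nSee you at the meeting.\n"
)

def auth_results(msg):
    """Collect method -> verdict pairs, e.g. {'spf': 'pass', 'dkim': 'none'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        server, _, rest = header.partition(";")
        if server.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can forge this header; trust only our own server's
        for part in rest.split(";"):
            fields = part.split()
            if fields and "=" in fields[0]:
                method, _, verdict = fields[0].partition("=")
                results[method.lower()] = verdict.lower()
    return results

def review(raw):
    """Return the reasons to distrust a message; an empty list means none found."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if name.strip().lower() in PROTECTED_NAMES and domain != COMPANY_DOMAIN:
        reasons.append("display name matches an executive but the address is external")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            reasons.append(f"{method} result is {verdicts.get(method, 'missing')}")
    return reasons
```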
Protect Ya Neck
Because, that’s the name of the game, right? You can scrutinize your inbound email all you want, but eventually even the most diligent of employees will miss something. Either because the sophistication of attacks varies or because your employees’ attention should, rightly, be on their work more than anything else, you can’t plan on simply catching all nefarious emails manually. That’s why following these basic best practices will pay huge dividends in the form of time and headaches saved:
- Update Your Software Regularly: Which is, as we’ve discussed at great length, the first and often best line of defense to keep your systems running healthily and well into the future.
- Back Up Your System Regularly: This is the essential way to hedge against any unknown attack. For whenever something does go awry with your cyber security, or even if you have another disaster at the office that damages your equipment, you can always restore your system provided you make regular back-ups of your data.
- Invest In Extra Authentication Methods: Whether it be email authentication for your email server or dual-factor authentication for all of your critical log-ins, added authentication is just the extra layer of defense that most hackers find to be enough to move on to lower-hanging fruit.
Have your own best practices that you’d add to the list? Let us know on Twitter or Facebook. Either way, make sure to keep posted here and on those social channels for more security updates because, as we always say, it’s a jungle out there. Remember to protect ya neck.