Malwaremakers are always one step ahead. It’s a fast and somewhat black and white conclusion, but the increasing hostility online is also a reality that keeps IT managers and staff up at night (both literally and as a figure of speach).
A new generation of malware
If we can learn at least one thing from the latest malware outbreaks, it’s that we’re smack in the middle of a new generation of malware.
Initial malware was fairly harmless, built by bored students and IT enthusiasts in their free time. Later versions ranges from increasingly professional botnets built for financial gain to modern automated digital spies replacing the good old 007’s. However we’re slowly evolving to a world where impacting an opponent is more lucrative than spying on them or merely earning digital currency (that will at some time always get you caught).
WannaCry was certainly not the first but it is a good example of an attempt to cause damage as a primary goal and mask that goal by asking money in the process. Money that will almost certainly stay untouched on a digital wallet until eternity, never withdrawn or used.
NotPetya apparently goes one step further. The trail of destruction increases, the target seems to be political, and anyone impacted as collateral damage just had bad luck. That it also conducted industrial espionage was possibly only a quick win, call it a sidetrack, for the developers.
Expect more, and worse
But what does that mean for us, IT managers, business owners, executives? It shows that we need to get into a higher gear in terms of protective measures. The traditional technical approach is no longer sufficient. Anti-malware software, firewalls, … of course we still need it! But if you don’t have the right controls in place to actually manage your security, backup and recovery efforts, you’re not going to make it.
Look into some of the stories unfolding for some impacted companies. Seems they did not have the right update policies, “forgot” to do disaster recovery tests and simply underestimated the possibility of a total IT blackout and the impact it would have on their business. Nobody likes work that has no direct impact on your business. Everybody’s schedule is already 110% full and face it: tasks such as DR tests, they are a pain in the ass!
Business risks vs technical risks
And that’s were all of the discussions start. When you make a business impact analysis (BIA) and a risk control assessment (RCA), most business owners simply accept the residual risks. But on what basis? In the end it’s all financials of course, but most of the time it even does not come to a financial debate. Risks are simply underestimated or badly interpreted by business owners. Not surprising though; how can you assess a technical risk that you do not understand? There are however a few simple steps to assess each risk from a business perspective and make sure your BIA/RCA is readable for non technical management.
Don’t ignore, dare cope with
A possible list of questions to help assess business impact:
- Do you have a control mechanism to assess risks, with in the end an advisory board with representatives of IT management, business owners and general management?
- As business owner or general management: ask your IT management to explain the risk without using technical terminology.
- As IT management: ask your IT staff the same but prepare a “translation” for your business.
- What is the chance of an incident, the chance the risk manifests itself?
- What is the potential impact of the incident?
- What protective measures are in place? Think of mitigation or transfer of risks.
- What if it really goes bad?
- What is the impact on your business?
- What financial losses can you cope with?
- What could the potential damage to your reputation or name be?
- What backup scenario’s are there? Is there a disaster recovery plan?
- Can you accept residual risks (after mitigation or transfer) or do you need to change, suspend or terminate services due to those risks?
- Are your users, both your end users and your professional staff, aware of those risks as well?
- Are they able to cope with social engineering?
- Can they recognize malicious behavior?
- If they are in doubt, do they know how and when to escalate to IT staff or even IT management?
Such an assessment is often the first basis to start an actual service oriented organization where you make any decision starting from the business need, wrap technology with processes and train your users. But to go back to the original starting point: by including the business owners and general management, you can make the entire company aware that security is essential and that it does not matter whether you’re a multinational or a small venture, malware does not “discriminate” and will hit anyone.
In the end of the end of the end, you’ll always end up with a financial debate, but at least this time it’s based on business insights, not just tech talk. Business will know what service they receive and why there’s a certain funding required, certainly for security that is often mistakenly percepted as a mere cost without return on investment. IT departments on the other hand will understand why certain services are requested and can provide better support.
How to protect?
- decrease impact of an outbreak:
- segmentation: frontend vs backend, production vs backoffice, …
- backups, backups, backups! The number 1 protective measure, but remember backups alone are insufficient.
- decrease chance of an outbreak:
- reduce unneeded administrator rights, certainly for end users
- update automation
- awareness training
- check up on your suppliers policies as well
- prepare for an outbreak:
- business impact analysis / risk control assessment
- change advisory board (business + IT representatives)
- incident management procedures (the basis of every DRP)
- anti-malware software (endpoint protection)
- backups + offsite replication
- check your backups
- check your retention period (to avoid all backups to be infected as well)
- protect your backups (!) even backup systems are targets
- backup restore testing
- disaster recovery plan (DRP)
- at least a formally tested “recover from backup”
- also have a restore procedure ready from offline copies
- basic server hardening
- basic firewall hardening (least privileged principle)
- rights management
- periodic basic internal and external audits
- next generation firewall with advanced threat protection
- web application firewalling
- proxy filtering
- security information and event management
- penetration testing
- advanced rights management
- actual disaster recovery (do not mistake with backup restore)
- quick (<24h)
- available (contains live breakouts, external publishing, …)
- scalable (able to accept the entire load of critical systems within <24h)
- a cold standby system with an automated “one click” launch
- remember that hot standby systems can also be infected so be ready to start from cold sources.
- data scrubbing (inline malware protection)
- disaster recovery as a service
- third party offsite backup services
- capability to startup on the providers IaaS infrastructure
- independant from your own datacenters so less chance of double impact
- other cloud services as alternative for onprem solutions (transfer of risk + spreading risks across multiple platforms)
- managed services as alternative for internal knowledge (and solving employee bandwith issues)
- ability to “call the experts”
- compensation for incident costs
- protection from external claims
The list goes on and can certainly be intimidating. But you don’t need it all to be protected. Just remember: start small, be aware, make others aware and don’t take anything for granted. The majority of protection is attitude, organization and common sense, only the last meters to the summit are due to budgets. Just have a plan and stick to it, enforce it, test it, make it work.