With the recent Ransomware WannaCry attack hitting a big public sector organisation like NHS which was made public by the media, everyone is now paying extra attention to information security.
Ransomware attacks are not new, the first attack was in 1989. However, they are constantly evolving their forms to make the attack more successful. As always, prevention is better than cure, and here at Dionach we have developed a new type of service for which the ultimate goal is to ensure that any type of organisation is prepared and well organised to tackle a possible Ransomware attack.
The service is called Ransomware Readiness Review and consists of five sections:
- Information Security Policies Assessment
- Endpoint Security Assessment
- Endpoint Security Central Management Assessment
- Backup Assessment
The review provides the organisation with a readiness score and risks in each area, with a list of prioritized actions to complete to decrease the impact and likelihood of a ransomware attack.
Information Security Policies Assessment
During this phase, the consultant’s goal is to ensure that solid policies and procedures to tackle the threat of malware are developed by the organisation and made available to the employees. Policies and procedures should state acceptable use of Internet, emails and instant messaging. Also, they should cover the installation of software, recommendations when opening attachments, such as Office documents with macros, or clicking on links in messages from untrusted sources. The policies should also require that staff report potential attacks to the IT department or person responsible for information security. Finally, policies and procedures should cover staff training and security awareness at induction and subsequently.
Endpoint Security Assessment
In this section, the consultant reviews the technical security configuration and hardening of the organisation’s standard builds. If standard builds are not part of the organisation’s process, a sample of endpoints is reviewed. At this stage the consultant performs a number of technical checks against the endpoints. Some of them involve the following aspects:
- Missing critical operating system or third party patches
- Antivirus and antimalware
- Privilege escalation vulnerabilities
- User permissions
- Application whitelisting
- Browser plugins
- Egress filtering
Endpoint Security Central Management Assessment
When the security of the endpoint is guaranteed, the next step is to ensure the surrounding devices are not also vulnerable to potential infections. The consultant reviews whether a central management of Microsoft or third party software updates is deployed, monitored and updated. The checks also include a central antivirus console, web proxy and mail filtering. Finally, a check on remote access with single factor authentication.
A distinctive feature of ransomware attacks is that data is typically encrypted with strong encryption. In some instances, keys, typically private keys, have been leaked on the Internet. So if you are lucky that you have been hit by an old version of the malware there might be a remote chance that you will get your data back. However, even if you pay the ransom, it is not guaranteed that decryption keys will be provided and that data will be recovered. Backup is the first and only weapon that an organisation has in case of a compromise. As part of this process the consultant reviews the current backup process to ensure that no major damage could be caused by loss of data. The consultant also checks whether the backup process is regularly tested.
The best way to examine whether your organisation is susceptible to Ransomware attacks is to simulate real attacks. A typical attacking vector of Ransomware is via emails which generally are not targeted, as their ultimate goal is to infect as many devices as possible. Targeted attacks will require a phase of information gathering and the content of the email will not be typically suitable for further attacks. For these reasons the content of the emails are blatant, commonly about invoices, security or jobs with malicious attachments. Dionach simulate these types of attacks by sending phishing emails to the organisation’s employees with the goal of getting clicks and compromising endpoints. The objective is to determine the susceptibility of the organisation to ransomware attacks .The service also provides training to employees which shows real examples, common attacking vectors and recommendations on how to detect and react in case of an attack.
Unfortunately, Ransomware attacks are extremely popular due to the low level of skills required. Dionach’s Ransomware Readiness Review service will uncover the weaknesses of your organisation and help you to build solid layers of security controls to prevent and mitigate the effects of a ransomware attack.