The “WannaCry” ransomware campaign has targeted a number of organisations internationally including the UK’s National Health Service and Spanish telecommunications provider Telefónica. The Australian Cyber Security Centre (ACSC) confirms there are a small number of cases affecting Australian small businesses, and many Australian networks could be at risk of infection.

In light of this recent attack, organisations can minimise the risk of being infected by taking the same precautions necessary to guard against malicious software in general. CIO’s in Australia can protect their organisations by following the Australian Signals Directorate’s Strategies to Mitigate Cyber Security Incidents, which include:

1. Patching operating systems and applications to the latest versions;

2. Not exposing protocols such as SMB to untrusted networks including the Internet; and

3. Implementing application whitelisting to prevent execution of untrusted code.

Who is at risk?

The campaign leverages publically known vulnerabilities in Microsoft Windows to spread an infection to other hosts. It poses a greater threat to small SMEs compared to large organisations, particularly those that run on Microsoft Windows. In response, Microsoft has recently released patches to their products to mitigate these vulnerabilities and Australian organisations are encouraged to update their products to prevent further attacks from this campaign.

The ACSC Threat Report states that “in cyber security, prevention is better than a cure”. They go on to explain that relatively few organisations sufficiently plan or prepare for a significant cyber security incident. This can be said for Australian IT Leaders, as recent reports from the ACSC have identified a small number of cyber-attack cases arising in Australia.

For IT Leaders to prepare and respond to cyber-attacks, the following strategies are recommended by the ACSC:

1. Set up monitoring to access the organisation’s environment for cyber threats;

2. Have processes in place to detect when an incident may have occurred;

3. Assign primary responsibility for incident response;

4. Maintain an up-to-date Incident Response Plan and System Security Plan and Standard Operating Procedures;

5. Identify critical systems; and

6. Identify key stakeholders including communications and legal.

Legacy Systems

Legacy systems are at a higher chance of exposure to the campaign as the ransomware was designed to work against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems. Network Architects running outdated operating systems are firstly urged to make the security upgrade for platforms in custom support (Windows XP, Windows 8, and Windows Server 2003) to protect their applications in the short term. Secondly, they can obtain the latest protection from Microsoft and upgrade to Windows 10.

In the longer term, Network Architects are encouraged to keep all computers up-to-date, which provide the benefits of the latest features and proactive mitigation built into the latest versions of Windows. They can also install antivirus protection software and automatic updates enabled to be protected against threats like this in the future.

Mitigation

The majority of conscientious organisations have a particular set of mitigation strategies, policies and procedures in place to treat threats such as this. To maintain a strong cyber security posture, increasing awareness of potential vulnerabilities and implementing additional IT architecture security measures can be vital to deter and prevent incidents on infrastructure.

Organisations could use antivirus and malware prevention software such as:

1. Device Guard to lock down devices and provide kernel-level virtualisation-based security, allowing only trusted applications to run, effectively preventing malware from running.

2. Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.

3. Continually monitor networks with threat protection software, which alerts security operations teams about suspicious activities. Organisations should use vigilance when opening documents from untrusted or unknown sources.

To ensure organisations and their systems are protected, IT Program Managers should have in place a set of mitigation strategies. The Australian Signals Directorate suggests an order of implementation for each threat to build a defense against cyber security incidents. The Essential Eight Mitigation Strategies include:

1. Application White-listing A whitelist only allows selected software applications to run on computers. All other software applications are stopped, including malware.

2. Patch Applications A patch fixes security vulnerabilities in software applications. Adversaries will use known security vulnerabilities to target computers.

3. Disable Untrusted Microsoft Macros Microsoft Office applications can use software known as ‘macros’ to automate routine tasks. Macros are increasingly being used to enable the download of malware. Adversaries can then access sensitive information, so macros should be secured or disabled.

4. User Application Hardening Block web browser access to Adobe Flash Player (uninstall if possible), web ads and untrusted Java code on the Internet. Flash, Java and web ads have long been popular ways to deliver malware to infect computers.

5. Restrict administrative privileges Only use administrator privileges for managing systems, installing legitimate software and applying software patches. These should be restricted to only those that need them. Admin accounts are the ‘keys to the kingdom’, adversaries use these accounts for full access to information and systems.

6. Patch operating systems A patch fixes security vulnerabilities in operating systems. Adversaries will use known security vulnerabilities to target computers.

7. Multi-factor authentication This is when a user is only granted access after successfully presenting multiple, separate pieces of evidence. Typically something you know, like a passphrase; something you have, like a physical token; and/or something you are, like bio-metric data. Having multiple levels of authentication makes it a lot harder for adversaries to access your information.

8. Daily backup of important data Regularly back up all data and store it securely offline. That way, an organisation can access data again if it suffers a cyber security incident.

The bigger picture

The ACSC states that terrorist groups seeking to harm Western interests currently pose a low cyber threat. Cyber Terrorist capabilities generally remain rudimentary and show few signs of improving significantly in the near future.

For the time being, this threat thankfully remains more hypothetical than real. What is needed in the meantime is a considered discussion and realistic appraisal of the diverse threats to Australia’s cyber security.

If organisations are affected by the “WannaCrypt” ransomware incident, they should contact their service provider immediately. Small businesses can contact Australian Cybercrime Online Reporting Network; larger businesses are advised to follow their normal procedures.

References

1. https://www.acsc.gov.au/news.html

2. https://www.acsc.gov.au/ransomware-campaign-impacting-organisations-globally.html

3. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

4. https://www.acsc.gov.au/publications/ACSC_Threat_Report_2016.pdf

5. https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

6. https://asd.gov.au/publications/protect/essential-eight-explained.html