May 23, 2018
The mainstream news has been falling over themselves to report on the ransomware attack that, most prominently, hit the UK’s NHS. While the 24-hour news cycle will surely forget about this in the coming days and weeks, it is something that is always at the forefront of the mind of any good technologist. Of course, the question on everyone else’s mind is: what can we do to stop these attacks?
While there is no single answer that fits every business, there are certainly some basic steps everyone should take. This recent attack targeted a vulnerability in the Microsoft Windows operating system, made known by a supposed leak of NSA documents. Let’s put aside the issue of the NSA potentially keeping a known, massive vulnerability secret and focus on what needed to happen before and after the problem was known.
First off, all current Windows OSes were patched back in March. Full stop. If you had an up to date system, and had your automatic updates turned on, this wouldn’t have affected you. But then why, we ask, did this wreak so much havoc? Simply put, because there are many out of date systems still in operation. That may be an old, unsupported (by Microsoft) copy of Windows, or it may be that someone has turned off automatic updates.
Let’s address the “old Windows” scenario. Many businesses and other institutions keep old versions of Windows around for various reasons. Windows XP is installed on many business critical machines such as CNC mills, and also on shop floor computers for employee data entry. While these systems are badly out of date, technologically speaking, they still fill a valid business purpose. However, they are often neglected by IT departments, when in fact they should in some cases be given even more attention than other systems.
So, what’s an IT department to do with these out of date systems? Of course, all the typical best practice stuff applies such as having up to date virus protection, and installing whatever application updates are available. Beyond that, there are some other steps that can be taken.
These computers should be isolated from the outside world (i.e., the Internet) as much as possible. Place them on a separate network (or VLAN) if possible, and do not allow any Internet access from them. Also, isolate them from other machines that do have Internet access. If, for example, a newer computer does get an infection, you don’t want it to spread to these seemingly business critical computers. In cases where access to the computer from the larger LAN is necessary, route the traffic through a firewall which only allows as much access as needed.
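As an added example (not code from the original post), the following models the isolation design just described: a default-deny policy for any flow touching the legacy VLAN, with one explicit allow-list entry for the LAN host that genuinely needs access, and renders the same policy as an nftables ruleset. The subnets, the front-end host and its port are assumed values for illustration.

```python
# Added example: default-deny isolation of a legacy (e.g. Windows XP) VLAN.
# All addresses, hosts and ports below are assumed for illustration.
import ipaddress

LEGACY_VLAN = ipaddress.ip_network("10.20.0.0/24")  # assumed: shop-floor / CNC machines
OFFICE_LAN = ipaddress.ip_network("10.10.0.0/16")   # assumed: general LAN with Internet access
# Assumed allow-list: (LAN source host, TCP port on the legacy VLAN) that is actually needed,
# e.g. a data-entry front end polling the shop-floor application. Nothing else gets through.
ALLOWED_INBOUND = [("10.10.5.10", 5000)]


def allowed(src: str, dst: str, dport: int) -> bool:
    """Decide whether a *new* connection src -> dst:dport may be forwarded.

    Legacy hosts may not initiate anything (no Internet egress, no lateral traffic),
    and the only traffic allowed into the legacy VLAN is the explicit allow-list.
    Flows that never touch the legacy VLAN are out of scope and pass unchanged.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LEGACY_VLAN:
        return False
    if d in LEGACY_VLAN:
        return (src, dport) in ALLOWED_INBOUND
    return True


def nft_ruleset() -> str:
    """Render the same policy as nftables rules; every drop is logged for review.

    The established/related rule lets replies to allowed connections return, so the
    legacy hosts can answer the front end without being able to start anything.
    """
    lines = [
        "table inet legacy_isolation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        f'    ip saddr {LEGACY_VLAN} log prefix "legacy-egress-drop " drop',
    ]
    for host, port in ALLOWED_INBOUND:
        lines.append(f"    ip saddr {host} ip daddr {LEGACY_VLAN} tcp dport {port} accept")
    lines.append(f'    ip daddr {LEGACY_VLAN} log prefix "legacy-ingress-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
```

The logged drop prefixes give the SOC a simple signal: any "legacy-egress-drop" entry means a machine on the isolated VLAN tried to reach out, which is exactly the behaviour a worm like the one described here would exhibit.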
A priority should also be placed on upgrading the operating systems on these systems if at all possible. Often this requires the application specific software to be updated as well, which is why it is also important to keep current with vendor maintenance agreements for software. The upgrade process is a far reaching one, and application vendors must be included in the conversation.
Once the OS is current (or if it was current to begin with), there is another critical protection: automatic updates. While some IT folks will freak out at the recommendation, we say the benefit far outweighs the risks. In the past, there have been a few updates that messed things up for a few days, but overall they’re not that bad. (Besides, isn’t that what good backups are supposed to cover?) We’d be willing to bet that anyone infected with WannaCry would give anything to go back and undo the choice to turn off automatic updates.
Of course, having up to date systems is just a start. Good backups, applied best practices, user awareness training, and proper system isolation are also key. We apply those and other concepts to our clients’ systems and can boast that those who take our advice rest easy.