Hopefully, you have recovered from the WannaCry incident last Friday if you were affected. The Softcat team had a busy weekend helping customers to respond and recover as quickly as possible. I think the response efforts cost us a couple of hundred quid in emergency pizzas for our staff and for customers who had to work late! Now that the dust has settled (not that you should stop being vigilant for copycat attacks), I thought it might be useful to outline some of the steps you can take to minimise the risk of something like this happening again.
The first thing you should think about is your patching strategy. There's a reason these patches come out! Microsoft had patched the vulnerability utilised by this attack back in March. The longer you leave systems unpatched, the more you are exposed – at the very least you should be deploying the smaller number of 'critical' security patches. Now I know this stuff can be hard work so it's probably not a bad idea to have something in place to manage this for you, like SCCM. Anything that reduces the time taken means that you're more likely to be able to keep on top of your patching, without disrupting your users, which in turn means you are more likely to have this covered.
Secondly, consider your antivirus and endpoint protection approach. 'Traditional' antivirus relies on DAT files – signatures of known exploits that it scans against. In a fast-moving attack like this, your antivirus (AV) might not be up to date enough to catch it. So-called 'next generation' AV protects based on what the components of a file are likely to do, using machine learning to predict the outcomes. While no approach is ever going to provide 100% protection, indications are that those who were using this technology were not affected. This could be an important part of your strategy, particularly if you are forced to continue to run Windows XP. Don't forget your email security strategy, as email attachments are a significant dissemination vector. It's a long shot, but you might want to think about educating your end users on what 'bad' looks like.
Thirdly, think about how you deliver your applications. This is particularly relevant if you are still marooned on Windows XP due to some 'historic' application vendors that just won't shift. Use published apps, or app streaming, to deliver those recalcitrant applications to a more modern operating system. Done correctly, as part of a mobility or Digital Workspace strategy, you can derive more value from this as it can help to mobilise your people and reduce your operational costs. A centralised desktop delivery approach can also help to minimise the effort required for patching. And don't forget application whitelisting – this can stop unauthorised applications running, which is helpful in blocking exploits such as this.
Fourth (and this is much harder and more complicated), try to move to a model whereby security is embedded in your network. You must assume you will be breached at some point – so ensure you have the monitoring technologies in place to detect this. Do what you can to reduce the number of your services that are directly routable from your LAN. Segment your datacentre network such that a hacker will find it more difficult to move from service to service – or such that it will be nigh-on impossible for malware to spread in the manner of WannaCry. We have a reference architecture for this approach to enable you to get there quicker – in the current climate of increased regulation and incessant nefarious activity, this is an essential part of your security posture.
If you'd like a conversation about how Softcat can guide you towards reducing your vulnerability to whatever the next strangely-named piece of malware is, please get in touch with your account manager or use the form below to contact us.
So, you survived WannaCry? What next?