Knowledge Base

How a Managed Services Approach to Ransomware Protection Would Have Blocked WannaCry

June 7th, 2017

by Nick Seal, Practice Director, Managed Services;  Terry McBride Sr. Sales Executive

 

Beginning on May 12, 2017, in more than 150 countries around the world, business operations for companies of all shapes and sizes ground to a halt.  Over 230,000 computers were infected in only a few days by a particularly malicious crypto-worm known as WannaCry.  Despite protections that blocked initial versions of the worm, even some of the largest corporate entities across Europe were eventually breached by later permutations.  In addition to thousands of smaller companies, victims of this attack included the British National Health Service, FedEx, Telefonica Spain, and Deutsche Bahn.

WannaCry utilized a Windows Server Message Block (SMB) exploit, a known issue that had been addressed by Microsoft in March of 2017 with a security patch.  However, due primarily to lax approaches to Endpoint Security and Patch Management, millions of machines around the world remained unpatched and vulnerable to the worm which, once inside, encrypted critical client data and demanded payment for its release.  The propagation of WannaCry became so severe that Microsoft broke corporate protocol to release a critical security patch for unsupported systems still running on Windows XP and Windows 2003.

 

Cyber-Crime will cost the global economy over 6 TRILLION dollars by 2021.

 

New malware and worms are released “into the wild” on a daily basis.  Even in the short weeks since WannaCry, two major pieces of malware, Fireball and EternalRocks propagated using similar exploits.  In the case of WannaCry, a hacking group known as the Shadow Brokers leaked the Windows exploit, which was discovered originally by the United States’ National Security Agency (NSA), but not reported to Microsoft.  It is believed that the Shadow Brokers group first learned of the exploit when it was revealed in a large dump of NSA tools by Wikileaks.  Analysts estimate that cyber-crime will cost the global economy six trillion dollars by 2021.  Considering the current estimated value of the global economy is only 78 trillion dollars, the implication is clear.

The nature of worms such as WannaCry is that they can cause a major security breach via even a single vulnerable machine on a network.  There was already a two-month old security patch from Microsoft when WannaCry began to spread in mid-May.  However, unless machines were fully patched from that version forward, they were left critically vulnerable.  While device-based edge security is a common area of focus, companies typically do not work proactively at aggressively patching and securing end-points, because it can be a cumbersome difficult task that is time-consuming for any size IT team.

 

CIS takes a layered pro-active approach to help clients protect themselves as much as possible from the next malware/ransomware outbreak.

 

The CIS Managed Services team takes a security-oriented pro-active approach to managing the endpoint.  CIS engineers and technicians work with clients to make recommendations on what can be reasonably done to mitigate the likelihood of falling victim to an attack.  CIS experts continually monitor the state of global malware attacks, as well as work with organizations such as Microsoft when critical patches are released.  As part of the Managed Services program, the CIS team works with clients to regularly review and update patches to the most current secure version.  As one of the most popular attack vectors centers around the user, not the machine, end-user training and awareness seminars are an added service that significantly improves client’s odds of avoiding the next attack.

CIS takes a layered approach to management and security of the endpoint.  Among the first tasks for any new managed services client is a full review of the entire environment, with the goal of creating a common baseline of software versions, patches, and security.

Supported Software:  CIS recommends that clients use only manufacturer-supported software that gets security updates, such as Windows 10 and Windows Server 2016.  This also extends to 3rd party software such as modern versions of line-of-business applications.  If there are any machines that use Windows XP, Windows 2003, or other non-supported Operating Systems, they must be replaced or upgraded immediately.

Patching: CIS’ approach to patch management is that monthly is good, weekly is better, and daily is best.  While daily patching is not practical for all organizations, CIS strongly recommends setting up at least monthly patch cycles for workstations and servers.  Companies following this simple rule in March would have been completely protected from WannaCry in May.

Email Protection:  All email must be filtered and scanned, at a minimum by native tools within a service such as Microsoft Office 365 or Google Apps, but ideally utilizing additional layers of protection such as MimeCast or SpamStopsHere.  All links in emails should be scanned to ensure that they are not hiding malicious executable code.  End user IT Security Best Practices education should be rigorous and continual.

Anti-Virus:  CIS recommends anti-virus solutions that are not reliant on public definitions, as many traditional anti-virus products are.  When a new virus is released, if the A/V application doesn’t have a definition for it already it will be vulnerable, this is known as a zero-day attack.  CIS recommends a specific Anti-Virus product, which will not be named here, in the interest of client security, which is cloud-based and uses behavior analysis, rather than definitions, to identify malware and viruses, as it scans everything in use.

Anti-Malware:  All CIS Managed Services clients receive an additional layer of protection with an Anti-Malware platform that does utilize definition-based scans, as a secondary protocol, in the event that the primary cloud-based A/V application does miss something.

Edge Appliance:  Depending on the size and operational budget of a client, CIS recommends either SonicWALL or Cisco current-generation firewalls, with full security services, to block malicious code before it gets to the network.

End-Users:  User behavior and training can have a huge impact on security.  Supporting users directly and regularly conducting best practices seminars and hands-on training can help ensure users are following smart computing practices.

Security Testing – In addition to the standard pro-active services provided by the Managed Services team, CIS has a Network Security focused team that conducts high-level network penetration testing, vulnerability analysis, phishing and spear-fishing testing, and other social engineering, to help ensure that security standards are met or exceeded.

While there may be no such thing as TOTAL security, CIS’ philosophy is that if breaching the network is made difficult enough, the odds are strongly in your favor that the attack will simply move along to the next potential victim.  Taking a Managed Services approach to endpoint and network security will help ensure that critical company data is protected against attack vectors of all sorts.


“WannaCry” but Keep Calm & Don’t Panic…

May 15th, 2017

As you have no doubt read recently, we have an unprecedented global malware situation that has been directly impacting human lives around the world over the last few days.  As your trusted technology advisor, CIS will provide further information as more details become available.  Action must be taken as quickly as possible to protect exposed systems, we have given this maximum priority and are leveraging the entire CIS team to address all possible solutions in the most expedient manner possible.

An email to clients this morning included a screenshot of the National Health Service of the U.K.’s website’s posted outage message as one example of what has been taking place all over the world.  In this one case, a hospital’s non-emergency operations have been suspended and ambulances are being diverted as a result of the malware’s existence.  In other words, this cyber-incident can now be classified by some as “deadly.”  There are widespread examples of similar impacts to critical services from around the world, however they are currently of little consequence.  The most important thing to focus on is:  What happens now?

Immediate actions we recommend be taken include the following.  Be advised, while these items will help lessen risk they are NOT a guarantee that malware will not morph [change] into something else that will penetrate a network.

  •  Do not click on links, even though they appear legitimate.  Check to see where these links may take you.
  • Do not click on links sent via email, even if they are sent from friends.
  • Do not open attachments.
  • Deactivate all WI-FI equipment [tablets, cell phones, etc.] wherever possible.
  • Stay vigilant and propagate best practices to colleagues.

Please know that Computer Integrated Services is doing all we can to protect you.  We are enlisting all possible avenues to do our due diligence and keep you safe.  As information and mitigation procedures become available we will keep you informed.  At this point, nobody can state with 100% assurance, even with these best practices, that you will not be affected.

If you have any questions regarding this issue, please feel free to contact us.  We thank you for your business and your trust.


CIS and BeyondTrust host webinar focused on IT Privilege Abuse in Higher Education

April 26th, 2017

Cyber Security Expert, and BeyondTrust Vice President of Technology, Office of the CTO, Morey Haber

 

I’m reaching out to invite you to a webinar that BeyondTrust and CIS are hosting for a small group of IT and security leaders at Mid-Atlantic colleges and universities: Preventing IT Privilege Abuse in Higher Education.”  Please pass on to your team members!!

Below is a presentation overview and login details, plus links to a couple relevant analyst reports. I hope you can make it! If so, please hit “accept” so we know to expect you.

The presentation will cover how PowerBroker Privileged Access Management (PAM) solutions from BeyondTrust can help you to:

  • Secure faculty, staff and student access to sensitive systems
  • Store, manage and rotate privileged passwords and SSH keys
  • Monitor privileged account usage and flag in-progress threats
  • Enforce least-privilege policies without killing productivity
  • Address FERPA, PCI, HIPAA and other mandates impacting higher Ed,

We’ll start with a short overview from Morey Haber, VP of Technology at BeyondTrust, followed by a quick demo of how our integrated password management and least privilege solutions work together to prevent data breaches.

In the meantime, check out these PAM reports from Gartner and Forrester:


Navigating the 23 NYCRR 500 Financial Regulations w/ CIS & BeyondTrust

March 10th, 2017

The New York State Department of Financial Services (DFS), has released legislation:  23 NYCRR 500 to combat the persistent threat posed to information and financial systems by nation-states and independent criminal actors.  This regulation is designed to:

  • Promote the protection of customer information
  • Promote the protection of information technology systems of regulated entities
  • Require each company to assess its specific risk profile
  • Require each company to design a program that addresses its risks in a robust fashion
  • Require annual certification confirming compliance with these regulations by senior management

CIS and BeyondTrust have been monitoring the requirements of this new legislation, and recommend that anyone in the financial industry read the attachment below as a first-step in implementing a plan.

To discuss further, please contact a CIS rep at:  sales@cisus.com or 212-577-6033

NY State Financial Cyber Security Requirements


CIS Network Security Bulletin

March 8th, 2017

Welcome to the first of our Security Bulletins, prepared by CIS’ Chief Information Officer, Anthony Fama.  The purpose of these ongoing bulletins is to help strengthen IT Security awareness within our client base.  CIS strives to provide our clients with the critical information they need, in an actionable format, to support the decision making process, and ensure stability, efficiency, and security of client environments.  For further information, please contact your Account Manager or the CIS Service Desk.  Click the link below to access the full bulletin.

CIS Security Bulletin – 4-2017 (opens separate PDF)


Strategic Partnership with CIS enhances the BeyondTrust partner program and helps organizations mitigate threats involving privileged access.

March 2nd, 2017

PHOENIX, March 1, 2017 – BeyondTrust, the leading cyber security company dedicated to preventing privilege misuse and stopping unauthorized access, today announced a new partnership with Computer Integrated Services (CIS), aimed to help more customers prevent privilege misuse and stop unauthorized access. As the BeyondTrust partner with the top-tier organization with a proven track record of successful joint identity and access management (IAM) and privileged access management (PAM) deployments, customers can trust CIS to accelerate deployment results, speed time to value, reduce ongoing costs and improve efficiencies.

BeyondTrust Adds CIS to Portfolio of Trusted Identity and Access Management Partners


LIVE Webinar: Klein School Dist. Cuts Costs w/ IAM

February 27th, 2017

After calculating that the school district spent US$525,000 per year for staff to manage individual accounts, the IT team began to seek a centralized identity and access management solution that would automate and maintain the lifecycle management of all user accounts.

This joint webinar on March 7th will feature the following:

  • Brief presentation from Chris Cummings, Director of Information Technology at Klein
  • Insight into how Klein overcame major identity and access management issues
  • Q&A session between CIS and Mr. Cummings overviewing the implementation of the solution

Register now for the Klein School District Cuts Costs With IAM Service webinar.

Date:  March 7th, 2017;  Time:  1pm EST

 


Following a Resource Grant in the RRSD Driver pt 6

February 17th, 2017

This weeks article at NetIQ’s Cool Solutions site is:

https://www.netiq.com/communities/cool-solutions/following-role-grant-rrsd-driver-part-6/

A sixth article in a series that follows the events in the trace files to help understand how the Roles and Resource model works under the covers. This is part of the product that is entirely undocumented.  This particular article is looking at events related to Resource associations.

The entire series can be found here:

https://www.netiq.com/communities/cool-solutions/series/following-a-role-grant-in-the-rrsd-driver/

If you have ever wondered what happens in the IDM engine when you use the Roles model, take a read, you might be informed.


CIS’ Geoffrey Carman Releases his second Book On Identity and Access Governance

February 10th, 2017

CIS is delighted to announce the publication of Geoffrey Carman’s second book, which can be found for purchase here.  Geoffrey is one of the most well regarded and widely read minds in the field of Identity and Access Governance.  His first book, “Definitive Guide to IDM Tokens,” published in 2014, remains the authoritative work on the subject.  For this next effort, Geoffrey focused on creating something he felt was lacking, a manual for IDM Validator, hence the book’s name “IDM Validator:  The Missing Manual.”  The work delves into covers testing methodologies and reviews all actions in Validator with highlighted examples; it is sure to be a fixture in the technical library of anyone working with Validator for years to come.

 

Click here to learn more about CIS’ Identity team and their capabilities.


CIS Scheduled for IT Security/Compliance Presentation to Midtown Regulatory Group

February 3rd, 2017

CIS is pleased to announce that Alex Errico, a Senior Sales Executive who has been with the firm for 3.5 years, will be giving his second presentation on IT Security and Compliance to the Midtown Regulatory Group (MTRG).  The MTRG is a group of over 800 senior compliance and legal officers and lawyers from brokerage firms located throughout the United States that meet monthly to discuss regulatory issues.  Following a very successful introductory discussion and subsequent presentation to the collected group in 2016, Alex was invited back to present to MTRG on April 5th, 2017.  Alex will cover current and emerging trends in the world of IT Security, and will review the numerous ways in which CIS helps clients meet and maintain compliance.

Click for more information on CIS’ Network Security and Data Communications offerings

Click for more information on CIS’ Identity and Access Solutions