Ransomware is a C-Level Problem, Not a Hacker Issue

By Special Guest
Paul Warnagiris, CEO and Senior Security Analyst, The Teneo Group
July 05, 2017

Is There a Silver Bullet for Ransomware?

CEOs, CIOs, CROs and business owners.  Listen up for a minute.  If you have never been in the situation where your entire IT infrastructure is down, it’s hard to understand the complete and useless feeling.  You can sympathize, but you can’t understand.

If I could only convey the feeling of uselessness…of second guessing. What could we have done better? How are our backups? Is Best Buy open at 3 a.m. to get jump drive needed to restore a critical system? At that moment when you realize “OH NO!*@# … Every system you have is down.” If I could convey the feeling, the topic of ransomware would be very easy.

Until you are there, you cannot imagine what it feels like.  And if you don’t have good backups, your systems are never coming back up.  Imagine that.

Tales from a Petya Outbreak

We were just called in to assist with another ransomware incident.  Today is a different strain, but the circumstances are mostly the same. 

The story is pretty repetitive and I can tell it in my sleep. It goes like this: the technical people have the expertise, the tools are available, the best practices are clear, but the culture doesn’t allow for basic competence.

Today, all of the technical people down in the weeds are super frustrated.  They have been for years, but the job is OK and it pays the bills.  They all joke about the status of their network. They joke when the most talented of them leave for a better environment. They joke when the headhunters send them emails in the middle of the crisis. They joke because the solutions to their problems are obvious. No one will give them authority to do what they need to do. 

They can’t even get a maintenance window to patch systems.

Today is much more frustrating than most.  Today the Petya virus affected all of their systems. All of their systems.

The Petya virus payload had encrypted the MBR (master boot record).  It's the file that is needed to boot the operating system.  This means that for the next 72 hours there will be very little sleep, a lot of free food (because management feeds them) and a whole lot of frustration.

Why is there frustration? Because as I stated above this could have been easily avoided.  All of the technical people know (or knew before being poached by the headhunter) exactly what to do. The fault lies with the executive management team.

Get involved

CEOs, CIOs, CROs and business owners, listen up.  Your technical people know what to do. If you got hit by the latest strain of ransomware or any ransomware, it means that there were failures on many levels.

Is network, data, email, cloud, apps important to you in running your business? Then stop treating it as an expense line item. These apps and interfaces are more and more the face of your company to the customer.

How is the culture in your IT department? Are they telling you what you want to hear? Ask them what the real problems are. Get HR involved, do 360 feedbacks and review them, seriously.

The IT community is unique in that they have a vibrant online community. They troubleshoot issues and post their solutions. They have developed best practices and standards. They help each other with issues. They are always improving their skill set. Encourage them.

What is your status today?

Ransomware is actually not difficult to stop.  It simply takes support from the top.  I’m going to describe the situation I just found myself in and you can ask yourself if you are in a similar situation.

  • Is your network segmented? 
  • Do you have any visibility to see communication between nodes that communicate within your network (east/west traffic)? 
  • Do you log all communication? 
  • Do you have a patch policy and is it followed? 
  • Do you have advanced threat preventions software enabled? 
  • Do you have a single ingress/egress point?

Any NAs - If you don’t know the answer to these questions, I would recommend revaluating your entire IT function.

  • If you have three or more no’s, and you still rely on anti-virus as a stop-gap, you are likely not in good shape.
  • Two or less no’s, and you are likely in good shape. 

Is it difficult to stop ransomware?  What is the silver bullet?

Is there a silver bullet?  Well, yes and no. There is not one simple thing that you can do to protect yourself; there are many.  If you don’t do any, you are at a very high risk, and if you do four out of five you are probably ok.

At the place I left yesterday, the 12 hours of brain-storming, testing, validating could have all been prevented with a few simple steps.  However, it was the perfect storm.  Patches were not applied.  The network design is flawed.  No advanced threat protections were applied.  There was no visibility to east/west traffic.  There were multiple ingress/egress points and at the remote sites Internet traffic was not even logged.  And to top it all off, there were “any, accept” rules in the firewall (meaning you have a firewall that looks like swiss cheese).

How can we take steps today?

To reconfigure a network after 20 years of existence with hundreds of applications is a very hard thing to do.  I completely understand that.  But if you can’t reconfigure your network properly, take other precautions. 

  • Have a patching policy and stick to it. 
  • Have senior management review the patch and scan results and have them signed off on. 
  • Close off split-tunneling so you only have one door to protect. 
  • If you don’t have security devices protecting your core, at least have visibility into it. 
  • If you can’t reconfigure your network properly put advanced threat prevention systems in place that do not allow humans to mistakenly click on something. 
  • And above all, no matter how much pain it takes clean up your firewall rule base until its configured properly and applications are working.

CEOs, CIOs, CROs and business owners.  Listen up.  You can prevent this from occurring, but it starts with you. 

I don’t know of a single company that has a security mandate from the top that has gotten encrypted.

As always, if you have any questions or concerns about this or if you want to know if you are at risk, please contact us.  We exist to secure your network.  We can at least point you in the right direction.

About the Author

Paul Warnagiris is the CEO and Senior Security Analyst of The Teneo Group, an IT Security Services company. Paul has 20+ years of experience in IT security. This time includes the positions of Network Security at UUNet and CISO at Promontory Interfinancial Network. Paul is the author of Teneo’s mission: To secure the networks and data of their clients.




SHARE THIS ARTICLE
Related Articles

Mist Applies AI to Improve Wi-Fi

By: Paula Bernier    11/9/2017

Mist has created an AI-driven wireless platform that puts the user and his or mobile device at the heart of the wireless network. Combining machine le…

Read More

International Tech Innovation Growing, Says Consumer Technology Association

By: Doug Mohney    11/8/2017

The Consumer Technology Association (CTA) is best known for the world's largest trade event, but the organization's reach is growing far beyond the CE…

Read More

Broadcom Makes Unsolicited $130B Bid for Qualcomm

By: Paula Bernier    11/6/2017

In what could result in the biggest tech deal in history, semiconductor company Broadcom has made an offer to buy Qualcomm for a whopping $130 billion…

Read More

How Google's 'Moonshot' Could Benefit Industrial Markets

By: Kayla Matthews    10/30/2017

The term "moonshot" encapsulates the spirit of technological achievement: an accomplishment so ambitious, so improbable, that it's equivalent to sendi…

Read More

After Cisco/Broadsoft, Who's Next for M&A?

By: Doug Mohney    10/27/2017

Cisco's trail of acquisition tears over the decades includes the Flip video camera, Cerent, Scientific Atlantic, Linksys, and a couple of others. The …

Read More