About WannaCry/Wcry/WannaCrypt

This week a major global ransomware attack was reported, known as “WannaCry/Wcry/WannaCrypt”.

What is WannaCry/Wcry/WannaCrypt?

The ransomware spreads using the known and patched vulnerability MS17-010 (in the SMB, Server Message Block, protocol), and researchers report that the encryption used in “WannaCry/Wcry/WannaCrypt” is RSA-2048, which means decryption is impossible unless there is a flaw in the ransomware’s code. This variant of ransomware makes the system unusable unless a ransom is paid.

Who will be infected?

Systems where the SMB protocol is enabled and where the latest patch, MS17-010, which addresses the vulnerabilities in SMBv1, is not installed.

Indicators of Compromise?

Files created:

  • %SystemRoot%\mssecsvc.exe
  • %SystemRoot%\tasksche.exe
  • %SystemRoot%\qeriuwjhrf
  • b.wnry
  • c.wnry
  • f.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • u.wnry
  • taskdl.exe
  • taskse.exe
  • 00000000.eky
  • 00000000.res
  • 00000000.pky
  • @WanaDecryptor@.exe
  • @Please_Read_Me@.txt
  • m.vbs
  • @WanaDecryptor@.exe.lnk
  • @WanaDecryptor@.bmp
  • 274901494632976.bat
  • Files with “.wnry” extension
  • Files with “.WNCRY” extension

Registry keys created:

  • HKLM\SOFTWARE\WanaCrypt0r\wd
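As an added example (not part of the original post), here is a small Python sweep a defender can run over a directory tree to flag the file-name and extension indicators listed above and, on Windows, the WanaCrypt0r registry value. The function names and the “dropped-file / support-file / encrypted-file” labels are my own; the sample paths used to exercise it are constructed.

```python
import os

# Indicator file names from the list above, matched case-insensitively;
# the *.wnry support files are caught by the extension check instead.
IOC_FILENAMES = {
    "mssecsvc.exe", "tasksche.exe", "qeriuwjhrf", "taskdl.exe", "taskse.exe",
    "00000000.eky", "00000000.res", "00000000.pky", "m.vbs",
    "@wanadecryptor@.exe", "@wanadecryptor@.exe.lnk", "@wanadecryptor@.bmp",
    "@please_read_me@.txt", "274901494632976.bat",
}
# ".wnry" marks the ransomware's own support files, ".wncry" the encrypted victims.
IOC_EXTENSIONS = {".wnry", ".wncry"}
IOC_REGISTRY_SUBKEY = r"SOFTWARE\WanaCrypt0r"   # under HKLM; value name "wd"

def classify(name):
    """Return the indicator type for one file name, or None if it is clean."""
    lower = os.path.basename(name).lower()
    if lower in IOC_FILENAMES:
        return "dropped-file"
    ext = os.path.splitext(lower)[1]
    if ext in IOC_EXTENSIONS:
        return "encrypted-file" if ext == ".wncry" else "support-file"
    return None

def scan_paths(paths):
    """Return {path: indicator type} for every path whose name matches."""
    hits = {}
    for path in paths:
        kind = classify(path)
        if kind:
            hits[path] = kind
    return hits

def scan_tree(root):
    """Walk a directory tree (e.g. %SystemRoot% or a user profile) and scan it."""
    found = (os.path.join(dirpath, name)
             for dirpath, _subdirs, files in os.walk(root) for name in files)
    return scan_paths(found)

def registry_marker_present():
    """Windows only: True/False for the WanaCrypt0r 'wd' value under HKLM; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None          # winreg only exists on Windows hosts
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IOC_REGISTRY_SUBKEY) as key:
            winreg.QueryValueEx(key, "wd")
        return True
    except OSError:
        return False
```

A hit from `scan_tree` or a `True` from `registry_marker_present` is a reason to isolate the host and start incident handling, not proof on its own that encryption has completed.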

Preventive Measures?

The following measures can be taken to prevent, or reduce the likelihood of, systems getting infected by ransomware.

Technical Controls

  • Ensure all your anti-malware and anti-virus systems are updated with the latest signatures and virus definitions, and inspect all traffic at host level.
  • Ensure all security patches for the systems are installed and applied.
  • Ensure UAC (User Account Control) is enabled on Windows and set to “Always Notify”.
  • Configure the operating system to show file extensions, so that end users can tell the difference between infected and non-infected files.
    • Sample file names:
    • .pdf – non-infected file
    • .pdf.exe – infected file
  • Ensure AutoPlay is disabled on the systems.
  • Ensure ActiveX and macro features are disabled when working with Microsoft applications.
  • Ensure SMB is disabled on systems.
  • Block all suspicious domains and destination locations on your network security devices.
  • Block execution of all executable files from the following folders: %APPDATA%, %TEMP%, %LocalAppData%, %ProgramData%.
  • Block all peer-to-peer connections, which will prevent infected systems from communicating with C&C servers.
  • Implement email security features like DMARC (Domain-based Message Authentication, Reporting & Conformance), SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).
  • Install Microsoft EMET (Enhanced Mitigation Experience Toolkit) along with your preferred antivirus.

Process Controls

  • Build an efficient backup process that follows the 3-2-1 backup rule: have at least three copies of the most valuable data, keep two of them on different external media, and store one copy offsite. Test your backup data regularly.
  • Implement a computer emergency response team, which should:
    • Identify security incidents
    • Prioritise the incidents
    • Record all incidents and manage them for a better understanding
    • Remediate the incidents with appropriate controls
  • Run security awareness training programmes

Detailed analysis from Microsoft is available at

https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
“Monkeys” for Proactive Cloud Management

IT has been pushed to move from reactive to proactive management and maintenance for more than a decade now.

With the advent of models and technologies such as cloud, big data and IoT, and with the significantly enhanced focus on automation, innovative steps are being taken for the management of IT systems and resources as well.

Service providers such as Netflix are leading such waves of innovative approaches to managing IT resources proactively.

For instance, Netflix engineers created a set of special services called Monkeys to proactively manage the IT resources in their AWS environment. Together, these Monkeys are called the Simian Army.

Though created and tested on AWS and some other platforms, it is meant to be usable on other compatible platforms as well.

There are many types of Monkeys (currently) created and used by the engineers at Netflix. Some of the key ones are:

  • Chaos Monkey:

This Monkey (service) is aimed at proactively automating resolution of and recovery from failures. It randomly terminates virtual machine instances and containers that run inside your production environment (mind it: not in a simulated or testing environment, so don’t try this on an environment without adequate resilience built in). This evolved from the idea that exposing engineers to failures more frequently incentivizes them to build resilient services. Also, automating recovery from those “triggered” random failures during office hours helps avoid the need for manual resolution/recovery intervention at odd hours!

Further details of this can be found here:

Description on Netflix’s application of Chaos monkey can be found here:

There is another service called Chaos Gorilla, which can create an outage across a whole Amazon availability zone!

  • Janitor Monkey:

This Monkey is a service that runs on the AWS cloud looking for unused resources to clean up (a very important activity in cloud administration to ensure cost effectiveness and optimization). It determines whether a resource is a cleanup candidate by applying a set of rules to it. If any of the rules says so, Janitor Monkey marks the resource and schedules a time to clean it up. The owner of the resource receives a notification a predefined number of days ahead of the cleanup time so that, if required, he/she can authorize an exception and prevent it from being cleaned up.

Further details of this can be found here:

  • Conformity Monkey:

This Monkey is a service that runs on the AWS cloud looking for instances that do not conform to predefined rules, standards or best practices. It determines whether an instance is nonconforming by applying a set of rules to it. If the instance is found not to conform, the Monkey sends a notification to the owner of the instance.

Further details of this can be found here:
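As an added illustration (my own sketch, not Netflix’s Simian Army code), here is the rule-then-notify flow that Janitor Monkey and Conformity Monkey share, in Python: each rule returns a reason when it fires, a firing rule marks the resource and schedules cleanup a fixed number of days ahead, the owner is notified, and a recorded owner exception stops the cleanup. The resource fields, the two rules and the inventory are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Resource:
    rid: str
    owner: str
    kind: str                          # e.g. "volume" or "instance"
    tags: dict = field(default_factory=dict)
    idle_days: int = 0                 # constructed metric: days since last use
    cleanup_on: Optional[date] = None  # set once the resource is marked
    exception: bool = False            # owner authorised keeping it

# A rule returns a reason string when the resource fails it, else None.
def rule_idle_volume(r):               # Janitor-style: unused resource
    return "volume unused for 30+ days" if r.kind == "volume" and r.idle_days >= 30 else None

def rule_missing_owner_tag(r):         # Conformity-style: best-practice violation
    return "instance has no 'owner' tag" if r.kind == "instance" and "owner" not in r.tags else None

RULES = [rule_idle_volume, rule_missing_owner_tag]

def evaluate(inventory, today, notice_days=3):
    """Mark each new candidate, schedule cleanup notice_days ahead, return notices."""
    notices = []
    for r in inventory:
        reasons = [reason for reason in (rule(r) for rule in RULES) if reason]
        if reasons and r.cleanup_on is None:
            r.cleanup_on = today + timedelta(days=notice_days)
            notices.append((r.owner, r.rid, r.cleanup_on.isoformat(), reasons))
    return notices

def due_for_cleanup(inventory, today):
    """Ids whose cleanup date has arrived and whose owner recorded no exception."""
    return [r.rid for r in inventory
            if r.cleanup_on is not None and r.cleanup_on <= today and not r.exception]

def run_demo():
    """Constructed inventory: a stale volume, an untagged instance, a clean one."""
    inv = [Resource("vol-1", "alice", "volume", idle_days=45),
           Resource("i-1", "bob", "instance"),
           Resource("i-2", "carol", "instance", tags={"owner": "carol"})]
    day0 = date(2017, 5, 15)
    notified = [n[1] for n in evaluate(inv, day0)]
    inv[1].exception = True            # bob authorises an exception before day 3
    return {"notified": notified,
            "due_day1": due_for_cleanup(inv, day0 + timedelta(days=1)),
            "due_day3": due_for_cleanup(inv, day0 + timedelta(days=3))}
```

Running `evaluate` once a day is idempotent for already-marked resources, so a resource is notified once and then either cleaned up on its date or kept by exception.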

  • Security Monkey:

This Monkey is an extension of the Conformity Monkey, specifically looking for security violations and vulnerabilities.

  • Doctor Monkey:

This service keeps checking the health of each instance through specified parameters (such as CPU utilization).

More info on these and other Monkeys used by Netflix as part of their Simian Army can be read here.

A detailed guide on setting up a Simian Army is also available here.

Happy Monkeying!

Software Piracy – A Mammoth Challenge

We always hear about companies getting penalized for software piracy breaches.

But the real question to be asked is: why do individuals or companies use pirated software even as product companies and regulators become increasingly aggressive against such piracy?

Some of the reasons could be the high cost of the product, inadequate monitoring controls, or the prevalent culture or ethics of individuals and companies.

Why would companies want to pay heavy fines for a piracy breach when there are alternatives in the form of open source? If financial or economic factors were leading to software piracy, then product companies lowering the cost of software could be a possible solution, although it would have an adverse impact on the product company in terms of revenue.

But in fact, cost does not seem to be the prime factor that leads to software piracy. The main reason for software piracy would be that digital assets are not valued much compared to traditional or tangible assets. It is this perceived low value which actually makes people devalue a product and get into the piracy game. Internet access makes pirated software easy to obtain.

There are various different mechanisms used by the product companies to manage the piracy issues, including:

1) Copy protection of the source, making it difficult to copy/replicate to different media

2) A licensing model in which the product requires a product key (software or hardware) to function

3) DRM, which requires a connection between the server and the client

But these methods have their own drawbacks and are not foolproof in today’s age for a product company to prevent software piracy.

So then, what should a company do to prevent piracy?

This is a debatable topic which requires more focus in the Information Security arena.

In fact, the solution would boil down to changing the perception of how software/products are valued by the individuals or companies using them. Companies must define their own governance and compliance policy to ensure that they are not breaching any software agreement.

Some of the simple governance steps to avoid breaches and ensure software and licensing compliance could include:

1) Use a software management system to track the usage of software/licenses

2) Perform audits or use audit tools to ensure compliance

3) Provide awareness to employees about licensing and software purchase

4) And more importantly, purchase the required software and adequate licenses

Software piracy is complex and needs to be studied in more detail to arrive at a comprehensive solution to this mammoth challenge.

Cybersecurity: Will curiosity kill the cat?

A lot has been talked and written about cybersecurity these days.

The buzz has, without any doubt, boosted curiosity and anxiety among people and organizations all around the world to yet another, higher level.

Call it by any name… cyber-attack, cyber-bullying or cyber-crime has more or less always remained the same: obstructing a legitimate process or activity. Moreover, it is not something newly identified; it has been there ever since the first computer was made. So what has caused the sudden hype? As systems and network technologies evolved and became more reachable, the information stored within them became more and more vulnerable.

Loosely speaking, every cyber-attack or cyber-crime revealed in the past indicated the possibility of exploitation of new or existing vulnerabilities that organizations should remediate to make themselves stronger.

So much to learn from others’ mistakes, isn’t it?

Sometimes one tends to wonder what those unfortunate organizations whose systems were exploited and whose information was breached had to go through. Some of them, as we know, did not survive even a year and had to give in to the dust. It is sad!

Talking about cybersecurity, on one hand we see an awkward and unreasonable state of anxiety among people to overprotect their network and security regiments, which I presume could be a precursor to errors of oversight. On the other hand, there are others who are like fire-fighters. They won’t move or act until a real-time attack or incident occurs, which in turn could be lethal for the organization.

So how does one strike a balance across such a wide spectrum of approaches, to get optimum, round-the-clock security without being overwhelmed by the arrangements?

This is where Cybersecurity crops up in the BIG picture.

Let us clarify here… Cybersecurity is NOT about having a “new policy” defined and enforced within an organization. It is about how well the organization complies with existing security policies and procedures in relation to corporate Information, Internet, Network and Systems. All we need is to be careful enough to ensure we do not miss the bare minimum checks, report and take corrective actions for any deviations. Not a radical change, but a comprehensive approach to ensure our information is protected, built on existing and established Information security systems’ foundation.

I will also be talking about further aspects of cybersecurity in my next blog, so don’t miss out. And don’t forget to leave any feedback or comments on this topic.

See you soon!

Methods to identify the internal & external issues of the organization for ISO 27001:2013

Clause 4.1 of the standard requires identifying the internal & external issues of an organization, but the standard doesn’t tell how to perform this. The simplest way is to list all the internal & external issues, but this may not be exhaustive, as there is a good chance that we miss some of them. Hence, it is always recommended to follow a structured approach. The two possible approaches from my viewpoint are:

  1. Mind maps: Create a mind map that depicts the various internal & external issues. To create the mind map, discuss the internal & external issues with all the relevant stakeholders and try to get as much information as you can. You may also refer to the information flow diagram developed earlier. While performing the activity, keep the internal & external context in mind & try to relate the inputs to them. Once the mind map is developed, you can tabulate it.
  2. SWOT & PESTLE analysis: You can do a SWOT (Strengths, Weaknesses, Opportunities & Threats) analysis for finding the internal issues and a PESTLE (Political, Economic, Social, Technological, Legal, Environmental) analysis for finding the external issues.

While identifying the internal & external issues, I recommend doing it at an organizational level, considering the organization as a whole, although our focus is to find the issues that can affect the information security management system. Once the issues are identified, you may pick those relevant to information security. This activity will also give inputs to your risk assessment, as some of the issues identified will have to be mitigated during your risk assessment.

What is Context of the Organization for ISO 27001:2013?

The best way to start with the context of the organization is with an information flow diagram, as explained in my previous blog. This gives a clear idea of the organization as a whole & its constituents. For better understanding, let us split the context into internal & external.

Internal – The internal context of the organization constitutes the work culture, internal practices, organization structure, policies, processes, organizational values, objectives, resources, business strategies, expertise & capabilities, etc.

External – The external context includes factors such as market competition, differentiators, supplier/vendor relationships, market trends, the political situation where you operate, clients, environmental aspects, social & cultural aspects, legal & regulatory commitments, relationships, external stakeholders, requirements from all the interested parties, etc.

In brief, the context of the organization includes all the internal & external factors that can have an influence on its existence & activities.

For ISO 27001, the context of the organization is all the factors mentioned above that have an influence on achieving the objectives set forth by the organization’s information security management system.

You may also refer to Clause 5.3 of ISO 31000:2009 for guidelines pertaining to internal & external context.

How to start with Context of the Organization in ISO 27001:2013 ?

One of the key changes in the 2013 version is that the standard urges you to understand the organization before defining the scope of the information security management system. This is referred to as Context of the Organization in Clause 4. Perhaps this is the most relevant change that was required for implementing the standard in a real sense. But there is always confusion on how to tackle this requirement. The best approach from my viewpoint to start with is:

  1. Initial discussion: Have a discussion with a stakeholder (or stakeholders) who has an overall idea of the entire organization. You should be very particular in selecting the person; a resource with a fair understanding of the processes and an overall idea of the organization will be the best choice.
  2. Information flow diagram: The next step is to create an information flow diagram. The flow diagram should clearly depict the departments/entities along with the flow of data.

The advantages of this approach are:

  1. The entire organization is covered & it is very unlikely that we miss any function/process/department
  2. There will be more clarity on the scope that needs to be defined
  3. This can also give inputs to the Risk Assessment