One Article Review

Source SANS Institute
Identifier 367940
Publication date 2017-05-23 14:59:46 (viewed: 2017-05-23 14:59:46)
Title What did we Learn from WannaCry? - Oh Wait, We Already Knew That!, (Tue, May 23rd)
Text
In the aftermath of last week's excitement over the WannaCry malware, I've had a lot of "lessons learned" meetings with clients. The results are exactly what you'd expect, but in some cases they came as a surprise to the organizations we met with. There was a whole outcry about not victim-shaming during and after this outbreak, and I get that, but in most cases the infections were process failures that the IT group didn't know they had, and these lessons-learned sessions have contributed to improving the situation at many organizations. The short list is below; affected companies had one or more of these issues.

1/ Patch
Plain and simple: when vendor patches come out, apply them. For a lot of organizations Patch Tuesday means Reboot Wednesday, or worst case Reboot Saturday. If you don't have a "test the patches" process, then in a lot of cases simply waiting a day or two (to let all the early birds test them for you) will do the job. If you do have a test process, in today's world it truly needs to take 7 days or less.

There are some hosts that you won't be patching: the million-dollar MRI machine, the IV pump or the 20-ton punch press in the factory, for instance. But you know about those, and you've segmented them away (in an appropriate way) from the internet and from your production assets. This outbreak wasn't about those assets. What got hammered by WannaCry was the everyday workstations and servers: the hospital stations in admitting and the emergency room, the tablet that the nurse enters your stats into, and so on. Normal user workstations that either weren't patched or were still running Windows XP.

That being said, there are always some hosts that can be patched but can't be patched regularly: the host that's running active military operations, for instance, or the host that's running the call center for flood/rescue operations, e-health or a suicide hotline. But you can't just give up on those; in most cases there is redundancy in place, so that you can update half of those clusters at a time. If there isn't, you still need to somehow get them updated on a regular schedule.

Lesson learned? If your patch cycle is longer than a week, in today's world you need to revisit your process and somehow shorten it. Document your exceptions, put something in place to mitigate that risk (network segmentation is a common one), and get senior management to sign off on both the risk and the mitigation.

2/ Unknown Assets are Waiting to Ambush You
A factor in this last attack was hosts that weren't in IT's inventory. In my group of clients, this meant hosts controlling billboards or TVs running ads in customer service areas (the menu board at the coffee shop, the screen telling you about retirement funds while you wait in line at the bank, and so on). If this had been a Linux worm, we'd be talking about projectors, TVs and access points today. One and all, I pointed those folks back to the Critical Controls list (https://www.cisecurity.org/controls/). In plain English, the first item is "know what's on your network" and the second item is "know what is running on what's on your network". If you don't have a complete picture of these two, you will always be exposed to whatever new malware (or old malware) tests the locks at your organization.

3/ Watch the News
... and I don't mean the news on TV. Your vendors (in this case Microsoft) have news feeds, and there are a ton of security-related news sites, podcasts and feeds (this site is one of those; our StormCast podcast is another). Folks that watch the news knew about this issue starting back in 2015, when Microsoft started advising us to disable SMB1, and then again last year (2016) when Microsoft posted their "We're pleading with you, PLEASE disable SMB1" post. We knew specifically about the vulnerabilities used by WannaCry in January when the Shadowbrokers dump happened, we knew again when the patches were released in March, and we knew (again, much mor
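The two checks in items 2 and 3 above, knowing which hosts are on your network and knowing which of them still speak SMB1, can be done together from a passive capture of TCP/445 traffic. What follows is an added example, not code from this diary or from SANS: it parses SMB NEGOTIATE requests (the bytes after the 4-byte NetBIOS session header), classifies each client as SMB1-only, SMB1 multi-protocol (the client also offers "SMB 2.002"/"SMB 2.???", which is what a current Windows client does) or native SMB2+, and marks any client that is absent from the asset inventory. The sample packets, IP addresses and inventory are constructed for the demonstration, and the function names are the example's own.

```python
"""Passive SMB dialect triage against an asset inventory.

Added example, not code from the ISC diary. Input messages are SMB NEGOTIATE
requests as seen on TCP/445 with the 4-byte NetBIOS session header removed.
All packets, addresses and the inventory below are constructed for the demo.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_COM_NEGOTIATE = 0x0000
SMB1_HEADER_LEN = 32
SMB2_HEADER_LEN = 64
SMB2_DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
                      0x0302: "3.0.2", 0x0311: "3.1.1"}


def parse_smb1_negotiate(msg):
    """Dialect strings offered in an SMB1 NEGOTIATE request (MS-CIFS 2.2.4.52)."""
    if msg[:4] != SMB1_MAGIC or len(msg) < SMB1_HEADER_LEN + 3:
        raise ValueError("not an SMB1 message")
    if msg[4] != SMB1_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE request")
    word_count = msg[SMB1_HEADER_LEN]              # parameter words (0 for NEGOTIATE)
    pos = SMB1_HEADER_LEN + 1 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", msg, pos)
    data = msg[pos + 2:pos + 2 + byte_count]
    # Each dialect is a 0x02 format byte, an ASCII string and a NUL terminator.
    return [e[1:].decode("ascii", "replace")
            for e in data.split(b"\x00") if e.startswith(b"\x02")]


def parse_smb2_negotiate(msg):
    """Dialect codes offered in an SMB2 NEGOTIATE request (MS-SMB2 2.2.3)."""
    if msg[:4] != SMB2_MAGIC or len(msg) < SMB2_HEADER_LEN + 36:
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", msg, 12)  # Command sits at offset 12
    if command != SMB2_COM_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE request")
    (dialect_count,) = struct.unpack_from("<H", msg, SMB2_HEADER_LEN + 2)
    codes = struct.unpack_from("<%dH" % dialect_count, msg, SMB2_HEADER_LEN + 36)
    return ["SMB " + SMB2_DIALECT_NAMES.get(c, "0x%04x" % c) for c in codes]


def classify(msg):
    """Return (verdict, dialects) for one NEGOTIATE request."""
    if msg[:4] == SMB2_MAGIC:
        return "smb2-native", parse_smb2_negotiate(msg)
    dialects = parse_smb1_negotiate(msg)
    if any(d.startswith("SMB 2.") for d in dialects):
        # Normal for a modern client: it opens with SMB1 so the server can pick
        # SMB2; which dialect is actually used is decided by the server's reply.
        return "smb1-multiprotocol", dialects
    return "smb1-only", dialects                   # XP-era client, or SMB2 disabled


def triage(capture, inventory):
    """Map client IP -> (verdict, known_asset) for every NEGOTIATE in capture."""
    report = {}
    for client_ip, msg in capture:
        try:
            verdict, _ = classify(msg)
        except ValueError:
            continue                               # not a NEGOTIATE; skip it
        report[client_ip] = (verdict, client_ip in inventory)
    return report


def needs_attention(report):
    """Clients to chase first: SMB1-only talkers and anything not in inventory."""
    return sorted(ip for ip, (verdict, known) in report.items()
                  if verdict == "smb1-only" or not known)


# --- constructed sample traffic (not a real capture) -------------------------
def build_smb1_negotiate(dialects):
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * (SMB1_HEADER_LEN - 5)
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return header + b"\x00" + struct.pack("<H", len(data)) + data


def build_smb2_negotiate(codes):
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_COM_NEGOTIATE,
                                      0, 0, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHHI16sIHH", 36, len(codes), 1, 0, 0, b"\x00" * 16, 0, 0, 0)
    return header + body + struct.pack("<%dH" % len(codes), *codes)


SAMPLE_CAPTURE = [
    ("10.0.5.21", build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])),
    ("10.0.5.40", build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    ("10.0.5.77", build_smb2_negotiate([0x0202, 0x0210, 0x0311])),
    ("10.0.9.3", build_smb1_negotiate(["NT LM 0.12"])),  # the menu board nobody inventoried
]
SAMPLE_INVENTORY = {"10.0.5.21", "10.0.5.40", "10.0.5.77"}

if __name__ == "__main__":
    report = triage(SAMPLE_CAPTURE, SAMPLE_INVENTORY)
    for ip in needs_attention(report):
        verdict, known = report[ip]
        print(f"{ip:12} {verdict:20} {'in inventory' if known else 'UNKNOWN ASSET'}")
```

Run as a script it lists the hosts to chase first: 10.0.5.21, which offers only SMB1 dialects, and 10.0.9.3, which is not in the inventory at all. The verdict describes what the client offered; the dialect actually used is chosen by the server's reply, so the companion check on the server side is that no file server still answers an "NT LM 0.12"-only negotiate, i.e. that SMB1 really is disabled there as Microsoft advised.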
Sent Yes
Tags Guideline
Stories Wannacry


The article does not seem to have been picked up again after its publication.


The article does not seem to repeat an earlier one.