Doug White is the chair of Cybersecurity and Networking at Roger Williams University and the co-host of the Secure Digital Life (securityweekly.com) podcast. White has a doctorate in computer information systems and quantitative analysis from the University of Arkansas. He is a certified information systems security professional, certified computer examiner, certified Cisco network administrator, and licensed private investigator.
PBN: How do the recent “WannaCry” ransomware attacks differ from previous malware attacks?
WHITE: This particular ransomware is embedded in a “worm,” which is a program that not only delivers the ransomware payload to a computer but can then use that computer to infect other computers in the network or elsewhere. Most previous ransomware attacks were delivered via email or downloaded malware based on the computer user clicking the file and executing it.
PBN: What can Windows users do to protect themselves from WannaCry attacks?
WHITE: Ensure your version of Windows is patched to the current versions using Windows Update. If you have patched since March, you should be protected from the WannaCry variant.
PBN: Are similar attacks likely in the coming months?
WHITE: Yes. Worm malware is pernicious, to say the least, and is difficult to stamp out since it automatically spreads to vulnerable systems.
The worm component of WannaCry is based on an exploit that is found in unpatched machines. The initial WannaCry attacks were stopped due to a domain problem with the WannaCry malware. The domain was needed in order for the exploit to work correctly, but the malware authors did not own the domain. It was purchased and disabled by a malware analyst and someone subsequently released a new version, WannaCry 2.0, on the dark web almost immediately. This, and other variants, can be modified to continue to infect unpatched systems quite easily.
PBN: How vulnerable are businesses to these kinds of attacks and what do you recommend they do to protect their IT systems?
WHITE: Businesses are particularly vulnerable to poor patching and firewalling. For home users, patching is typically automatic and almost unseen. But in a business, a patch can have unpredictable effects on systems, so there is often a delay in patching systems because of testing and approval processes that must be conducted.
Additionally, businesses are more likely to contain embedded operating systems, which are not installed but rather built into various devices. These may be difficult or even impossible to patch. Home users also tend to use “SOHO-type” firewalls, which are almost always set to block all ports unless otherwise instructed. This is a pretty good defense against worms. Businesses, however, might have open ports, for various reasons, that can subsequently be exploited.
WannaCry uses Port 445 – a port that should not be open and would not typically be open in home use. But businesses, all too often, have ports opened for use. And even when no longer in use, ports might remain open because of an oversight. Multiple points of entry pose an additional threat to businesses. If there are many paths into the network for a multinational operation, a port left open in Hong Kong could allow a network-wide compromise even if the port is closed in New York. Thus, businesses need to do several things:
- Monitor firewall activity and test regularly for open ports;
- Ensure patch management is conducted rapidly and thoroughly;
- Ensure that backups are made, that backups are stored “out of band” (offline) and that backups are regularly tested for viability;
- Maintain multiple backup versions to ensure there is a backup of last resort;
- Ensure staffing is sufficient to monitor and that monitoring of resources (such as US-CERT, Fusion and other outlets) is actually done.
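The first item on that list, testing regularly for open ports, is easiest to do against the firewall's own rule export rather than by probing hosts. The script below is an added example, not anything from PBN or from White: it reads a constructed, simplified rule export (one rule per line; a real iptables, ACL or cloud security-group export needs its own parser, but the exposure logic is the same) and reports, per site, which SMB ports (TCP 139 and 445) are allowed inbound from outside the RFC 1918 address space. It honours first-match order, so an allow that is already covered by an earlier, wider deny is not reported, which is the New York versus Hong Kong situation described above.

```python
"""Audit a firewall rule export for inbound SMB exposure (added example).

Constructed rule format, one rule per line, first match wins within a site:
    site,direction,proto,ports,source,action
"""
import ipaddress

SMB_PORTS = {139, 445}          # NetBIOS session service and SMB over TCP
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export: New York denies 445 from everywhere before
# allowing it internally; Hong Kong leaves a whole port range open to the
# world; London allows 445 from a partner range and shadows an allow for 139.
SAMPLE_RULES = """\
site,direction,proto,ports,source,action
new-york,in,tcp,445,0.0.0.0/0,deny
new-york,in,tcp,443,0.0.0.0/0,allow
new-york,in,tcp,139-445,10.0.0.0/8,allow
hong-kong,in,tcp,135-445,0.0.0.0/0,allow
hong-kong,in,udp,445,any,allow
london,in,tcp,445,203.0.113.0/24,allow
london,in,tcp,139,0.0.0.0/0,deny
london,in,tcp,139,any,allow
"""


def parse_ports(spec):
    """'445', '135-445' or 'any' -> set of port numbers."""
    if spec == "any":
        return set(range(0, 65536))
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def parse_source(spec):
    """'any' and CIDR strings -> ip_network; host bits are tolerated."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec,
                                strict=False)


def is_internal(net):
    """True only if the whole source range lies inside one RFC 1918 block."""
    return any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def parse_rules(text):
    lines = [ln for ln in text.strip().splitlines()
             if ln and not ln.startswith("#")]
    header = lines[0].split(",")
    rules = []
    for line in lines[1:]:
        rule = dict(zip(header, line.split(",")))
        rule["ports"] = parse_ports(rule["ports"])
        rule["source"] = parse_source(rule["source"])
        rules.append(rule)
    return rules


def smb_exposures(rules):
    """Return {site: [(port, source_cidr), ...]} for SMB ports allowed inbound
    over TCP from non-internal sources.  An allow is skipped when an earlier
    deny in the same site already covers that port for a source range at
    least as wide (first-match semantics)."""
    exposures = {}
    denied = {}   # site -> [(ports, source_net)] seen so far
    for rule in rules:
        if rule["direction"] != "in" or rule["proto"] != "tcp":
            continue  # SMB is TCP; the UDP 445 rule is noise, not exposure
        site = rule["site"]
        if rule["action"] == "deny":
            denied.setdefault(site, []).append((rule["ports"], rule["source"]))
            continue
        if is_internal(rule["source"]):
            continue
        for port in sorted(SMB_PORTS & rule["ports"]):
            shadowed = any(port in ports and rule["source"].subnet_of(net)
                           for ports, net in denied.get(site, []))
            if not shadowed:
                exposures.setdefault(site, []).append(
                    (port, str(rule["source"])))
    return exposures


def network_is_exposed(rules):
    """One open site is enough: the worm only needs one path in."""
    return bool(smb_exposures(rules))


if __name__ == "__main__":
    for site, hits in smb_exposures(parse_rules(SAMPLE_RULES)).items():
        for port, src in hits:
            print(f"{site}: TCP/{port} allowed inbound from {src}")
```

Run against the sample, only Hong Kong (139 and 445 to the world) and London (445 to the partner range) are reported; New York's internal-only allow and the shadowed London rule are not. The London partner rule is still worth a second look, which is why the report lists the source range rather than just a yes/no per site.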
PBN: As co-host of the Secure Digital Life podcast, what are your top pieces of advice for those who believe they might be at risk of future WannaCry attacks?
WHITE: The best survival tip is to have recent out-of-band backups and multiple backup versions in protected storage. If ransomware is encountered and files are stored out of band, recovery is simply a matter of closing a port, patching the systems, restoring backups and bringing them up to date. Home users should ensure they have firewalls, use both antivirus and malware protection (Malwarebytes is free malware protection), and consider using Cybereason (free ransomware protection).
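White's advice on out-of-band backups, multiple versions and regular restore testing turns into a concrete check on a backup catalogue. The script below is an added example, not code from PBN or from White, and its catalogue entries are constructed: each records when the backup was taken, whether the media was offline at the time, the digest the backup job wrote, and the content read back during a simulated restore test. The interesting edge case is that a backup taken after the compromise faithfully captures already-encrypted files, so the "backup of last resort" is the newest verified offline copy that predates the compromise, not simply the newest copy.

```python
"""Pick the backup of last resort and list policy gaps (added example)."""
import hashlib
from datetime import datetime


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed backup catalogue.  "offline" marks out-of-band media the worm
# could not reach; "digest" is what the backup job recorded at write time;
# "content" stands in for what a restore test reads back from the media.
SAMPLE_CATALOG = [
    {"id": "b1", "taken": "2017-05-08T02:00", "offline": True,
     "content": b"payroll v1", "digest": sha256(b"payroll v1")},
    {"id": "b2", "taken": "2017-05-10T02:00", "offline": True,
     "content": b"payroll v2", "digest": sha256(b"payroll v2")},
    # online share: reachable by the same worm that hit production
    {"id": "b3", "taken": "2017-05-11T02:00", "offline": False,
     "content": b"payroll v3", "digest": sha256(b"payroll v3")},
    # tape that no longer reads back what was written
    {"id": "b4", "taken": "2017-05-12T02:00", "offline": True,
     "content": b"\x00\x00 corrupt", "digest": sha256(b"payroll v4")},
    # taken after the compromise: a faithful backup of encrypted files
    {"id": "b5", "taken": "2017-05-13T02:00", "offline": True,
     "content": b"encrypted blob", "digest": sha256(b"encrypted blob")},
]


def restore_test(entry):
    """Simulated restore test: read the media back, compare with the digest."""
    return sha256(entry["content"]) == entry["digest"]


def usable_backups(catalog, compromised_at):
    """Offline, verified, and taken before the compromise time (ISO 8601)."""
    cutoff = datetime.fromisoformat(compromised_at)
    return [e for e in catalog
            if e["offline"]
            and datetime.fromisoformat(e["taken"]) < cutoff
            and restore_test(e)]


def backup_of_last_resort(catalog, compromised_at):
    """Id of the newest usable backup, or None if nothing survives."""
    usable = usable_backups(catalog, compromised_at)
    if not usable:
        return None
    return max(usable, key=lambda e: datetime.fromisoformat(e["taken"]))["id"]


def recovery_point_gap_days(catalog, compromised_at):
    """Days of work lost between the last-resort backup and the compromise."""
    best = backup_of_last_resort(catalog, compromised_at)
    if best is None:
        return None
    taken = next(e["taken"] for e in catalog if e["id"] == best)
    delta = datetime.fromisoformat(compromised_at) - datetime.fromisoformat(taken)
    return delta.total_seconds() / 86400


def policy_gaps(catalog, compromised_at, min_versions=3):
    """Human-readable findings against the advice given in the interview."""
    gaps = []
    usable = usable_backups(catalog, compromised_at)
    if len(usable) < min_versions:
        gaps.append(f"only {len(usable)} verified out-of-band versions "
                    f"predate the compromise (policy wants {min_versions})")
    for e in catalog:
        if not e["offline"]:
            gaps.append(f"{e['id']}: stored online, reachable by the worm")
        elif not restore_test(e):
            gaps.append(f"{e['id']}: restore test failed, media unreadable")
    return gaps


if __name__ == "__main__":
    when = "2017-05-12T12:00"   # constructed compromise time
    print("backup of last resort:", backup_of_last_resort(SAMPLE_CATALOG, when))
    print("recovery point gap (days):",
          round(recovery_point_gap_days(SAMPLE_CATALOG, when), 2))
    for gap in policy_gaps(SAMPLE_CATALOG, when):
        print("gap:", gap)
```

With the sample catalogue the answer is b2: b3 was online, b4 fails its restore test, and b5 was written after the files were already encrypted. The gap list then explains why only two versions were left, which is the "multiple backup versions" point made above.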
Emily Gowdey-Backus is a PBN staff writer.