We know a lot more today about the latest popular cyber-attack (Petya, NotPetya), now that time has passed and many truths about Petya have come out. It is interesting to look at what we know today and how dramatically it differs from the initial reports of a rapidly spreading ransomware attack replicating via phishing emails. When it comes to any sort of emerging cyber-attack, it is important that details about the attack are published, and published quickly. At the same time, we need to stop jumping to conclusions and avoid publishing pure opinion that lacks data to back it up. A concerning amount of the sensationalizing we have come to expect from mainstream media is creeping into cyber news reporting.
Beyond the erroneous reports about Petya, security professionals and executives should be concerned with a couple of other things. The most recent attacks were accomplished by exploiting known vulnerabilities for which patches had been published months earlier. It would be completely understandable if the attack vector had relied on zero-day attacks, as no amount of technology can prevent all such attacks.
It concerns me that the latest attack turned out to be a wiper, and I would feel better if the intent had been financial gain rather than just causing destruction and disruption. Petya is a wiper intent on spreading within an environment simply to destroy data and systems. The initial attack vector was through updates of Ukrainian accounting software, and I’ll have more on that in a future blog post.
I’ll wrap up with some bullet points on how companies and individuals can prevent and recover from these types of attacks.
- Patch, patch and then patch again. Patching is one of the most challenging things, as a “bad” patch could cause business disruption, but an unpatched system could destroy a business.
- Educate your users immediately on how to be suspicious of each and every email they receive. Make them aware that any website has the potential to infect them. Engage users so they become the front line.
- Develop disaster recovery plans that include backing up data on a regular basis and the steps needed to return to full operations.
- Restrict access to data using the principle of least access (least privilege) to reduce the number of potential attack points. It is less about restricting employees and more about reducing the number of attack points available to the bad guys.
- Review your firewall rules on a regular basis. Restrict the inbound and outbound ports allowed through firewalls to only what is needed: block everything first, then open up ports as needed.
- Deploy AV and endpoint protection software and keep it up to date.