The day after the down: Malware & Ransomware, what to do next?

It has already been some 72 hours of running around for most IT teams around the world, looking into what happened with this “Wannacry” ransomware, and all of them feeling the same way. Far from being over and back to business as usual, we must still stay alert for some time because:


  • In many companies people went home after shutting down their computers, so there is still a chance that, when they switch them on again on Monday, the virus will still be there.

  • Connections between companies and partners are being re-established (many also cut all links with the “outside” world); when communications are open again, the virus may come in again.

So, as mentioned, in most cases IT teams have been adding rules to their firewalls, patching servers and deploying GPOs (Group Policy Objects) in Windows so that, when computers start up again, they will get the latest antivirus, patches, etc. installed. Fingers crossed anyway, and good luck to all.

But this is not the way to go. I have a saying:

Control the situation, don’t allow the situation to control you

What does that mean? Well, rather than leaning back with our feet on the table (should we have succeeded in this crisis), we have to be conscious of what we didn’t do and what we need to do in the future. When it comes to security and cybercrime it is very difficult to always be ready, as potential intruders and attackers will surely be one step ahead, but let's make sure they are not too far ahead of us, or there will not be a next time for our IT systems.

Let me give you a few tips on how you can be “better prepared”, as no one can guarantee you 100% readiness for the next crisis: it is about managing risks. These steps should be general practice in all companies, not just because of a ransomware attack but to be ready against ANY attack:

Know your “kingdom” inside out

It is incredible how many people are unaware of what their IT systems are made of. If you don’t know what you are managing, how can you protect it? Make sure you keep up-to-date documentation, diagrams, service dependencies, inventories, etc. Not knowing what you are handling will leave you weak, as you won't know where an attack may come from.

Keep your systems up-to-date

Normally attackers take advantage of security gaps and vulnerabilities that are usually remediated through the release and deployment of patches and software updates (as happened with the recent Wannacry ransomware). Make sure you have a policy for patching applications on your servers and end-user computers, but do not forget about other network elements that may also bring your systems down, like firewalls, switches, etc.

Have a backup-strategy

You should always, always... always back up your data. Should your server or end computer be infected, you can always go back to a previous version from when everything was still working as it should. Don’t neglect this no matter how much your team hates routine tasks, and check that the backups are done correctly. You don’t want to need them only to discover that they were stopped by another service or, even worse, deleted to free space for something else. Also, do not forget to take those backups off-site.
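The advice above to check that backups are actually done correctly is easy to automate. The following is an added example, not code from the original post or from any backup vendor: it builds a backup set with a manifest of SHA-256 checksums and the time the backup was taken, then verifies that the backup exists, is recent, is not empty, and that every file still matches its checksum. The manifest file name, the constructed sample files and the 24-hour freshness limit are assumptions chosen for the example; an off-site copy would be checked the same way by pointing `verify_backup` at that copy.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Hypothetical manifest name chosen for this example.
MANIFEST_NAME = "backup-manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src_dir: Path, backup_dir: Path, now: datetime | None = None) -> dict:
    """Copy every file under src_dir into backup_dir and write a manifest
    (relative path -> sha256 and size) together with the time the backup was taken."""
    now = now or datetime.now(timezone.utc)
    backup_dir.mkdir(parents=True, exist_ok=True)
    files = {}
    for src in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(src_dir).as_posix()
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        files[rel] = {"sha256": sha256_of(dst), "size": dst.stat().st_size}
    manifest = {"taken_at": now.isoformat(), "files": files}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, max_age: timedelta = timedelta(hours=24),
                  now: datetime | None = None) -> list[str]:
    """Return a list of problems found; an empty list means the backup is usable."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    manifest_path = backup_dir / MANIFEST_NAME
    if not manifest_path.exists():
        return ["manifest missing: the backup job probably never ran"]
    manifest = json.loads(manifest_path.read_text())
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    if now - taken_at > max_age:
        problems.append(f"stale: last backup taken {taken_at.isoformat()}")
    if not manifest["files"]:
        problems.append("empty: manifest lists no files")
    for rel, meta in manifest["files"].items():
        path = backup_dir / rel
        if not path.exists():
            problems.append(f"missing: {rel}")
        elif path.stat().st_size != meta["size"] or sha256_of(path) != meta["sha256"]:
            problems.append(f"checksum mismatch: {rel}")
    return problems


def demo() -> dict:
    """Constructed scenario: a tiny share with two files, backed up to a sibling directory,
    then damaged in the ways the post warns about (corruption, deletion, a job that stopped)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dst = root / "share", root / "backup"
        (src / "docs").mkdir(parents=True)
        (src / "ledger.csv").write_text("2017-05-12,invoice,100\n")   # constructed sample data
        (src / "docs" / "plan.txt").write_text("recovery plan v1\n")  # constructed sample data
        create_backup(src, dst)
        results["fresh"] = verify_backup(dst)
        (dst / "ledger.csv").write_text("tampered\n")          # simulate a corrupted backup file
        results["corrupted"] = verify_backup(dst)
        (dst / "docs" / "plan.txt").unlink()                     # simulate a file deleted to free space
        results["damaged"] = verify_backup(dst)
        a_week_later = datetime.now(timezone.utc) + timedelta(days=7)
        results["stale"] = verify_backup(dst, now=a_week_later)  # simulate a job that stopped running
    for name, problems in results.items():
        print(f"{name}: {problems or 'OK'}")
    return results


if __name__ == "__main__":
    demo()
```

Run this as a scheduled job against each backup location and alert on any non-empty result; a green light only when the manifest is fresh and every checksum matches is what distinguishes "we have backups" from "we can restore".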

Don’t keep all your eggs in the same basket

Do not use one single server for everything. Segment your network and data strategy so that, should one of your servers be affected, you can still run other services and access the data. Ideally different departments or end services will be allocated to different instances or servers altogether.

Train your staff on cybercrime

Humans are the weakest point in the security chain. Train them so they are aware of how easily a virus can get in and destroy valuable (and often irreplaceable) information. Clicking on links in unsolicited mail, running unknown executables, or browsing sites while accepting all cookies or installing add-ons is the best way to fall again into the hands of the criminals.

Test, correct…test again

Even though you may have a security strategy, don’t think that everything is done, even if you have done everything mentioned so far. Ask for external help; perform internal and external threat analysis and penetration tests, all of this by a third party so there are no conflicts of interest.

Remove out of date equipment

Again, you are only as strong as your weakest point. If your devices are at end-of-life and end-of-support, chances are there will no longer be support from the manufacturers in the form of software updates that fix security issues.

Update your systems

It does not matter how well a server performs if it is based on out-of-date software. Running servers on Windows 2003 or computers on Windows XP will ensure they are taken down at the first opportunity, without needing very sophisticated malware to do so.

Keep your systems with antivirus…and updated

This should be one of the very basics: have an AV installed and updated. On many occasions people install the AV but “forget” to pay the subscription, hoping that whatever they were protected against last year will still work this year and into the future. Wrong!!! There are continuously new threats, and keeping your AV updated will help you in case something nasty comes your way. AV companies spend a lot of time and effort keeping up with the “bad people”, so you’d better make use of that effort.

Additional measures

When you talk about security, nowadays the sky is the limit. There are a number of additional things that you may want to consider, if you are serious about cybersecurity.

Hire professionals and train your team

If you don’t have the knowledge to take on board all the necessary measures, hire someone, even if only on a consultancy basis. It is important that you roll out a strategy around your security, and the sooner the better. Also, keep your team in the know and be open and clear about the strengths and weaknesses of your team. There is nothing worse than having a team that cannot perform during critical situations because they could not tell you the reality when things were running smoothly.

Have a common & corporate strategy and communication

While deploying all these tools, processes and procedures may be a colossal task, we must keep in mind that there may be many people in different teams working towards the same goal, but more does not mean better. Sometimes the progress achieved in some places may undo the gains elsewhere if people don’t know what they have to achieve, how they have to do it and the common goals they are working towards. Communication and collaboration among teams is of the utmost importance.

Challenge yourself and your team

When you think that you are fine and things could not be any better, you are in trouble. Being overconfident is the worst thing that can happen to anybody, above all when we are talking about security. Challenge what you are doing; set high goals that may not be part of the business strategy but that, as a professional, you owe it to yourself to pursue. Step out of your comfort zone and achieve certifications for your business that, maybe, were not on your company's roadmap but will definitely be rewarding (e.g. what about the “ISO/IEC 27000 family – Information security management systems” or PCI-DSS, the “Payment Card Industry Data Security Standard”?)

If you don’t challenge yourself you will never become better at what you do.

Use additional technologies and be innovative in your approach: The “sandbox” solution.

You can look for additional appliances or solutions. Many people are looking at deploying “sandboxes”. In the old days those were not much better than a relay for the information that was about to enter your network, doing some basic scanning. Now things have changed and, let me tell you, if you can afford it, go for it. There are wonderful solutions out there that will take every email or piece of information trying to enter your network and check it thoroughly, simulating how that file would behave if it were to infect or attack your systems, by running those files through virtual machines that imitate almost any Windows flavour (among others). If you can get one of those, do it.

Going the extra mile with the old-new kid on the block: Blockchain.

Even though “blockchain” technology is not new, it is true that it is not widely used as a standard in most companies. The first time this technology was mentioned was in 1991. For those who don’t know it, a blockchain is a sequential distributed database, mainly used and found in cryptocurrencies derived from bitcoin. However, this technology can be applied to any industry. Those distributed databases work much like accounting: every block has its own ledger, and whatever information is written cannot be changed, ever. Then the next block takes information from the previous block, checking and carrying forward some parameters that will not be altered. Any change to those means that the chain has been “touched”, so you can go back to the point where the information was still kept in sequence. Even though, as mentioned, the technology dates back to 1991, it has until now seen very little implementation. Experts reckon that once it is implemented more generally it will become the standard for serious transactions and for keeping data safe.
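The tamper-evidence property described above (each block carrying a fingerprint of the previous one, so that any later edit is detectable) can be shown in a few lines. The following is an added example, not code from the original post or from any blockchain product: it uses SHA-256 as the per-block hash, keeps a single in-memory chain with constructed sample ledger entries, and leaves out the distribution and consensus parts the post does not go into. The field names and the all-zero genesis link are assumptions chosen for the example.

```python
import hashlib
import json
from typing import Optional

GENESIS_PREV_HASH = "0" * 64  # assumed link for the first block; any fixed value works


def block_hash(index: int, timestamp: str, data: str, prev_hash: str) -> str:
    """Hash the block's own content together with the previous block's hash.
    Because prev_hash is part of the input, editing any earlier block changes
    every hash that follows it unless all of them are recomputed."""
    payload = json.dumps(
        {"index": index, "timestamp": timestamp, "data": data, "prev_hash": prev_hash},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_block(chain: list, timestamp: str, data: str) -> dict:
    """Add a new ledger entry linked to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV_HASH
    index = len(chain)
    block = {"index": index, "timestamp": timestamp, "data": data, "prev_hash": prev_hash}
    block["hash"] = block_hash(index, timestamp, data, prev_hash)
    chain.append(block)
    return block


def first_broken_block(chain: list) -> Optional[int]:
    """Walk the chain from the first block and return the index of the first block whose
    stored hash no longer matches its content, or whose prev_hash no longer matches its
    predecessor. None means the ledger is intact; everything before the returned index
    is still trustworthy, which is the point the post makes about going back in the chain."""
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV_HASH
        if block["prev_hash"] != expected_prev:
            return i
        recomputed = block_hash(block["index"], block["timestamp"], block["data"], block["prev_hash"])
        if block["hash"] != recomputed:
            return i
    return None


def demo() -> dict:
    """Constructed scenario: three ledger entries, then an in-place edit of an old one."""
    chain: list = []
    append_block(chain, "2017-05-12T09:00:00Z", "invoice 1001 paid")  # constructed sample entries
    append_block(chain, "2017-05-12T09:05:00Z", "invoice 1002 paid")
    append_block(chain, "2017-05-12T09:10:00Z", "invoice 1003 paid")
    results = {"intact": first_broken_block(chain)}

    # An old entry is edited in place: the block's stored hash no longer matches its content.
    chain[1]["data"] = "invoice 1002 refunded"
    results["edited"] = first_broken_block(chain)

    # Even if the edited block's hash is recomputed, the NEXT block still carries the
    # original hash in its prev_hash field, so the break simply moves one block along.
    chain[1]["hash"] = block_hash(1, chain[1]["timestamp"], chain[1]["data"], chain[1]["prev_hash"])
    results["rehashed"] = first_broken_block(chain)

    for name, idx in results.items():
        print(f"{name}: {'chain intact' if idx is None else f'first broken block is #{idx}'}")
    return results


if __name__ == "__main__":
    demo()
```

The verification is what matters operationally: a ledger only protects you if something actually walks the chain and raises an alarm when `first_broken_block` stops returning `None`. In a real deployment the chain is copied to several parties, so a change would have to be reproduced on all of them to go unnoticed.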

So, there are plenty of things a professional can do to try to stay safe from attacks. Sometimes it will not be enough but, for sure, you will be in a much better position, able to provide your company with a solution should your systems fall.

