IT Audit Team Member

During the last several days, companies and organizations around the world were reeling from a ransomware attack that, according to some estimates, could cost as much as $4 billion in damages and payments. The attack, which was carried out through the use of a piece of malware called “WannaCry” or “WannaCrypt,” targeted more than 200,000 computers in more than 150 countries and included many hospitals and health care organizations. Britain’s National Health Service was forced to delay some surgeries due to the attack.

During ransomware attacks, hackers seize control of computers and threaten to destroy data unless a payment is made. The ransom is often demanded in hard-to-trace payment methods, such as bitcoin or other virtual currencies. Ford Winslow, CEO of ICE Cybersecurity, says ransomware attacks are becoming more common and increasingly menacing. “They are among the most serious types of attacks because they can be completely disabling to a company or organization,” he says. He also says they can be particularly jarring to employees who may suddenly get a message on their screen demanding a payment.

What’s troubling about WannaCry is that it mainly exploited a vulnerability in computers running older versions of Windows. The vulnerability was identified months ago, and Microsoft issued a patch for it in March, meaning the problem could have been avoided by following some fairly standard IT security procedures.

The high-publicity attack has many companies reviewing their protections against ransomware and other cybersecurity threats. Ford provided five preventative controls that IT audit should ensure are functioning properly.

1. Ensure Updates and Patches Are Being Applied
Many have marveled at the idea that the dramatic effects of the WannaCry ransomware attack could have been prevented by a simple patch that Microsoft released two months before the concerted attack.

Yet, updating versions and applying patches isn’t always as simple as it sounds. “Typically, when updates and patches aren’t applied it’s not because the IT department is being lazy, it may be because they don’t have the authority,” says Ford. In certain highly regulated industries, for example, companies must win approval for systems running certain versions of software and they aren’t free to change them without regulatory approval.

Medical devices, power and water utilities, and banking are some of the industries that could be affected. Ford says they need to ensure that they are building updates into the regulatory validation process.

IT departments also can’t provide updates and patches to devices and technology they don’t know they have, such as unauthorized laptops, mobile phones, and other employee-owned devices. “You need to test the security scanning system to make sure it is picking up rogue devices that connect to the network,” says Ford. He also advises IT auditors to conduct an assessment of the inventorying process. And, he says, don’t forget connected internet of things (IoT) devices, such as TVs, thermostats, voice-activated speakers, and other connected devices that need to be updated and security vulnerabilities patched.

The WannaCry attack also provides a good reminder of the risks of running old software that may no longer be supported by the issuer, meaning flaws and vulnerabilities are no longer being fixed.

2. Test the Data Backup System … No, Really Test It
Ransomware targets an organization’s or individual’s critical data and holds it hostage by encrypting it while demanding that a ransom be paid to an anonymous account. Having an effective backup system that allows a copy of the data to be retrieved means you can ignore the demands, right? Well, yes, but only if it is effective.

According to Ford, it’s quite common for the automated backup system to fail during a ransomware attack. He cites two problems: The first is that the backup system is also attacked. The virus gets backed up, due to a poorly designed system, and that data is infected as well. The second common problem is that the backup system isn’t working properly and the data can’t be retrieved. “A properly architected backup system is a critical element of a ransomware defense, but it has to be tested to make sure everything works,” says Ford.

Delta Airlines, for example, found out the hard way last August when a critical data center near its headquarters in Atlanta failed due to a small fire. The fire caused an electrical surge and loss of power to its central computer system. It was later found that about 300 of Delta’s 7,000 servers were not properly configured for backup power, causing the failure, which resulted in more than 2,100 cancellations and even more delays.

Ford says a problem like Delta’s can usually be identified with a full test of the backup system. “It’s a little scary, but you have to pull the plug and see if what is supposed to happen happens,” he says.
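The restore test Ford describes, written out as an added example (not from the article or ICE Cybersecurity): the backup set is restored to scratch space, every file is checked against a manifest of hashes recorded when the backup was taken, and a changed file whose bytes look random is flagged as encrypted content that the backup job copied faithfully. The manifest layout, file names and the plain-copy "restore" are assumptions standing in for a real backup product.

```python
import hashlib, json, math, os, shutil, tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; documents and source sit well below this

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def restore_test(backup_dir: Path) -> dict:
    """Restore the set (a plain copy stands in for the backup tool) into scratch
    space and check every file against manifest.json written at backup time."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    report = {"ok": [], "mismatch": [], "missing": [], "encrypted": []}
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup_dir, restored)
        for rel, expected in manifest.items():
            f = restored / rel
            if not f.exists():
                report["missing"].append(rel)
            elif sha256_file(f) != expected:
                report["mismatch"].append(rel)
                # a changed file whose bytes look random was most likely encrypted,
                # i.e. the backup job copied ransomware output instead of the data
                if entropy(f.read_bytes()) > ENTROPY_THRESHOLD:
                    report["encrypted"].append(rel)
            else:
                report["ok"].append(rel)
    report["restorable"] = not (report["mismatch"] or report["missing"])
    return report

def demo() -> dict:
    """Constructed backup set (assumption): a manifest of two clean files, then
    one file is overwritten with random bytes before the backup copy is taken."""
    root = Path(tempfile.mkdtemp())
    (root / "ledger.csv").write_text("id,amount\n1,100\n2,250\n" * 50)
    (root / "notes.txt").write_text("quarterly review notes\n" * 50)
    manifest = {p.name: sha256_file(p) for p in root.iterdir()}
    (root / "ledger.csv").write_bytes(os.urandom(4096))  # simulated encryption
    (root / "manifest.json").write_text(json.dumps(manifest))
    try:
        return restore_test(root)
    finally:
        shutil.rmtree(root)
```

A backup that passes only the "job completed" check but fails `restorable` here is exactly the case Ford warns about: the data was copied, but what was copied is useless.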

3. Conduct a Phishing Campaign
While the WannaCry ransomware attack didn’t come from a phishing attack—where a malicious e-mail from an attacker attempts to fool someone into clicking and opening a piece of malware—many ransomware attacks do. Many companies are conducting extensive training and education programs to teach employees to identify suspicious e-mails and to be more skeptical of e-mail in general. Ford recommends running a security phishing campaign, “to determine who is most likely to click on this stuff.” He says that training can be targeted to those who repeatedly fail phishing tests. “That’s proven very effective. Those who fail tests and don’t get training are about 90% more likely to be the victims of a phishing scam,” says Ford.

4. Check Your Anti-Virus Protections
According to Ford, anti-virus software is still a big part of a ransomware defense. “This seems like a no-brainer, but you would be shocked by how many organizations either skimp on anti-virus protection or don’t have it installed in all the necessary equipment. They may buy the right tool and then deploy it in only 10 percent of the environment.” Ford says it’s important to have a version that’s relatively easy to deploy. He also says it again

5. Ensure Someone Is Looking at Vulnerability Reports
Another problem at many companies is that they may have good monitoring and detection methods in place, but no one is paying attention to what they are saying, or the reporting mechanisms are ignored or not configured in a way that gets the attention of those who can do something about it. “You have to have a good vulnerability scanning capability, but it’s useless if it’s being ignored,” says Ford.

He says, for example, that a vulnerability scanning system would have easily identified the vulnerabilities that were used by hackers in the WannaCry attack. Such systems are also capable of identifying software in use at the organization that is no longer being supported or patched. “It’s pretty easy technology to deploy.”
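One way an IT auditor can check whether scan reports are actually being acted on, as an added example rather than anything from the article or a real scanner's export format: compare successive scan snapshots, and any critical or high finding that is still present past its remediation SLA is evidence that the report is being ignored. The scan dates, host names, finding ids and SLA values below are constructed for illustration.

```python
from datetime import date

SLA_DAYS = {"critical": 14, "high": 30}  # assumed remediation SLA per severity

# Constructed export of two successive scans of the same hosts. "eol" marks a
# finding about software the vendor no longer supports or patches.
SCANS = {
    date(2017, 3, 20): [
        {"host": "fs01", "id": "win-missing-2017-03-patch", "severity": "critical", "eol": False},
        {"host": "fs01", "id": "unsupported-os-version", "severity": "high", "eol": True},
        {"host": "ws17", "id": "browser-outdated", "severity": "medium", "eol": False},
    ],
    date(2017, 5, 12): [
        {"host": "fs01", "id": "win-missing-2017-03-patch", "severity": "critical", "eol": False},
        {"host": "fs01", "id": "unsupported-os-version", "severity": "high", "eol": True},
    ],
}

def ignored_findings(scans: dict, today: date) -> list:
    """Findings still open in the latest scan and older than their SLA, sorted
    with the longest-ignored first. Findings absent from the latest scan count
    as remediated and are dropped."""
    dates = sorted(scans)
    first_seen = {}
    for d in dates:
        for f in scans[d]:
            first_seen.setdefault((f["host"], f["id"]), (d, f))
    still_open = {(f["host"], f["id"]) for f in scans[dates[-1]]}
    out = []
    for (host, fid), (seen, f) in first_seen.items():
        if (host, fid) not in still_open:
            continue
        age = (today - seen).days
        sla = SLA_DAYS.get(f["severity"])
        if sla is not None and age > sla:
            out.append({"host": host, "finding": fid, "severity": f["severity"],
                        "days_open": age, "over_sla_by": age - sla, "eol": f["eol"]})
    return sorted(out, key=lambda r: -r["over_sla_by"])

def demo() -> list:
    # audit date is an assumption chosen to fall after the second scan
    return ignored_findings(SCANS, date(2017, 5, 15))
```

A non-empty result with `eol` findings in it points at both of Ford's concerns at once: the scanner did its job, and the unsupported software it flagged is still on the network.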

What is, perhaps, the scariest aspect of the WannaCry attack is that it hit a vulnerability that was already known and it targeted old technology. Ford says we should expect more sophisticated attacks that target all types of systems. That doesn’t mean he thinks the situation is hopeless. “It’s going to get worse before it gets better,” Ford says. “But it will eventually get better.”