IT Center Blog: WannaCry Lessons and Practical Recommendations from IT Center Engineers

WannaCry Lessons

24.07.2017

«After all, He‑Who‑Must‑Not‑Be‑Named did great things — terrible, yes, but great.»

Garrick Ollivander, proprietor of Ollivanders in Diagon Alley

WannaCry is a file-encrypting virus (ransomware). Encryptors as a class are well known, so here we look at the properties that are specific to WannaCry.

How does infection with the WannaCry virus occur?

WannaCry can copy itself to other computers on its own by exploiting a vulnerability in the SMB protocol implementation of the Microsoft operating system.

In practice this means that no further action from the user is needed: once the virus is running, it goes on to infect every computer that the infected machine can reach through its network interfaces. An antivirus with a personal firewall will not save you in this situation.

The infected computer scans the local network around it and tries to pass the virus to neighbouring computers. If there is no firewall or address-translating (NAT) router between that computer and the Internet, then for that computer the «local network» effectively extends to the whole Internet. Beautiful and terrible.
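The spreading behaviour described above leaves a clear trace in network flow or firewall logs: one host opening SMB connections to many distinct neighbours within seconds, and, in the exposed case, SMB connections arriving from outside the private address space. The following Python script is an added example, not part of the original post or of IT Center's tooling. It runs over a few constructed log lines in an assumed «timestamp src dst port action» format and flags both patterns; the threshold, window and internal ranges are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow-log lines (assumption; not real IT Center logs).
# Assumed format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>"
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445 ALLOW
2017-05-12T10:00:02 10.0.1.15 10.0.1.21 445 ALLOW
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445 ALLOW
2017-05-12T10:00:03 10.0.1.15 10.0.1.23 445 ALLOW
2017-05-12T10:00:03 10.0.1.15 10.0.1.24 445 ALLOW
2017-05-12T10:00:04 10.0.1.15 10.0.1.25 445 ALLOW
2017-05-12T10:00:05 10.0.1.15 10.0.1.26 445 ALLOW
2017-05-12T10:00:05 10.0.1.15 10.0.1.27 445 ALLOW
2017-05-12T10:00:06 10.0.1.15 10.0.1.28 445 ALLOW
2017-05-12T10:00:07 10.0.1.15 10.0.1.29 445 ALLOW
2017-05-12T10:00:10 10.0.1.40 10.0.1.5 445 ALLOW
2017-05-12T10:00:11 10.0.1.41 10.0.1.5 445 ALLOW
2017-05-12T10:00:12 203.0.113.7 10.0.1.50 445 ALLOW
2017-05-12T10:00:13 198.51.100.9 10.0.1.50 445 DENY
"""

SMB_PORTS = {139, 445}
# Private address space treated as "internal" (assumption for the example).
INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_flows(text):
    """Parse the assumed log format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "action": action,
        })
    return flows


def detect_smb_fanout(flows, window=timedelta(seconds=60), threshold=8):
    """Hosts that reached >= threshold distinct SMB targets within one window.

    A worm scanning its neighbours produces exactly this fan-out; a normal
    workstation talks SMB to a handful of file servers, not to every peer.
    Returns {src_ip: max distinct targets seen in any window}.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["port"] in SMB_PORTS and f["action"] == "ALLOW":
            by_src[f["src"]].append((f["ts"], f["dst"]))

    suspects = {}
    for src, events in by_src.items():
        events.sort()  # the sliding window needs time order
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                key = str(src)
                suspects[key] = max(suspects.get(key, 0), len(distinct))
    return suspects


def detect_external_smb(flows, internal_nets=INTERNAL_NETS):
    """Allowed SMB flows whose source lies outside the internal ranges.

    Any hit means SMB is reachable from the Internet, i.e. the host's
    "local network" has expanded to the Internet as the post describes.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for f in flows:
        if f["port"] not in SMB_PORTS or f["action"] != "ALLOW":
            continue
        if not any(f["src"] in n for n in nets):
            hits.append((str(f["src"]), str(f["dst"])))
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("SMB fan-out suspects:", detect_smb_fanout(flows))
    print("SMB reachable from outside:", detect_external_smb(flows))
```

On the constructed lines, 10.0.1.15 is the only host that reaches ten distinct SMB peers in a few seconds, and the single allowed connection from 203.0.113.7 shows an internal host whose port 445 is reachable from outside; the denied line from 198.51.100.9 is what a correctly placed firewall produces instead.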

WannaCry vs. a «normal» virus

WannaCry is a program with a delayed start. First the virus spreads to every computer it can reach and then, without showing any sign of itself, waits for hour «X» to begin encrypting user data.

Traditional encrypting viruses start encrypting the infected computer immediately after infection. Professional system administrators notice this at once and quickly take the necessary measures.

WannaCry encrypts files with strong cryptographic algorithms. Traditional encryptors do the same.

How to minimize the likelihood of infection with WannaCry

  • Use licensed software and receive the necessary updates on time.
  • Hire qualified technical staff to set up and operate your company's information systems.
  • Install operating system updates promptly. Install and update the antivirus package on time. Work under an account without administrative privileges.
  • Do not connect to public networks; work on the Internet from behind a firewall with a private IP address, even if it is inconvenient.
  • Take backups seriously. A «backup to a USB flash drive» is not a backup at all.

The list of recommendations is easy to extend: use advanced personal firewalls, use multi-factor authentication, work inside dedicated virtual machines, combine hardware and software from different manufacturers.

However, we understand that the extended list is realistic only for professionals; ordinary users will find these recommendations inconvenient to follow.

IT Center's Information Security Policy and WannaCry

IT Center customers were not harmed by WannaCry. IT Center engineers follow the information security rules set out above. In addition, IT Center Cloud segments resources within the data center, arranging the cloud structure according to the risk of infection: segments with ARP filtering and filters at every level of the OSI network model.
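Segmentation limits how far a self-spreading virus can get before anyone reacts. As an added example (not IT Center's actual topology, policy or code), the following Python script models that idea: hosts are assigned to segments, SMB traffic between segments is denied unless a rule explicitly allows it, and a breadth-first search computes how many hosts a worm starting on one machine could reach over SMB, first in a flat network and then in the segmented one. The segment map, host list and rule set are constructed assumptions.

```python
import ipaddress
from collections import deque

# Constructed segment map, hosts and rules (assumptions; not a real topology).
SEGMENTS = {
    "office": "10.10.0.0/24",
    "servers": "10.20.0.0/24",
    "backup": "10.30.0.0/24",
    "mgmt": "10.40.0.0/24",
}
HOSTS = ["10.10.0.11", "10.10.0.12", "10.10.0.13",
         "10.20.0.5", "10.20.0.6", "10.30.0.9", "10.40.0.2"]
SMB = 445

# Flat network: every segment may reach every other over SMB (the "before").
FLAT_RULES = {(s, d, SMB) for s in SEGMENTS for d in SEGMENTS}

# Segmented network: default deny between segments; only these flows allowed.
# The backup segment pulls data from servers; nothing may initiate SMB to it.
SEGMENTED_RULES = {
    ("office", "servers", SMB),   # workstations use the file server
    ("mgmt", "servers", SMB),     # administration
    ("backup", "servers", SMB),   # backup server pulls from servers
}


def segment_of(ip):
    """Name of the segment an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None


def smb_allowed(src, dst, rules):
    """Policy check: SMB inside one segment is open (no filter there);
    SMB between segments needs an explicit allow rule."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return False
    if s == d:
        return True
    return (s, d, SMB) in rules


def blast_radius(start, hosts, rules):
    """Hosts a worm starting on `start` could reach over SMB, transitively:
    each newly infected host scans onward from its own segment."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for h in hosts:
            if h not in seen and smb_allowed(cur, h, rules):
                seen.add(h)
                queue.append(h)
    seen.discard(start)
    return sorted(seen, key=ipaddress.ip_address)


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        reach = blast_radius("10.10.0.11", HOSTS, rules)
        print(f"{label}: an infected office PC reaches {len(reach)} hosts: {reach}")
```

In the flat network an infected office PC reaches all six other hosts, including the backup server. With the segmented rules it still reaches the other office PCs and the servers (the shares it legitimately needs), but the backup and management segments stay out of reach because no rule lets SMB be initiated towards them.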

Nevertheless, IT Center's technical experts carried out an infrastructure audit and changed the network topology of the IT Center Cloud equipment.

After analysing WannaCry's behaviour, the engineers allocated a separate network segment behind a firewall, and the IT Center Cloud backup server was moved abroad. The firewall runs on a fundamentally different operating system from a fundamentally different manufacturer.

Using cross-platform solutions makes the cloud harder and more expensive to maintain and raises the qualification requirements for engineers, but it is also a serious obstacle for attackers.

We have no illusions about the quality of modern software. IT Center engineers have prepared a scenario for the case where a vulnerability exists through which a virus has already spread and is waiting for its hour to begin destructive actions.

The scenario describes a sequence of steps for the period when the operating system vendor has not yet released an official update. Its main component is a backup copy kept on several media of different kinds. This minimises customers' downtime and potential financial loss.
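The recommendation that a «backup to a USB flash drive» is not a backup, and the scenario's reliance on copies kept on several media of different kinds, can be turned into a check that an inventory of backup copies either passes or fails. The following Python script is an added example, not IT Center's scenario or code; the inventory entries are constructed, and the off-site, offline and restore-verification rules are assumptions added here about what a serious backup means in practice.

```python
from datetime import date

# Constructed backup inventories (assumptions for the example).
TODAY = date(2017, 5, 12)

USB_ONLY = [
    {"name": "usb-stick", "medium": "usb-flash", "offsite": False,
     "offline": False, "last_verified": date(2017, 3, 1)},
]

DIVERSE = [
    {"name": "nightly-disk", "medium": "disk-array", "offsite": False,
     "offline": False, "last_verified": date(2017, 5, 11)},
    {"name": "weekly-tape", "medium": "tape", "offsite": False,
     "offline": True, "last_verified": date(2017, 5, 8)},
    {"name": "remote-copy", "medium": "object-storage", "offsite": True,
     "offline": False, "last_verified": date(2017, 5, 11)},
]


def check_backup_set(copies, today, min_copies=2, min_media=2, max_age_days=7):
    """Return a list of policy violations (an empty list means acceptable).

    The copy-count and media-diversity rules encode the post's requirement
    of copies on several media of different kinds; the off-site, offline and
    verification-age rules are added assumptions.
    """
    problems = []
    if len(copies) < min_copies:
        problems.append(f"only {len(copies)} copy/copies, need {min_copies}")
    media = {c["medium"] for c in copies}
    if len(media) < min_media:
        problems.append(f"only {len(media)} media type(s), need {min_media}")
    if not any(c["offsite"] for c in copies):
        problems.append("no copy stored off site")
    if not any(c["offline"] for c in copies):
        # A worm encrypts everything it can reach over the network;
        # an offline copy is the one it cannot reach.
        problems.append("no offline copy (every copy is reachable from the network)")
    stale = [c["name"] for c in copies
             if (today - c["last_verified"]).days > max_age_days]
    if stale:
        problems.append("restore not verified within %d days: %s"
                        % (max_age_days, ", ".join(stale)))
    return problems


if __name__ == "__main__":
    for label, copies in (("usb only", USB_ONLY), ("diverse", DIVERSE)):
        print(label, "->", check_backup_set(copies, TODAY) or "OK")
```

The single USB stick fails every rule at once: one copy, one medium, nothing off site, nothing offline, and a restore last verified months ago. The diverse set passes because the tape copy is offline, the remote copy is off site, and each copy was verified within the week.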

Conclusions

In every old city built on the water there are special posts with notches and dates. The marks show the level the water reached in previous floods. For a while local residents build nothing below these marks, but the sense of danger gradually dulls, and we get a new historical record of the destructive power of the next flood. The same will happen with WannaCry if the «marks» are forgotten.

On the other hand, one should not become fanatical about minimising risks. The cost of preventive measures should not exceed the cost of losing the data. And administrators who are convinced that «a safe computer is a switched-off computer» should be cut off, even when they are only following a command. A computer is a work tool, not a nightstand.

© 2009–2017 IT Center
