Defending Computer Networks Against Attacks – Research Project

Part 1- Researching Network Attacks

1.WannaCry attack is one of the biggest ransomware attack that has happened in the recent past. A ransomware is a computer malware that prevents users from accessing their computers  or files until a ransom is paid. WannaCry ransomware works by encoding data on the victimized computer. As a computer worm, WannaCry spreads quickly through the computer networks and infects Windows computers. It then encrypts computer files that are saved on the hard drive and then tells the user that their files have been encoded and they should pay a ransom payment displayed on the screen by the worm in form of Bitcoin for the data to be decrypted back to its original state [1]. As such, WannaCry restricts access to your computer files or computer  network and makes threats  to erase  all your data within an allocated time  if you fail to pay the ransom [2]. In May 2017, which is the year the attack occurred, it infected the NHS as well as other organizations all over the world including governments in Russia, China, US and Europe [3].

2.WannaCry ransomware spreads through an exploit referred to as EternalBlue in old versions of Windows operating systems. Apparently, Eternal Blue was released by a group of hackers called Shadow Brokers just before the attack started propagating [4].  EternalBlue is an exposed NSA SMB protocol exploit in Microsoft Windows that propagates the malware in affected systems [5]. After infecting the first computer system, that ransomware spread very first through mail attachments, images, pdfs, links, message links and more as it had a mechanism to spread itself across the Internet automatically. Most of the computers running on unsupported and unpatched versions of Windows OS and servers were affected.  The WannaCry attack started on a Friday, 12 May 2017, with the initial infection likely to have started with a vulnerable and exposed SMB port. After just one day since the attack began, the malicious code had spread and infected over 200000 computers in more than over 150 countries across the globe [6].

3.The impacts of the WannaCry were huge in May 2017.  For example, the attack affected one of the largest telecommunications company Telefonica in Spanish.  It also affected computer systems in National Health Service, Britain resulting to the cancellation of hundreds of thousands of critical operations appointments. The WannaCry ransomware also infected thousands of Windows systems in about 150 countries. Some of the most affected countries included Ukraine, Russia, India and Taiwan [7].  WannaCry attack damages were estimated to range between several millions to billions of dollars across the globe. The impacts of the attack for organization is destructive and can lead to the pausing of all business operations. Since it encrypts computer systems and file systems, an affected organization cannot be able to access critical documents and computers. The effects include the fact that the organization would be stuck with system downtime, loss of customers and loss of revenue.  Some key steps that organizations can do to protect themselves against WannaCry attack is to ensure they use updated software’s and install security patches as soon as they are released [8]. Companies should also implement continuous network monitoring in order to inspect network susceptibilities and vulnerability. When caught ahead of time, such risks can easily be mitigated                                                                                                                             

4.Incident response planning

Incident response planning focus on ensuring that an incident is reported to the right party in the organization in the event of a disaster or tragedy. It includes incident assessment, evidence and response strategy [9]. An example includes reporting the matter to the company management as soon as an attack is detected so that the right response can be done to restore operations.

Disaster recovery planning

Disaster recovery planning involves mechanisms and procedures that need to be implemented in the event of a tragedy. In the event of a cyber-attack, the company should implement some mechanisms listed in their disaster recovery plan such as using backed up systems to ensure the business is restored to operative state in the least time possible. For example, starting backup implementation as soon as an attack has happened.

Business continuity planning

Refers to a strategy that ensures the business will be able to recover from a disaster such a cyber-attack or a natural disaster [10]. For instance, setting aside some cash to help restore the business to recover from  the attack.

5.There are several measures that I can take to protect my laptop or PC against a WannaCry attack including the following:

1. Installing software security patches for software’s
2. Keeping and maintaining   backup of all my critical  data and information

• Make sure to use  reliable security applications and enable system monitoring on my computer  

1. keeping all my  software applications  updated always
2. Properly handle all  emails and   attachments  and refrain from opening suspicious emails
3. Store  sensitive data privately and  independently together

• Report any  ransomware attack to local authorities in the event that it occurs                                                                                                              

6.The WannaCry ransomware   caught the world by surprise and taught us a few lessons.

1. It is important to train users on how to use IT and Internet technologies. According to research most security breaches attacks occur when employees click on infected attachments, malicious links, and compromised sites or fail prey to social engineering attacks.  Workforces are the weakest link to cyber security and it is important to train them against phishing and associated attacks[9] .
2. It is not okay to pay a ransom demanded through a ransom ware as it would only encourage more attackers to create more destructive network worms [10]

• It pays to use licensed and updated software’s

1. It is crucial to install software security patches once they have been released
2. Data backup and recovery measures are very important for modern businesses                                                                                                                  

7.If an organization in Australia is affected by an attack, the main point of contact affected is the business itself. Firstly, it can no longer be able to serve its clients and loses a lot of money. Not only will the organization suffer on its own, even the organization clients too as they can’t be able to access the company products and services and especially if it was an e-business. The attack would also affect the country as a whole as a lot of money can go into recovery processes. Business loss means the country will also lose in terms of taxes.

Memorandum

To: TKU Company

From: Security auditor 

Subject: Security concern for TKU Company Server

Date: May 25, 2018

Upon the successful monitoring of your company systems, it has been found out that the status of the systems security for TKU Company is wanting and very vulnerable. The server is in control of a contractor who was hired to perform an upgrade. The following risks have been observed:  

1. Lack of proper security policies and procedures of company systems
2. Lack of the implementation of current security procedures

• Company systems could have been infiltrated through a social engineering attack where the IT admin was manipulated into giving away the server password to a third party service provider

1. Sensitive server data and information is not encrypted
2. Lack of a strong password to secure company  server
3. IT admin may not understand the social engineering attack as they gave the password through the phone to an outside party, a contactor  

As such, the auditor recommends the following measures to be done immediately:

1. Secure server with a strong password
2. Train IT and other staff on the importance of security of business systems

• Perform in house server upgrades if possible

1. Train employees not to release any sensitive information such as login credentials to unauthorized persons as they could be hackers or attackers
2. Store data in encrypted format
3. Perform regular data backups

• Create and ensure all workers follow IT policies and procedures

References

[1] J. Fruhlinger, “What is WannaCry ransomware, how does it infect, and who was responsible?,” CSO Online , 27 September 2017. [Online]. Available: https://www.csoonline.com/article/3227906/ransomware/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html. [Accessed 22 May 2018].
[2] C. Mercer, “What is WannaCry? How does WannaCry ransomware work?,” www.techworld.com, 2017 May 2017. [Online]. Available: https://www.techworld.com/security/what-is-wannacry-how-does-wannacry-ransomware-work-3659064/. [Accessed 22 May 2018].
[3] J. Parsons, “What is ‘Wanna Decryptor’? A look at the ransomware that brought down the NHS,” Mirror.co.uk, 17 May 2017. [Online]. Available: https://www.mirror.co.uk/tech/what-wanna-decryptor-look-ransomware-10410236. [Accessed 22 May 2018].
[4] A. Russell, “How the WannaCry ransomware attack spread around the world,” Global News , 15 May 2017. [Online]. Available: https://globalnews.ca/news/3452129/how-the-wannacry-ransomware-attack-spread-around-the-world/. [Accessed 24 May 2018].
[5] R. Langde, “WannaCry Ransomware: A Detailed Analysis of the Attack,” Techspective, 26 September 2017. [Online]. Available: https://techspective.net/2017/09/26/wannacry-ransomware-detailed-analysis-attack/. [Accessed 24 May 2018].
[6] BBC News , “Cyber-attack: Europol says it was unprecedented in scale,” BBC , 13 May 2017. [Online]. Available: https://www.bbc.com/news/world-europe-39907965. [Accessed 25 May 2018].
[7] S. Larson, “New ransomware attack hits Russia and spreads around globe,” CNN , 25 October 2017. [Online]. Available: https://money.cnn.com/2017/10/24/technology/bad-rabbit-ransomware-attack/index.html. [Accessed 25 May 2018].
[8] D. Cameron, “Today’s Massive Ransomware Attack Was Mostly Preventable; Here’s How To Avoid It,” www.gizmodo.com, 13 May 2017. [Online]. Available: Today’s Massive Ransomware Attack Was Mostly Preventable; Here’s How To Avoid It. [Accessed 25 May 2018].
[9] D. Drinkwater, “10 steps for a successful incident response plan,” June 2017. [Online]. Available: https://www.csoonline.com/article/3203705/security/10-steps-for-a-successful-incident-response-plan.html. [Accessed 25 May 2018].
[10] Investopedia, “Business Continuity Planning,” 2018. [Online]. Available: https://www.investopedia.com/terms/b/business-continuity-planning.asp. [Accessed 25 May 2018].
[11] S. Tendulkar, “Lessons Learned From the WannaCry Ransomware Attack and Many Others That Preceded It,” Security Intelligence, 17 May 2017. [Online]. Available: https://securityintelligence.com/lessons-learned-from-the-wannacry-ransomware-attack-and-many-others-that-preceded-it/. [Accessed 24 May 2018].
[12] L. MAGID, “Lessons learned from the WannaCry ransomware attack,” The Mercury News , 18 May 2017. [Online]. Available: https://www.mercurynews.com/2017/05/18/lessons-learned-from-the-wannacry-ransomware-attack/. [Accessed 25 May 2018]