
[Closed] What do I ask our IT provider ? Ransomware attack

 womp
Posts: 0
Free Member
Topic starter
 

I have a company that has connections to the NHS and the nuclear industry.... I am ever so slightly concerned about the recent ransomware in the news (reputation is a major concern).

I want to ask our IT support consultants (we have a few) what control measures they have in place, but I'd like to be a little bit more specific so that, should we have issues that result in an insurance claim, I can refer back to my questions.

(Essentially, what should they be checking/doing?)

I'm aware of the other thread but got a little lost trying to pull out the facts (something about a patch?)

Cheers


 
Posted : 13/05/2017 6:19 am
Posts: 23296
Free Member
 

Remove all the keyboards/mice and you should be fine....


 
Posted : 13/05/2017 6:21 am
Posts: 3073
Full Member
 

If you don't know what questions to ask them how are you going to understand the answers?

Just phrase it in normal English like you've done on here. And be prepared to open your wallet. Or maybe you're looking for a blame monkey, just in case?


 
Posted : 13/05/2017 6:26 am
Posts: 17
Free Member
 

"Do we have proper backups?" would be the first one.


 
Posted : 13/05/2017 6:28 am
Posts: 4597
Free Member
 

I want to ask our IT support consultants (we have a few) what control measures they have in place

Depends what your contract with them states. They might have recommended that you use a certain antivirus/malware product on all your PCs, disabled USB ports, prevented those PCs from connecting to any non-approved network etc., and they might have suggested that you should implement some sort of filtering/gateways etc. on all incoming/outgoing internet connections to/from your network, etc. And that you should have robust backups of everything. But to do this sort of thing properly at scale costs serious money, so you may have said don't bother (which is what it sounds like has happened in the NHS).

In which case they may not have any control measures in place.


 
Posted : 13/05/2017 6:30 am
Posts: 43586
Full Member
 

Ask them when they last did a complete system rebuild from backups.


 
Posted : 13/05/2017 6:31 am
 beej
Posts: 4150
Full Member
 

Ask them about:
Patching policies for desktop and servers
Back-up policies
Incident response processes
Mail scanning and filtering
Desktop AV and firewalls
User education

Also ask - what else would they recommend and why?


 
Posted : 13/05/2017 6:31 am
Posts: 0
Free Member
 

Ensure you haven't got unsupported Windows products (NT / 2000 / 2003 /XP)

Ensure that 139/tcp, 445/tcp and 3389/tcp ports are blocked by firewalls (not exposed to the internet)

Install Microsoft patch MS17-010 (which has been available for a while)

Ensure your backups work.


 
Posted : 13/05/2017 6:37 am
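The four checks in the post above, turned into a per-host script. This is an added example, not code from the thread: it assumes an elevated PowerShell 3 or later session on Windows 7 / Server 2008 R2 or newer, and the KB list is my reading of the MS17-010 bulletin (security-only and monthly-rollup packages), so check it against the bulletin before trusting a "missing" result.

```powershell
# Added example: WannaCry-era exposure check for one Windows host.
# Assumptions: elevated PowerShell 3+, Windows 7 / 2008 R2 or later.
# The KB list below is my reading of the MS17-010 bulletin; verify it.
$Ms17010Kbs = @(
    'KB4012598',                           # XP / 2003 / Vista / 2008 / 8 out-of-band packages
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Host {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Anything below 6.1 (Windows 7 / 2008 R2) was already out of mainstream
    # support in May 2017; the fix for those only came as an out-of-band package.
    $unsupported = [version]$os.Version -lt [version]'6.1'

    # Hotfix check. Absence of a listed KB is not proof of exposure: later
    # cumulative updates supersede these, so treat "missing" as "go and verify".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched = @($Ms17010Kbs | Where-Object { $installed -contains $_ })

    # SMBv1 is what EternalBlue targets. Get-SmbServerConfiguration exists on
    # Windows 8 / 2012 and later; fall back to the registry on Windows 7.
    try {
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $val) -or ($val -ne 0)   # absent value means SMB1 is on
    }

    # Local listeners on the ports the post says to firewall. Listening locally
    # is normal on a file server; the question is whether the perimeter lets
    # the internet reach them, which only an external probe can answer.
    try {
        $listening = Get-NetTCPConnection -State Listen -ErrorAction Stop |
            Where-Object { $_.LocalPort -in 139, 445, 3389 } |
            Select-Object -ExpandProperty LocalPort -Unique
    } catch {
        # Windows 7 has no Get-NetTCPConnection; parse netstat instead.
        $listening = netstat -an | ForEach-Object {
            if ($_ -match '^\s*TCP\s+\S+:(139|445|3389)\s+\S+\s+LISTENING') { [int]$Matches[1] }
        } | Sort-Object -Unique
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption
        Unsupported    = $unsupported
        Ms17010Kbs     = $matched -join ','
        Smb1Enabled    = [bool]$smb1
        ListeningPorts = $listening -join ','
    }
}

# Run this part from *outside* the office network (a phone hotspot will do),
# against your public address, to confirm the firewall really blocks the ports.
function Test-ExternalExposure {
    param([Parameter(Mandatory)][string]$PublicIp)
    foreach ($port in 139, 445, 3389) {
        [pscustomobject]@{
            Target    = $PublicIp
            Port      = $port
            Reachable = Test-NetConnection -ComputerName $PublicIp -Port $port `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

Test-Ms17010Host | Format-List
# Test-ExternalExposure -PublicIp 203.0.113.10   # placeholder address from the documentation range
```

Run `Test-Ms17010Host` on every box your provider manages (it wraps cleanly in `Invoke-Command` for remoting) and keep the output: a dated list of hosts with `Smb1Enabled = False`, the KB present and nothing unexpected listening is exactly the kind of record an insurer will ask for. `Test-ExternalExposure` answers the separate question of whether 139/445/3389 are reachable from the internet at all, which a check on the host itself cannot.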
Posts: 0
Free Member
 

As an aside, make sure backups are not accessible from user machines except through software. A friend's company had all their key files backed up but an infected machine with full access to the backup share also had their backups encrypted by the malware too.


 
Posted : 13/05/2017 6:55 am
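A way to find the problem the post above describes before the malware does: list every share on the backup server that a broad user group can write to, at both the share and the NTFS layer. Added example, not from the post; it assumes an elevated session on the backup server running Windows 8 / Server 2012 or later (for the SmbShare module), and the share, domain and service-account names in the fix-up at the bottom are hypothetical placeholders.

```powershell
# Added example: which SMB shares on this box can ordinary users write to?
# Assumption: run elevated on the backup server, Windows 8 / 2012 or later.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    '*\Domain Users',
    '*\Domain Computers'
)

function Get-BroadlyWritableShare {
    param([string[]]$Principal = $BroadPrincipals)

    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
        # Share-level permissions are the ceiling on what a client can do...
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.AccessRight -notin 'Full', 'Change') { continue }
            if (-not ($Principal | Where-Object { $ace.AccountName -like $_ })) { continue }
            [pscustomobject]@{
                Share = $share.Name; Path = $share.Path; Layer = 'Share'
                Principal = $ace.AccountName; Right = $ace.AccessRight
            }
        }
        # ...but "Everyone / Full" on the share with tight NTFS permissions is
        # common, so the filesystem ACL is what decides whether malware running
        # as a user can overwrite the backups.
        foreach ($ace in (Get-Acl -Path $share.Path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.FileSystemRights.ToString() -notmatch 'Write|Modify|FullControl') { continue }
            if (-not ($Principal | Where-Object { $ace.IdentityReference.Value -like $_ })) { continue }
            [pscustomobject]@{
                Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights
            }
        }
    }
}

Get-BroadlyWritableShare | Format-Table -AutoSize

# Fix-up for a share called 'Backups' (hypothetical names): drop the broad grant
# and give write access only to the account the backup software runs as.
# Revoke-SmbShareAccess -Name 'Backups' -AccountName 'CONTOSO\Domain Users' -Force
# Grant-SmbShareAccess  -Name 'Backups' -AccountName 'CONTOSO\svc-backup' -AccessRight Change -Force
```

Any row this returns for a backup location is the scenario in the post: a workstation that can write there can encrypt the backups too. The durable fix is for the backup software's own service account to be the only thing with write access, with users able at most to read, and for at least one copy to be offline or on storage the network cannot reach at all.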
Posts: 0
Free Member
 

To add to the above.
Ask them for regular backup and restore/DR recovery test reports.
Ask them for a copy of the patch management policy and a monthly report of compliance. If they want you to hold back on patching 'just in case' I'd be questioning their methodology. MS are very good at pulling fast-fail patches these days, so there's no excuse with modern patch management solutions to run months behind. A well managed and automated test, test, release cycle should ensure you're patched in the same month as release with minimal impact.
It's amazing how many companies don't have agreed maintenance windows. Maintenance doesn't need to mean downtime.


 
Posted : 13/05/2017 6:56 am
Posts: 0
Free Member
 

As someone who runs an IT security business that works in the NHS and the private sector (we only have one client affected), the failure of the IT security is simply down to under-investment: few run vulnerability scanning, never test their ability to do disaster recovery, don't have incident response plans, patch management, ha!, won't buy ransomware protection like Sophos Intercept X, won't invest in SIEM. Also I don't expect the phone to ring off the hook on Monday morning with clients wanting to invest. We should also remember that this is a breach of the Data Protection Act and the ICO will be involved.


 
Posted : 13/05/2017 7:50 am
Posts: 1369
Free Member
 

Adding to the above: also ask them if they can do some training on security for your users. Tech fixes are one thing, and all of the above are excellent and necessary, but a little education on what not to do would also be helpful.

I'm talking about the basics like phishing avoidance, that kind of thing. Much derided, but should be part of an overall strategy.

Here's the book you need 🙂



 
Posted : 13/05/2017 8:20 am
Posts: 251
Full Member
 

Re vulnerability scanning - what's the cost of that for a small business? We looked at it for an app and it was quoted as £2k. That turned out to be the cost of the analysis of a £20k pen test we'd also have to pay for....


 
Posted : 13/05/2017 9:05 am
Posts: 0
Free Member
 

In my experience ransomware is very difficult to protect against in most businesses. You can have multi-layer anti-spam and anti-virus but it will still get through in some cases. User training, limiting access to network shares and having solid backups are the main ways of limiting damage. Sophos and Datto both claim to have solutions to prevent infection.

We implemented protection measures but had to roll them back as they prohibited business. Again, in my experience, it is spread via hyperlinks in emails, Office docs with macros, JavaScript and zip files. In all cases of infection that I've seen, it's been user initiated.

Ask your IT provider what measures are in place to guard you against ransomware-type infections and what improvements, if any, can be made. Also, do you have specific insurance against cyber attacks?


 
Posted : 13/05/2017 11:00 am
Posts: 77699
Free Member
 

Has MS17-010 been patched throughout the estate? What's our patching policy?

Do we have offline backups of all data? Has disaster recovery been tested in the last 12 months? What's the retention policy (Google "grandfather father son")?

Are we still using XP / 2003 (or heaven forbid, older)?

Have you removed execute rights from temp directories or are otherwise preventing users from running any old crap (eg, AppLocker, blocking unsigned code)?

Is desktop AV in place and up to date?

Is perimeter AV (eg, email filtering) in place and up to date?


 
Posted : 13/05/2017 11:29 am
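The "stop users running any old crap" question in the post above, made concrete: an AppLocker allow-list that only permits executables and scripts from Program Files and Windows, tested in audit mode against a file dropped in a user's %TEMP%. This is an added example, not from the thread; it assumes an elevated session on a Windows edition that ships the AppLocker cmdlets (Enterprise or Server), and the policy path and the `invoice.exe` test file are mine.

```powershell
# Added example: AppLocker baseline that blocks execution from user-writable
# locations, verified with Test-AppLockerPolicy before it is ever enforced.
# Assumptions: elevated session, AppLocker-capable edition; paths are mine.
$policyPath = Join-Path $env:TEMP 'applocker-baseline.xml'

# Allow-listing: once a rule collection has any rules, anything it does not
# match is denied, so %TEMP%, Downloads and the Desktop are blocked without
# being named. Explicit Deny beats Allow, which is how the Windows\Temp rule
# closes the best-known hole in "%WINDIR%\*" (user-writable subfolders).
# Start in AuditOnly; switch to Enabled once the audit log has gone quiet.
$collection = @'
    <FilePathRule Id="{0}" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{1}" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{2}" Name="Windows Temp (user-writable)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="{3}" Name="Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
'@

function New-RuleCollection([string]$Type) {
    $ids = 1..4 | ForEach-Object { [guid]::NewGuid().ToString() }   # every rule needs a unique Id
    "  <RuleCollection Type=`"$Type`" EnforcementMode=`"AuditOnly`">`n" +
    ($collection -f $ids) +
    "  </RuleCollection>`n"
}

# "Exe" covers .exe/.com; "Script" covers .ps1/.bat/.cmd/.vbs/.js, i.e. the
# JavaScript droppers mentioned earlier in the thread. Office macros are not
# an AppLocker concern; they need the Office macro group policy instead.
$policyXml = "<AppLockerPolicy Version=`"1`">`n" +
             (New-RuleCollection 'Exe') +
             (New-RuleCollection 'Script') +
             "</AppLockerPolicy>`n"
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Simulate a mail attachment: a signed Windows binary copied into %TEMP%.
$sample = Join-Path $env:TEMP 'invoice.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $sample -Force

Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path $sample, "$env:WINDIR\System32\notepad.exe" |
    Select-Object FilePath, PolicyDecision, MatchingRule

# To enforce: the Application Identity service must be running, then merge the
# policy into local policy (or push it via GPO). Watch event IDs 8003 (audit:
# would have blocked) and 8004 (blocked) in the AppLocker "EXE and DLL" log
# for a few weeks before changing AuditOnly to Enabled.
# sc.exe config appidsvc start= auto; Start-Service -Name AppIDSvc
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
# Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20
```

`Test-AppLockerPolicy` evaluates the rules without installing them, so you can show the provider the decision for the %TEMP% copy alongside the decision for the same binary in System32 and argue from that. The audit-first sequence matters: a path-based allow-list that is enforced on day one will break every line-of-business tool that runs from a user profile, which is the "prohibited business" problem a poster above hit, and the 8003 events are how you find those tools before they are blocked rather than after.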