The May 12th WannaCry ransomware attack proves the importance of:
a) applying Microsoft Critical Security updates quickly
b) not having deprecated and unsupported OSes
c) the importance to have a good backup and DR plan in place for any Mission Critical systems.
Here are the Microsoft Security Update considerations:
1. Do not assume MS WSUS, Microsoft automatic updates, or a third party patching tool never encounter an error. The most common are powered off devices, devices that have been off the network a long time or are on the network too brief for an update, or devices that encounter a patch requirement for a variety of reasons.
2. You must check your patching product for errors and resolve those errors.
3. Maintain a list of errors/exclusions you patch manually and see if there is a pattern.
Off-network deprecated and unsupported OSes used still need attention:
1. Every aspect of TAMU and AgriLIfe IT Security recommend you update older OSes even on non-networked XPs.
2. If an unsupported OS such as XP must be utilized as a directly attached system controller and/or data acquisition device then you should password-protect the BIOS and disable the NIC(s) and any external connection not in use (WiFi, Bluetooth – force these devices to not NOT use Bluetooth keyboards or mice, unused USB ports). In this manner an XP cannot –even for a short time – be an attack vector by mistake.
Finally, a DR plan is only as good as the testing of it. I have never tested a DR plan and not encountered something unexpected. A backup is only as good as the regular monitoring and at least annual testing of a restoration and reliable current backups are a better friend than bitcoin in a successful ransomware attack.
MICROSOFT MAY SECURITY UPDATES
Please validate the March 2017 Microsoft Security Update MS-17-010 that was emphasized in the March edition of this blog is applied to all Windows OS versions.
For May, Adobe also released patches but no new ones on the “All Platforms”.
I will point out MS published a WINDOWS Defender/Malware Engine “Advisory” on May 8th and then an out-of-band fix by midnight for Remote Code Execution. Hopefully everyone is running SOPHOS! If running a MS security product using the MS malware engine see this: https://technet.microsoft.com/en-us/library/security/4022344
For the May MICROSOFT Security update those still not using an auto-patching tool I point you to the AgriLife Security blog from April 2017 if you are still having trouble navigating the new Microsoft Security Tech Center approach.
MICROSOFT May 2017 Patch Summary
• Windows 7: 26 vulnerabilities of which 4 are rated critical, and 22 important
• Windows 8.1: 22 vulnerabilities of which 4 are rated critical, and the remaining 18 important
• Windows RT 8.1: 20 vulnerabilities of which 4 are rated critical, and 16 important
• Windows 10 version 1703: 22 vulnerabilities of which four are rated critical, and 16 important.
Windows Server products:
• Windows Server 2008: 27 vulnerabilities, of which 4 are rated critical, and 23 important
• Windows Server 2008 R2: 27 vulnerabilities, of which 4 are rated critical, and 23 important
• Windows Server 2012 and 2012 R2: 24 vulnerabilities, of which 4 are rated critical and 20 important
• Windows Server 2016: 23 vulnerabilities of which 4 are rated critical, and 19 important
Other Microsoft Products
• Internet Explorer 11: 10 vulnerabilities, 2 critical, 6 important, 2 moderate
• Microsoft Edge: 28 vulnerabilities, 16 critical, the rest important
• Microsoft Office: varies depending on version.
Security recommends applying all Critical and Important fixes.
A minority of AgriLIfe areas run SAMBA and if you have eliminated MS SMB V1 (CIFS) as recommended then you should have no concerns with WannaCry here. SAMBA is currently distributing 4.6.3 and really it defaulted to newer versions of SMB after the 3.6 release many years ago.
However, when it comes to ransomware sysadmins often forget that a Windows user with a share could encrypt files on a LINUX /home directory. Depending on the distro of Linux it could be a new version but very confusing to users. Multiple researchers have proven this.
Once more backups are always important … as is SAMBA maintenance. Below is the link to SAMBA’s Security Updates.