Three things IT managers must do now
Gartner, the world’s leading information technology research and advisory company, has issued what it considers to be three MUST-DO tasks for IT managers in the wake of the recent WannaCry ransomware attack.
Malware continues to spread: according to European authorities, where the impact appears to have been felt most, the WannaCry attack has affected more than 10,000 organizations in 150 countries.
Gartner reported that while measures have been taken to slow the spread, new variations have already surfaced.
The firm said that RIGHT NOW you must apply the MS17-010 patch, which closes the SMBv1 flaw that WannaCry uses to spread. A system without it, with TCP port 445 reachable from an infected host, is exposed to this ransomware and to any later variant that reuses the same exploit.
It also notes three things that IT managers can do now to guard against future attacks.
Gartner said that while it’s tempting to point fingers at others, one of the key stages of incident response is to focus on root causes. Hindsight, it said, is always 20/20, and picking apart why systems were not migrated does not dig you and your enterprise out of the mire right now.
“Windows XP, a system which has been hit hard by WannaCry, can be embedded into key systems as part of the control package and the firmware may not be accessible, nor under your control.”
It added that where embedded systems exist (such as POS terminals, medical imaging equipment, telecommunications, and industrial output systems such as smart card personalization and document production), make sure your vendor is able to provide an upgrade path as a critical priority.
“This should apply even if you have other embedded operating systems, such as Linux or other Unix variants, as it is safe to assume that all complex software is vulnerable to malware.”
Isolate vulnerable systems
Jonathan Care, Research Director at Gartner, said: “There will be systems which, although they haven’t yet been affected by malware, are still vulnerable. It’s important to realize that vulnerable systems are often the ones on which we rely the most, and so a useful temporary fix is to limit the network connectivity.”
He added that during a crisis of this nature it is better to be cautious, even if business processes are delayed: a delay is preferable to total disruption and non-linear data loss.
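The two immediate tasks above, confirming that a Windows host has the MS17-010 fix and temporarily cutting off TCP 445 where it does not, can be triaged from an elevated PowerShell session. The following is an added example, not Gartner’s guidance or code from the article. It assumes a Windows 8.1/Server 2012 R2 or later host (the Smb, NetTCPIP and NetSecurity cmdlets it uses are not present on Windows 7/XP), and the KB list is limited to the March 2017 packages for Windows 7/2008 R2, 8.1/2012 R2 and Server 2012; later cumulative updates supersede those KBs, so their absence means “verify against Microsoft’s guidance”, not “vulnerable”.

```powershell
# Added example (not from the article or Gartner). Run in an elevated session.
# Assumption: KB list covers Windows 7/2008 R2, 8.1/2012 R2 and Server 2012 only,
# and later cumulative updates supersede these packages.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'    # Windows Server 2012
)

# 1. Is one of the March 2017 MS17-010 packages installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    "No MS17-010 package found: check for a later cumulative update before treating this host as unpatched"
}

# 2. Is SMBv1 still enabled? The exploit only works against SMBv1.
$smb = Get-SmbServerConfiguration
"SMB1 protocol enabled: $($smb.EnableSMB1Protocol)"

# 3. Is TCP 445 listening, and which enabled inbound firewall rules allow it?
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile

# 4. Temporary isolation for a host that cannot be patched yet: block inbound 445.
# This stops file sharing TO this host; remove the rule once the patch is applied.
New-NetFirewallRule -DisplayName 'Temp block inbound TCP 445 (MS17-010 exposure)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any

# Optional, if no SMBv1-only clients depend on this host: turn SMBv1 off server-side.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Step 4 only protects the host from inbound exploitation; an already-infected machine still needs outbound 445 blocked at the network edge or switch, which is the “limit the network connectivity” Care describes.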
Gartner’s adaptive security architecture emphasizes the need for detection. Make sure your malware detection is updated. Make sure your intrusion detection systems are operating and examining traffic. Ensure that UEBA (user and entity behaviour analytics), NTA (network traffic analysis) and SIEM systems are flagging unusual behaviour, that those alerts are being triaged, and that incident handlers are responsive. Bear in mind that additional resources may be required to handle the volume of incidents.
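One concrete piece of the “unusual behaviour” an NTA or SIEM rule should flag during an SMB worm outbreak is a single host opening TCP 445 to many different peers in a short window, which is how WannaCry propagates. The script below is an added example, not part of the article or Gartner’s material: it runs that heuristic over Windows Firewall log lines (pfirewall.log format). The sample log is constructed inline, and the window and target-count thresholds are assumptions to be tuned to your subnet sizes; in practice, feed it the real firewall log or a flow export.

```powershell
# Added example (not from the article or Gartner): flag hosts sweeping TCP 445
# across many peers, the propagation pattern of an SMB worm such as WannaCry.

function Find-Smb445Sweeps {
    param(
        [string[]] $LogLines,
        [int] $DistinctTargetThreshold = 10,   # assumption: tune per environment
        [int] $WindowSeconds = 60              # assumption: bucket size
    )
    # Parse pfirewall.log fields: date time action protocol src-ip dst-ip src-port dst-port ...
    $events = foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    # Per source, bucket events into fixed windows and count distinct destinations.
    $events | Group-Object Src | ForEach-Object {
        $src = $_.Name
        $_.Group |
            Group-Object { [math]::Floor(($_.Time - [datetime]'1970-01-01').TotalSeconds / $WindowSeconds) } |
            ForEach-Object {
                $targets = @($_.Group.Dst | Sort-Object -Unique)
                if ($targets.Count -ge $DistinctTargetThreshold) {
                    [pscustomobject]@{
                        Source          = $src
                        WindowStart     = ($_.Group | Sort-Object Time)[0].Time
                        DistinctTargets = $targets.Count
                        Verdict         = 'possible SMB worm propagation: isolate and image'
                    }
                }
            }
    }
}

# Constructed sample log (not real traffic).
$lines = @('#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path')
# Worm-like host: 10.0.4.17 tries 30 distinct peers on 445 within one second.
1..30 | ForEach-Object {
    $lines += "2017-05-12 11:02:01 DROP TCP 10.0.4.17 10.0.4.$_ 49$($_ + 200) 445 52 S 0 0 0 - - - RECEIVE"
}
# Normal client: 10.0.4.9 talks repeatedly to one file server, which must not be flagged.
1..30 | ForEach-Object {
    $lines += "2017-05-12 11:02:0$($_ % 10) ALLOW TCP 10.0.4.9 10.0.4.50 51$($_ + 100) 445 52 S 0 0 0 - - - RECEIVE"
}

# Expected: one row for 10.0.4.17 with 30 distinct targets; nothing for 10.0.4.9.
Find-Smb445Sweeps -LogLines $lines | Format-Table -AutoSize
```

Counting distinct destinations rather than raw connection attempts is what separates a worm from a busy client: the file-server client above generates as many 445 connections as the worm, but to one host.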
After the crisis, lessons will be learned. There will be time to revisit vulnerability management (and you must), and to look again not just at protective measures but at key detection capabilities such as UEBA, NTA and advanced SIEM.
There will be time to do some additional threat modelling, and consider carefully what risks you can afford to tolerate – it’s less than you think, according to Care.
Cloud security, he said, may come back into the risk management discussion, but right now you must patch, isolate and stay vigilant.