AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Time for a network health check: how misconfigurations let ransomware in

by

2016 saw ransomware reach near-epidemic proportions. Attacks typically started with a well-crafted phishing email carrying a malicious downloader, and organizations struggled to defend their networks against the threat, leading to many high-profile incidents in which businesses either paid the ransom or lost valuable data.

As we have previously blogged, there are a range of measures organizations can take to protect themselves against ransomware. However, these are only effective if organizations get their security basics right. They can be undone if, for example, a firewall is misconfigured, as a hospital trust in the UK recently discovered.

Last October, Northern Lincolnshire and Goole NHS Foundation Trust, a hospital trust in the UK, fell victim to a ransomware attack involving the Globe2 variant. Fortunately, IT staff were able to identify and respond to the attack rapidly. They switched off all potentially encrypted servers, isolated the points of infection and performed various cleansing procedures before turning the servers back on. Working with cybersecurity consultants, they were able to confirm that there was ‘no evidence that any data [had] been viewed, stolen or removed’.

Of course, that’s not to say that the ransomware attack had no impact on the trust – the hospital still had to cancel over 2,800 patient appointments. This isn’t the kind of disruption that any organization can withstand on a regular basis – let alone those whose day-to-day operations are quite literally a matter of life and death.

Being held to ransom by a misconfiguration

In the aftermath, the trust commissioned a full forensic investigation, and in a report published last week the consultants identified the source of the original vulnerability: not malicious or out-of-date code, nor careful social engineering on the part of cybercriminals, but the misconfiguration of a firewall.

A simple misconfiguration leading to so much organizational damage may seem surprising to some, but it is an issue my colleague Joe DiPietro has previously blogged about: a misplaced ‘n’ can genuinely be one of the biggest security threats facing your business. Typing ‘neq’ instead of ‘eq’ in an access-list port match, for example, permits traffic to every port except the single one the rule was meant to allow.

Misconfigurations also arise from incomplete processes. Firewalls are often set up initially with broad any-source/any-destination rules, which are meant to be tightened as IT teams work through the configuration based on business and security needs. It is all too easy for that process to be left unfinished, because of time pressure, because other issues take over, or because connectivity needs change over time. The result is a perpetually exposed network.

Don’t be a hostage to mis-fortune

The answer is to automate security policy management, which slashes the risk of accidental errors and incomplete processes. Every time a firewall rule is added or changed, an automation tool assesses whether the change introduces new risk or is overly permissive before it is pushed. This removes guesswork, greatly reduces human error, and self-documents the change process to provide a clear audit trail, accountability and evidence for compliance.
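To make the three points above concrete (the ‘neq’ typo, the any/any rule that never got tightened, and a pre-change check that flags both), here is a small rule linter written as an added example for this post. It is not AlgoSec's code or part of any product; it assumes Cisco IOS-style numbered extended ACL syntax, and the sample rules in it are constructed for illustration.

```python
"""Lint Cisco IOS-style extended ACL lines for the two misconfigurations the
post describes: a 'neq' typed where 'eq' was meant (opening every port but
one) and broad any/any permit rules left over from initial setup.

Added example for this post; it is not AlgoSec's code.  The rule syntax is
the standard IOS numbered extended ACL form and the sample rules below are
constructed for illustration."""

import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# access-list <n> permit|deny <proto> <src> <dst> [eq|neq|gt|lt <port>] [log]
# <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.  'range' and
# object-groups are deliberately not handled; unrecognised lines raise.
ACL_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+(?P<op>eq|neq|gt|lt)\s+(?P<port>\S+))?"
    r"(?:\s+log)?\s*$"
)


@dataclass(frozen=True)
class Rule:
    number: str
    action: str
    proto: str
    src: str
    dst: str
    op: Optional[str]
    port: Optional[str]
    text: str


def parse_rule(line: str) -> Rule:
    """Parse one ACL line into its fields; whitespace is normalised."""
    text = " ".join(line.split())
    m = ACL_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ACL line: {line!r}")
    return Rule(m["num"], m["action"], m["proto"], m["src"], m["dst"],
                m["op"], m["port"], text)


def _rules(lines: List[str]) -> Iterator[Rule]:
    """Yield parsed rules, skipping blank lines and IOS '!' comments."""
    for line in lines:
        if line.strip() and not line.lstrip().startswith("!"):
            yield parse_rule(line)


def lint_rule(rule: Rule) -> List[str]:
    """Return one finding per way this rule is wider than it probably should
    be.  Each finding starts with a bracketed tag so callers can match on it."""
    findings: List[str] = []
    if rule.action != "permit":
        return findings  # a deny cannot widen exposure
    if rule.op == "neq":
        findings.append(f"[NEQ] 'neq {rule.port}' permits every {rule.proto} port "
                        f"except {rule.port}; a typo for 'eq {rule.port}'?")
    if rule.src == "any" and rule.dst == "any":
        findings.append("[ANY_ANY] permit from any to any: initial broad rule "
                        "never tightened")
    elif rule.proto in ("tcp", "udp") and rule.op is None:
        findings.append(f"[NO_PORT] {rule.proto} permit with no port restriction")
    return findings


def lint_acl(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Lint every rule; return only the rules that produced findings."""
    report = []
    for rule in _rules(lines):
        findings = lint_rule(rule)
        if findings:
            report.append((rule.text, findings))
    return report


def review_change(existing: List[str], proposed: str) -> List[str]:
    """Gate a proposed rule before it is pushed: lint it, and flag it if an
    identical rule is already present (the process is being repeated, not
    finished).  An empty list means the change passed."""
    new = parse_rule(proposed)
    findings = lint_rule(new)
    if any(r.text == new.text for r in _rules(existing)):
        findings.append("[DUPLICATE] identical rule already in the ACL")
    return findings


# Constructed sample: the second line is the 'neq' typo, the third the
# any/any rule that was meant to be tightened later.
SAMPLE_ACL = [
    "access-list 101 permit tcp any host 10.0.0.5 eq 443",
    "access-list 101 permit tcp any host 10.0.0.6 neq 3389",
    "access-list 101 permit ip any any",
    "access-list 101 deny ip any any log",
]

if __name__ == "__main__":
    for text, findings in lint_acl(SAMPLE_ACL):
        print(text)
        for f in findings:
            print("   ", f)
    print(review_change(SAMPLE_ACL, "access-list 101 permit tcp any host 10.0.0.7 neq 22"))
```

The point of `review_change` is that it runs before the rule reaches the device, which is where a change-management workflow earns its keep: the ‘neq’ line and the any/any line are both caught at review time, and the findings list is itself the audit record of why a change was accepted or rejected.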

So head over to Joe’s blog to familiarize yourself with the six stages of the network security policy change management process and how each can be automated. Better still, you can catch Joe in person next week at RSA: visit him at AlgoSec’s booth 1133 and talk with him about how automation can dramatically reduce your risk of falling victim to an attack, or of an unexpected outage.
