Tag Archives: WannaCry

WannaCry, Rumsfeld and Production Firewalls

21 May 2017

Today, Firewalls are the preferred means to separate a production network from a company’s intranet. Firewall configuration is performed by the Rumsfeld Conundrum: Block everything you don’t know!

Rumsfeld Conundrum for firewall configuration

Rumsfeld Conundrum for firewall configuration

For production management and IT and OT operations, we need some communication between systems in the company intranet and the production network. These required (known) connections are defined in the firewall rule base. The firewall allows communication between these known systems, and blocks any other connection attempts.

As long as the SMB V1.0 protocol is not used for communication across the firewall, the Rumsfeld Conundrum works pretty well.

Unfortunately, the SMB protocol is frequently used to implement required connections between Windows-based computers in the company intranet and the production network, e.g. for the exchange of manufacturing orders. With this, production systems become vulnerable to WannaCry although a firewall is in place because the firewall does not block communication across required connections. In the worst case, if WannaCry spreads across required connections to systems in the production network, this may result in loss of production.

Immediate action is required. The firewall rule base is a good starting point to determine how big the problem is, and to identify the systems that must be immediately patched or otherwise secured, if patching is not possible due to technical or regulatory restrictions.

Firewalls are an indispensable part of a defense in depth concept, but plain packet filtering is no effective means against attacks like WannaCry.

Have a good week, and take care of you production networks.

You may Wanna Cry on Monday morning if your Anti-Phishing Training was no success

14 May 2017

In the past days WannaCry was making the headlines. I found a really well written post on Binary Defense which explains the basics of the initial infection as well as the propagation method.

WannaCry does not use any heavy sophistication methods for delivery. It first uses a password protected zip file, which has a document inside.

Packaged this way anti-malware solutions cannot scan the attachment because they can’t enter the password for opening the attachment, although it is stated in the email body. Even APT (Advanced Persistent Threat) solutions may fail if they are not properly configured.

If your Anti-Phishing Awareness Training was successful, the chance of an infection is small.

In addition, it makes sense to block incoming mails with zip files, which cannot be inspected by the anti-malware solution. Don’t deliver them to the users junk mail folder, block them on the mail gateway.

This gives you the time to implement patch MS17-010, if you have not yet done so. Or isolate the affected systems from the network, if patching is not possible, e.g. in GxP controlled environments.

Take care!