Cavirin Blog

Don’t Wanna Cry? Cavirin to the Rescue!

By now, anyone with any connection to security is aware of the WannaCry ransomware attack, and it says something that its Wikipedia entry already lists it among major incidents alongside Anthem, Sony Pictures, and the US election. As a quick review, the attack, leveraging the leaked NSA tool EternalBlue, took advantage of vulnerabilities in Microsoft's SMB implementation. The company issued a critical security bulletin, MS17-010 (CVE-2017-0144), on March 14, 2017, along with a patch for newer versions of the OS. Note that this was a 1-day exploit, not a zero-day, since the vulnerability had already been announced and patched. But older versions of the OS remained vulnerable, not every organization keeps up with patches, and in some countries the high percentage of bootleg software effectively cut users off from patching. Nonetheless, Cavirin can play an integral role in helping to identify and remediate these types of vulnerabilities.

First off, Cavirin's partner SecPod included the notification in its March 16, 2017 SCAP Feed Release, two days after the Microsoft announcement. The feed is automatically included in Cavirin's Patches & Vulnerabilities policy pack, which continually updates the live deployment. Based on this notification, the customer can quickly scan their environment and identify vulnerable resources. They can then patch their workloads manually, or use an automated mechanism already in place (e.g., Chef, Ansible) to pull down the Microsoft patch and update their systems.

Another, parallel approach is to close off any attack vectors at the network layer. Cavirin's Network Security Policy Pack implements over 6200 rules to protect services running on a broad range of ports. It continually monitors the resources that have open communication ports for east-west traffic (such as MongoDB or SQL Server), and checks for services that have accidentally or maliciously opened north-south ports to the outside world. An example would be the SMB ports over TCP (NetBIOS session port 139 and direct SMB port 445), which should be closed to incoming traffic from the Internet. The pack quickly identifies these rogue ports and immediately notifies IT that there is a risk; if desired, scripts may be set up for automatic remediation, given the speed at which an attack can occur versus user response time.
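The kind of north-south check described above, as an added illustration that is not Cavirin's code: it audits a list of inbound firewall or security-group rules (a constructed format with `protocol`, `from_port`, `to_port` and `source` fields, assumed here) and reports every rule that lets the SMB ports 139 or 445 be reached from outside the internal address ranges.

```python
import ipaddress

# TCP ports the post says must be closed to inbound Internet traffic.
SMB_PORTS = (139, 445)

# Address space treated as "inside" (east-west). Anything else is Internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_internet_source(cidr):
    """True unless the source CIDR lies entirely inside one internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return True  # assumption: IPv6 sources are not allow-listed in this audit
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)

def exposed_smb_ports(rule):
    """Return the SMB ports this single inbound rule opens to the Internet."""
    proto = str(rule["protocol"]).lower()
    if proto not in ("tcp", "all", "-1"):   # "-1"/"all" = any protocol
        return []
    if not is_internet_source(rule["source"]):
        return []
    return [p for p in SMB_PORTS if rule["from_port"] <= p <= rule["to_port"]]

def audit(rules):
    """Map rule id -> exposed SMB ports, for the rules that need remediation."""
    findings = {}
    for rule in rules:
        ports = exposed_smb_ports(rule)
        if ports:
            findings[rule["id"]] = ports
    return findings

# Constructed sample inbound rules; not taken from any real deployment.
SAMPLE_RULES = [
    {"id": "sg-web-80",   "protocol": "tcp", "from_port": 80,  "to_port": 80,    "source": "0.0.0.0/0"},
    {"id": "sg-smb-lan",  "protocol": "tcp", "from_port": 445, "to_port": 445,   "source": "10.0.0.0/8"},
    {"id": "sg-smb-open", "protocol": "tcp", "from_port": 445, "to_port": 445,   "source": "0.0.0.0/0"},
    {"id": "sg-any-any",  "protocol": "-1",  "from_port": 0,   "to_port": 65535, "source": "0.0.0.0/0"},
    {"id": "sg-nb-vpn",   "protocol": "tcp", "from_port": 137, "to_port": 139,   "source": "203.0.113.0/24"},
]

if __name__ == "__main__":
    for rule_id, ports in audit(SAMPLE_RULES).items():
        print(f"{rule_id}: SMB port(s) {ports} reachable from the Internet; close this rule")
```

Note that an "allow all" rule is flagged for both ports, and a rule scoped to an internal CIDR is not, which is the distinction between acceptable east-west exposure and a rogue north-south opening.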

Note that the two approaches are very complementary to those offered by legacy vulnerability management vendors, and in a world where hacker tools cost less than a good dinner, one cannot have too many layers of security.


Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.