Don't make me cry: Vol. 1

[or what the IT guys decided to tell you]

Dear friends, after a long time, we are back with an article. How else, if not with our opinion on the hottest topic of these days, and we are not just referring to technology. Obviously we will analyze, but in a broader context, what the media has called the global cyber attack. Or, in short, WannaCry. This is the first article in a longer series. We will try to decrypt as much information as possible to give a better picture of the current context, but especially the future one. The information will be slightly technical in places, but by the end of the series we want to raise the general level of understanding of modern security approaches.


A short clarification from the author (Silviu): I am not an expert or certified in networking or security. In my professional evolution I discovered the beauty of this part of technology quite late, unfortunately. However, for over 3 years, I have been extremely passionate and I have been lucky enough to be able to learn quite a lot. While I am here, I would like to nominate the people who have influenced me, real and virtual, and made me understand information technology from a holistic perspective. In order of the numbers on the shirt: ES, AB and CV. Thank you! We'll be talking more and more about virtual reality and artificial intelligence and how software is changing the world. However, without understanding the entire ecosystem that applications run on, it's difficult to select the right solutions that support the company's vision (I just described a good part of what I do day to day in the office).

For various reasons, some identifiable in the text below, we waited for the shock and horror messages to pass: the global cyber attack, the 7 ways you can protect yourself, which is the most dangerous…, the most affected country…, the biggest threat…, the unprecedented attack…, the real-time map and other breaking-news style headlines. Many minutes were also allocated on TV (so I heard). At least they dropped the "click here" message for whatever it was. Probably the fear of data encryption inhibited the creativity of the journalists, post authors and specialists.
We have bad news and I think it's good to say it from the beginning. The vulnerabilities used in the WannaCry attack (exploit), the distribution method (worm) and the direct monetization (ransomware) are not new. The democratization of malicious code, the scalability brought by the penetration of cloud technologies and the refinement of attack vectors are part of our everyday world. Among other things, we sell, install and operate security solutions. In recent months, since we have been following the page that Check Point, one of the best security solution manufacturers, dedicates to consolidating information on cyber attacks, we have not seen a single day with fewer than 10,000,000 (ten million) attacks. Yesterday there were 11,641,175 attacks discovered. In reality, there were more. Two weeks ago the numbers were about the same. Details below:

[Image: world map of daily cyber attacks]

Last Saturday, after the media avalanche began, while we were at the office, we were tempted to launch a proactive communication campaign. We were not surprised by the attack. As I wrote last year, the code comes from the arsenal of TAO (details in the next volume). While writing the document we analyzed the “new” vector from a technical perspective and decided to relax. It is an attack based on EternalBlue (details in future articles). Already, on April 21st, tens of thousands of computers were infected. Just a week after the publication of the code by the Shadow Brokers (April 14th). Last Friday was just a refinement.
In a company with a decent approach to security (read: any critical packet must pass through at least two firewalls), the infection mechanism could not get past the perimeter protections (the firewall solution located between the internet and the local network) or the protections located between the protected internal segments (the virtual networks that are analyzed by an internal firewall). IPS (intrusion prevention system) protections, but especially Threat Extraction and Threat Emulation (sandboxing) protections, are effective against this type of attack. If the Check Point SandBlast Zero-Day Protection solution is also used, the threats are greatly reduced, especially in the case of unknown malicious code. The real-time dance of "I know that you know that I know" between the security solution and the attack vector, which is how malicious code manifests itself, is spectacular through the creativity and intelligence of the teams of programmers involved. Especially when they went to the same school. Sometimes it's like watching Mr. Robot directly from the film set. That is the advantage of having colleagues certified as SandBlast Administrator or Security Expert by Check Point Software Technologies. Or young and restless colleagues (read: with a hacker's heart and mind).
In summary, the decision to remain silent was based on the following elements:
– We have no reason to allow traffic from the internet to an internal network on port 445. In fact, on any port, without a specific reason and without at least an additional layer of protection;
– The Patch Tuesday concept doesn't sound strange to us. Maybe except for February. The smiley is for connoisseurs. We'll come back with details in the next episodes;
– Many of the managed systems are running Windows 10, Pro or Enterprise. Probably the most secure OS on the market. Until June, if someone doesn't decide to pay the ransom. Details still to come;
– It is not so easy to reach systems that cannot be updated (long live old enterprise apps) due to the protection offered by the firewall. Also segmented for what is critical;
– Important data and important business processes are protected from at least two angles;
– Many of our clients' workloads run in the cloud. SaaS, PaaS, IaaS. Or hybrid. Using the best platforms, we have an extra layer of security. Delivered as a service;
– It's not nice to leave the house, but in IT we have a saying: the biggest security hole is between the chair and the screen. Speaking of ransomware, the percentage of infections generated by user behavior is 94% (see the study below). Being the weekend, it was harder with "Click here to …", and by Sunday evening everyone was a security expert. What doesn't television do to people? As a result, the greatest risk of infection disappeared, users becoming very careful with unexpected messages.
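The first and fourth points above (no inbound traffic on port 445, and segmentation of what is critical) are a policy that can be checked against what the firewalls actually log. The following is an added example, not code from the original post or from Check Point: it parses a constructed key=value firewall log, treats two hypothetical internal segments as known and everything else as internet, and flags accepted SMB flows (TCP 445 or 139) that cross from the internet into the network or from one internal segment to another, while counting the inbound attempts the perimeter correctly dropped. The log format, segment ranges and IP addresses are all assumptions made for the example.

```python
import ipaddress

# Constructed sample firewall log (not from the original post). Assumed
# key=value format: "<timestamp> action=<accept|drop> proto=<proto> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2017-05-12T08:01:02Z action=accept proto=tcp src=198.51.100.7 dst=10.0.20.15 dport=445
2017-05-12T08:01:05Z action=drop proto=tcp src=198.51.100.7 dst=10.0.20.16 dport=445
2017-05-12T08:02:11Z action=accept proto=tcp src=10.0.10.23 dst=10.0.20.15 dport=445
2017-05-12T08:02:13Z action=accept proto=tcp src=10.0.20.15 dst=10.0.20.40 dport=445
2017-05-12T08:03:00Z action=accept proto=tcp src=10.0.10.23 dst=10.0.10.50 dport=445
2017-05-12T08:03:30Z action=accept proto=tcp src=203.0.113.9 dst=10.0.20.15 dport=443
"""

# Hypothetical internal segments; any address outside them is treated as internet.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.0.10.0/24"),
    "servers": ipaddress.ip_network("10.0.20.0/24"),
}
# SMB over TCP (445) and NetBIOS session service (139).
SMB_PORTS = {445, 139}


def parse_line(line):
    """Turn one key=value log line into a dict with typed fields."""
    tokens = line.split()
    rec = dict(token.split("=", 1) for token in tokens[1:])
    rec["timestamp"] = tokens[0]
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def segment_of(ip):
    """Name of the internal segment containing ip, or None if it is internet."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def audit_smb(log_text):
    """Flag accepted SMB flows the policy should never allow.

    Returns a dict with the list of (finding_kind, log_line) pairs and the
    number of SMB attempts from the internet that the perimeter dropped.
    """
    findings = []
    dropped_from_internet = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        src_seg, dst_seg = segment_of(rec["src"]), segment_of(rec["dst"])
        if rec["action"] != "accept":
            # A drop is the expected outcome for inbound SMB; just count it.
            if src_seg is None:
                dropped_from_internet += 1
            continue
        if src_seg is None and dst_seg is not None:
            # Perimeter let SMB in from the internet: the worm's entry vector.
            findings.append(("internet_to_internal_smb", line))
        elif src_seg is not None and dst_seg is not None and src_seg != dst_seg:
            # Internal firewall let SMB cross segments: lateral spread path.
            findings.append(("cross_segment_smb", line))
    return {"findings": findings, "dropped_from_internet": dropped_from_internet}


if __name__ == "__main__":
    result = audit_smb(SAMPLE_LOG)
    for kind, line in result["findings"]:
        print(f"{kind}: {line}")
    print(f"SMB attempts from the internet dropped: {result['dropped_from_internet']}")
```

On the sample log the audit reports the accepted flow from 198.51.100.7 to the server segment on 445 and the workstation-to-server SMB flow; the server-to-server and workstation-to-workstation flows stay within one segment and are not flagged, and the HTTPS flow is ignored. In practice the segment table and the SMB whitelist (for example a file server that workstations legitimately reach) would come from the firewall policy rather than being hard-coded.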


There is and will be only one very complicated scenario: infection by human error (read: from the inside) in a large, unsegmented network. Several examples of affected companies have already appeared in the public space. The scenario of a vulnerable system directly exposed to the internet comes straight from the silent movies, and it is difficult for us to describe it in 2017.

At the end of the first article we have the following message: no panic, but an intelligent approach, understanding the entire context. The road to the digital economy also has disadvantages, and if you understand how things work (not only technologically, but also geopolitically, to set the level of expectation for the following articles) you give up expressions such as challenge, threat, loss or impact. From our perspective, both now and in the future: business as usual. And if you like a quiet life, others can be restless on your behalf: the IT guys (we have girls too, it's just an expression).

@2025 - KodingTech