You may have heard about the recent WannaCry cyberattack that infected hundreds of thousands of computers worldwide. The ransomware holds a computer hostage until the user pays some amount of money (ransom) to the hacker or until a patch is made and installed. Why did it spread so quickly and how can you prepare for the next one, especially if you are a DBA? It’s not a matter of if, it’s a matter of when.
Why were the attacks so effective?
When this particular ransomware emerged on May 12th 2017, it used an exploit on Windows systems that had been addressed by a critical patch two months earlier, in March 2017. So, if end users had kept up to date with the latest critical security patches as they became available, they would have avoided being infected.
Unfortunately, many businesses were not adequately prepared for an attack like this because they did not keep up with updates and did not have the right security processes in place. It’s critical that companies are proactive in the measures they take to mitigate the risks of today’s cyber threats, or they will remain vulnerable. Lack of preparedness is one of the biggest reasons this cyber attack was so effective.
How will this impact a company’s network?
The biggest threat, naturally, is data loss. That alone is a scary thought. We live in a data-driven world. While data loss can be a disaster to your business, other threats may occur when malware is present on any network. It can cause performance issues on every system or device attached to the infected network, including but not limited to system lockups, slow data transfers, or permanently corrupted system files leaving systems inaccessible.
What preventative measures should DBAs take to protect their databases?
Implementing a process to prevent these types of attacks is ideal for managing your business and minimizing risk. While being prepared may add costs to your bottom line, it will be much less expensive than dealing with the aftermath of a major cyber attack on your network. Not only will emergency changes be more costly, they will also put you at risk: since you will be in crunch time, you won’t be able to do full testing, which raises the chance of something going wrong.
As SQL Server, Oracle, Sybase and MongoDB database professionals, we have come up with a list of things you need to be doing with your databases to prepare for attacks like this in the future.
- Schedule Regular Updates and Maintenance – It’s vital that your System Administrator and Database Administrator are regularly updating your systems. Don’t be caught off guard. Make sure to do regularly scheduled maintenance and updates (at least once a month). All systems and devices that are part of the network infrastructure (routers, firewalls, switches, servers, workstations, etc.) should be maintained with the latest security patches provided by the vendor. These should be configured to install all critical updates automatically as they become available. Not all updates should be applied automatically, so be sure to have a plan of attack in place for your scheduled maintenance.
- Plan Down Times – Make sure to set times when your systems will be down for maintenance and updates.
- Roll Out Updates in Stages – This will give your team the opportunity to identify any issues before rolling the updates out to other areas. You will have more opportunity to keep the risks to a minimum when you roll out updates in stages to the different departments.
- Back Up Your Data on Removable Media Devices – It should be a given that you back up your data. However, it’s not just about backing up your data. It’s about backing up your data on some type of removable media (e.g. old-fashioned tape, a rotational media device, etc.) and then rotating it on a regular basis. If your backup is on the same network and you are subject to a cyber attack, it’s very likely that your backup gets corrupted too. If you do not have the ability to use removable media in your daily backup routine, encrypting your backups would be an alternative.
- Encrypt Your Data – Ransomware encrypts your data. So, it’s important that you put a layer of encryption over your databases to help keep your data safe from these types of attacks. Encrypting your data, in general, is a very good idea to prevent unauthorized access to your sensitive data.
- Install Anti-Virus and Anti-Malware Solutions – Encrypting your data will only protect your data from someone stealing it; however, it won’t protect it if they get through the back door with a virus such as a Trojan. So, make sure you have multiple layers of protection on your data. Make sure your organization has a policy and software in place to protect all systems.
- Perform Security Audits – Your System Administrator and Database Administrator need to perform audits so they know who has access to what. Set up users with limited access to data but no access to the server to prevent unwanted cyberattacks. Also, keep admin rights for users to a minimum to lower your risk. Another thing to consider is avoiding network shares that are read/write for all users, because this is how a virus can quickly spread throughout your company – keep access read only.
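One way to put that encryption layer on the backups themselves (the alternative named above for when removable media is not an option), shown as an added SQL Server example that is not part of the original post; the database name SalesDB, the certificate name BackupCert, the file paths and the placeholder passwords are assumptions:

```sql
-- Added example (not from the original post): encrypted, checksummed SQL Server
-- backup that can still be restored when the original server is lost.
-- Assumed names: database SalesDB, certificate BackupCert, paths under D:\.
USE master;
GO
-- One-time setup: a database master key and a certificate that protects the backups.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
CREATE CERTIFICATE BackupCert WITH SUBJECT = 'Backup encryption certificate';
GO
-- Export the certificate and its private key and keep the copy OFF this server
-- (on the rotated media). Without it an encrypted backup cannot be restored anywhere.
BACKUP CERTIFICATE BackupCert
    TO FILE = 'D:\keys\BackupCert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\keys\BackupCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>');
GO
-- Encrypted full backup. CHECKSUM lets a later verify detect a damaged backup file;
-- INIT overwrites the media set so the file holds exactly this backup.
BACKUP DATABASE SalesDB
    TO DISK = 'D:\backups\SalesDB_full.bak'
    WITH ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert),
         CHECKSUM, INIT;
GO
-- Check 1: the backup is readable before the media is rotated off-site.
RESTORE VERIFYONLY FROM DISK = 'D:\backups\SalesDB_full.bak' WITH CHECKSUM;
GO
-- Check 2: backup history confirms the backup was actually encrypted
-- (key_algorithm should read AES_256 and encryptor_type CERTIFICATE).
SELECT database_name, backup_finish_date, key_algorithm, encryptor_type
FROM msdb.dbo.backupset
WHERE database_name = 'SalesDB'
ORDER BY backup_finish_date DESC;
GO
-- Recovery on a clean server: re-create the certificate from the exported files
-- first, then restore. Shown as comments so this script stays single-server.
-- CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
-- CREATE CERTIFICATE BackupCert FROM FILE = 'BackupCert.cer'
--     WITH PRIVATE KEY (FILE = 'BackupCert.pvk',
--                       DECRYPTION BY PASSWORD = '<strong private key password>');
-- RESTORE DATABASE SalesDB FROM DISK = 'SalesDB_full.bak' WITH CHECKSUM, RECOVERY;
```

Backup encryption with a server certificate requires SQL Server 2014 or later; the exported .cer/.pvk pair is the piece most often forgotten, and without it the encrypted backup is as unreadable to you as the ransomware's own output.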
What should a company do if an attack happens?
First things first, if there is a suspected malware threat found on your network, especially in the case of ransomware, you should immediately disconnect all network connections (wired and wireless) to prevent spreading the malware to other devices attached to the same network segments. I would also recommend disconnecting any attached USB devices.
When it comes to actually paying a ransom, it is advisable to avoid paying as there is no guarantee that your data will be recovered. However, if you have no other way to recover your valuable data, this is a risk you may be willing to take. There have been confirmed reports in the industry where data was recovered after a ransom had been paid. But if you have the ability to completely remove the malware threat and recover the data that had been compromised, that is the safer route.
Finally, do not panic as there may be a solution or patch already out there to help you clean up and prevent the same attack from occurring again. And sometimes there are even solutions already out there to get your files recovered safely without the need for recovering from backup. If your company is concerned that your data is at risk, contact Dobler Consulting and ask about our Remote Database Services.