Touted by the media as the largest Ransomware attack in history, WannaCry is certainly on the tips of tongues of corporations and consumers everywhere. Despite its apparent lack of technical sophistication, WannaCry (also reported as Wcrypt) has affected more than 200,000 Windows systems across 150 countries as of this writing. News outlets, thirsty for a scoop, have been reporting on WannaCry non-stop since its outbreak late last week, and security experts have been feeding the frenzy, talking about the implications of such an attack and what companies could and should have done to prevent it.
In many cases, Ransomware authors target people as the vulnerability. Phishing emails are an almost sure-fire way to drop malware onto a user's computer, and attackers don't need to know much about their victims. All an attacker has to do is send an "urgent" shipping notice, an email with a compelling subject line (e.g., "Employee raise schedule attached"), or an invitation to connect on LinkedIn, and chances are some unsuspecting or busy person will take the bait. In WannaCry's case, though, the perpetrators didn't need to bother with such "marketing" messages. WannaCry spread as a worm, exploiting a flaw in the SMBv1 service of unpatched Microsoft Windows systems with "EternalBlue," the exploit leaked in the Shadow Brokers dump. Security and IT teams had to know this was coming: Microsoft had issued a critical patch for the flaw (MS17-010) in March, a month before the dump. So why not do anything about it? Why not patch systems and, just to be safe, create backups of critical files? This advice is part of every media story, and it's right in line with every security industry "best practice," from covering the basics to incident response.
I can’t get to sleep
As with every cyber attack, WannaCry provides ample opportunity for people to point fingers and say, "Shoulda, coulda, woulda." What would be more helpful is if security teams took this opportunity to explain the importance of some of these security basics, especially in cases where "basic" isn't so basic, and helped their organizations create plans and processes around things like patching and backing up critical or sensitive data. To accomplish this, organizations first need an understanding of the potential threat (intent x capability) and then an estimate of the likely impact. Sounds a lot like risk management, doesn't it?
Enterprise patching sounds simple on paper, but for many organizations, such as hospitals, which require near-constant uptime, and those running legacy and multi-purpose architecture (hospitals fit into this category too), hitting the "install critical updates" button isn't easy. But patching!! Yes, it's true: patched systems would have kept a lot of organizations across the globe from being infected by WannaCry. The UK's National Health Service, the most visible victim of WannaCry, would not have had to divert patients or cancel surgeries, and other companies would not have had to trigger disaster recovery plans.
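The patch-or-don't-patch discussion above (the MS17-010 fix for the SMBv1 flaw EternalBlue exploits, and the hospital case where the patch cannot go on immediately) comes down to a few concrete questions an administrator can ask of each Windows host. The script below is an added example, not code from the original article or from any vendor; it assumes Windows 8.1/Server 2012 R2 or later (where Get-SmbServerConfiguration and Get-NetTCPConnection exist) and an elevated PowerShell session. The KB numbers are the March 2017 MS17-010 packages for each Windows version as the example's author knows them; on Windows 10 they are superseded by later cumulative updates, so the SMBv1 state is the more robust signal than the KB lookup.

```powershell
# Added example (not from the original article): triage one host for the
# WannaCry exposure discussed above. Run from an elevated PowerShell prompt.

# MS17-010 package IDs per Windows version (assumption: list compiled by the
# example's author from the March 2017 bulletin; later cumulative updates on
# Windows 10 supersede these, so "not found" is not proof of exposure there).
$Ms17010Kbs = @(
    'KB4012598',               # XP / Server 2003 / Vista / Server 2008 (out-of-band)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Get-WannaCryExposure {
    # Was any of the known MS17-010 packages installed?
    $installed   = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $kbFound     = @($Ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0

    # Is the SMBv1 server still enabled? This is the surface EternalBlue needs.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is the host actually listening on TCP 445?
    $on445 = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Ms17010KbFound    = $kbFound
        Smb1ServerEnabled = $smb1Enabled
        ListeningOn445    = [bool]$on445
        # Exposed only if the vulnerable protocol is on AND reachable AND no
        # known package is present; treat "exposed" as "go verify", not "infected".
        LikelyExposed     = ($smb1Enabled -and [bool]$on445 -and -not $kbFound)
    }
}

Get-WannaCryExposure | Format-List

# Compensating controls for hosts that cannot be patched yet (the hospital
# case): remove the SMBv1 surface and stop inbound 445 at the host firewall.
# Each line is deliberately commented out; uncomment after confirming no
# legacy device on the network still depends on SMBv1.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
```

The point of the LikelyExposed field is the one the article makes about risk: a host that is unpatched but has SMBv1 disabled and 445 filtered is not the same risk as an unpatched host sitting open on the hospital network, and the compensating controls at the bottom are what a security team can offer the business when the patch window is weeks away.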
I think about the implications
The tragedy of this Ransomware is that companies worldwide were caught unprepared, despite the growing prevalence of the attack type. Given everything we know about Ransomware and its efficacy, building processes to handle such an attack should be fundamental to risk management. Risk management, for its part, should be the primary objective of the information security program. What is security's purpose if not to insulate (to the best extent possible) the organization from cyber impacts? "Training for this impact from a risk perspective," says Lance James, Chief Scientist at Flashpoint, "no matter how technical an attack, is imperative."
Training implies advance preparation, which is certainly preferable to scurrying to clean up after the fact, as most affected companies did when hit by WannaCry. And WannaCry isn't the NHS's first rodeo. The UK hospital system has been targeted by Ransomware before, and although the desirability of health and patient data is highly publicized, the healthcare provider did not take appropriate steps to drive down risk. But patching!! Again, yes, but with multi-purpose, legacy systems that need to be continually available, patching isn't a simple action. When patching truly poses problems, as in many healthcare environments, organizations must develop risk management plans that let security teams serve the business and still address the most obvious issues, patching and maintaining backups among them. For critical systems and data, redundancy is a must. Every hospital on the planet keeps backup generators for exactly this reason: if electricity is interrupted mid-surgery and the surgical team cannot monitor the patient's vital signs, the result can be life-threatening, so the hospital does not gamble on the power staying up.
The risk calculation in this instance is clear, and it is the type of calculation that must start happening more frequently at the security level. None of the media hype, though, touches on risk, and very few security SME interviews address the fact that patching can be complicated and arduous, and in some cases, can cause compliance headaches, or the perception thereof.
Of diving in too deep
Without delving in too deeply, the scale of WannaCry is impressive, which is why it's headline-worthy. And it's obviously better clickbait to write "200,000 systems have been affected" than to report that the attackers have collected an estimated $55,000 to $60,000 worth of Bitcoin from those 200,000 systems. That payout, while not bad for a week's work for the attackers, is pointedly unimpressive given the scale of the attack. It should also signal to the security community, at least, that the overwhelming majority of affected organizations have not resorted to paying the ransom, and that is against a base of roughly a billion Windows systems in operation worldwide. Where are the stories about that? The NHS wasn't one of the success stories in this case, and hopefully it, along with others who were negatively impacted, has security teams that start working with the business to develop risk calculations and better processes for dealing with future attacks, which will surely happen.