A few weeks ago, the world was introduced to WannaCry, a variant of crypto-locker ransomware designed to exploit a Server Message Block (SMB) vulnerability in Microsoft operating systems, using the exploit known as EternalBlue. Since WannaCry first made the news, it has spread to more than 300,000 targets in more than 150 countries worldwide, making it one of the largest attacks in the history of the Internet. Following WannaCry’s debut, cybersecurity experts have identified other malware from the same source with similar characteristics but used to different ends. First came Adylkuzz, which exploited the same class of vulnerability as WannaCry but, instead of encrypting a victim’s data, siphoned off system resources to mine cryptocurrency. Next, an assortment of WannaCry knock-offs entered circulation, and very recently a mysterious new malware, EternalRocks, has been detected quietly spreading itself, though analysts do not yet know its endgame. In short, this new batch of threats is not over.
What was necessary for all of these new malware threats to spread and flourish? Among the contributing factors were lack of awareness, procrastination, poor planning and, in some cases, even negligence; they all amount to the same end result.
The most vulnerable targets of this most recent rash of threats were older, legacy operating systems no longer maintained by Microsoft and for which Microsoft did not initially issue a patch. A typical IT department strives to maintain a good security posture by ensuring that operating systems (OS) and layered applications are subject to a strict patch management program, keeping the operating environment as up to date as possible and thereby defending against emerging threats. However, not all organizations are willing or able to keep current. An enterprise that has not maintained vigilance with respect to patch management and current OS levels is courting disaster. Improper patch management or poor infrastructure maintenance can and does leave an organization non-compliant with certain regulatory frameworks, resulting in failed audits and potential fines. In the event of a breach, sensitive data could be lost, and damages from the resulting litigation would likely be much more severe because of the failure to meet fiduciary obligations. Brand damage would certainly follow, along with significant lost revenue as customers move their business to competitors.
In addition to poor patch management and end-of-life operating systems, many of the organizations recently affected were likely remiss in their employee security awareness training. WannaCry was initially spread via an attachment on a phishing email. Properly trained employees should have recognized the scam and therefore not clicked on the attachment. This is by no means bullet-proof, but user education is a vital part of information security, and an untrained user population is your Achilles’ heel.
Finally, failure to employ basic security practices, such as disabling unused services, closing unused ports on the network, and limiting privileged access contributed to the rapid spread of WannaCry. It exploited older file-sharing services to replicate itself to new computers – these services should have been disabled on the target computers, the associated network ports should have been blocked at strategic points across the target organizations’ networks, and the unexpected usage of elevated user privileges should have been limited or at least triggered alerts in a properly hardened infrastructure. These safeguards were likely not present in the affected environments.
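The safeguards named above (disable the legacy file-sharing service, block its ports, verify the fix is installed) as a PowerShell audit-and-harden script. This is an added example, not code from the original post; it assumes an elevated session on Windows 8/Server 2012 or later, that SMBv1 on TCP 445/139 is the legacy service in question, and that `$RequiredKbIds` is a placeholder you replace with the KB ids of the SMB security update for your own OS build.

```powershell
<#
  Added example (not from the original post): report a host's exposure to
  the legacy SMB service WannaCry used to spread, and optionally harden it.
  Assumptions: run as Administrator; SMBv1 over TCP 445/139 is the legacy
  service; $RequiredKbIds is a placeholder for the SMB fix KB ids per OS.
#>
param(
    [string[]]$RequiredKbIds = @('KBNNNNNNN'),   # placeholder, set per OS build
    [switch]$Remediate
)

function Get-SmbExposure {
    # Server-side SMBv1 switch (present on Windows 8 / Server 2012 and later)
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Any enabled inbound firewall rule that blocks TCP 445?
    $blocked = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }

    # Is one of the required SMB security updates installed?
    $installed = Get-HotFix | Where-Object { $RequiredKbIds -contains $_.HotFixID }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Smb1Enabled     = [bool]$smb1
        Port445Blocked  = [bool]$blocked
        SmbPatchPresent = [bool]$installed
    }
}

function Invoke-SmbHardening {
    # Turn SMBv1 off on the server side (takes effect without a reboot)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 optional feature where the feature name exists (client OS)
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
    # Block inbound SMB on every profile; scope with -RemoteAddress on file servers
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445/139)' -Direction Inbound `
        -Protocol TCP -LocalPort 445,139 -Action Block -Profile Any | Out-Null
}

$before = Get-SmbExposure
$before | Format-List
if ($Remediate -and ($before.Smb1Enabled -or -not $before.Port445Blocked)) {
    Invoke-SmbHardening
    Get-SmbExposure | Format-List    # re-audit to confirm the change took
}
```

Run it without `-Remediate` first across a sample of hosts; any host reporting `Smb1Enabled = True` or `SmbPatchPresent = False` is the kind of machine the post describes.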
At this point, someone will usually note that some key line-of-business applications cannot run on newer operating systems. I would hazard a guess that for years, opportunities to either update or replace the aging applications have come and gone, perhaps deemed “too risky” or “too expensive.” Such positions suggest that decision-makers lack full situational awareness. The risks to the very survival of the organization may not be well defined, and therefore priorities are not well established. When was the last time your organization conducted a Business Impact Assessment? Do you know what your key lines of business are? Do you have well-tested Disaster Recovery and Business Continuity Plans? How long can key services be offline before the company is at risk of failure? Be honest, now – I bet most of you will not like the answers to most (or all) of these questions. But here’s a key statistic: following a major disaster (an event which results in a severe or total disruption of services), of those companies whose key lines of business are offline for more than a day, 25 percent end up going out of business. Perhaps it is time to reconsider what is “too expensive” or “too risky.”
Bottom line – look for opportunities to be more vigilant. If you were not affected by WannaCry, you either got lucky or are doing things right, or maybe a bit of both. To the rest – I encourage you to make the business case to your leadership to get them to endorse the necessary changes: update your OS and applications to supported versions, modernize key business applications, implement a solid patch management program, and then measure the operating effectiveness of that program. Institute a regular, recurring employee security awareness program. Take steps to harden your infrastructure. Implement privileged access management and audit trails. Conduct Business Impact Assessments annually or whenever major changes occur. And implement a risk management program so that you can identify your key business risks and plan remediation in order to reduce overall risk to an acceptable level.