The scope and severity of the fallout from the WannaCry attacks over the past week elicits plenty of “we told you so” head shakes about the dangers of ransomware. With a lightning-fast speed, the blackmail worm spread quickly.
On Friday it reached 74 countries and more than 45,000 systems. By Monday, those numbers had ballooned to 150 countries and 200,000 systems, according to Europol.And even when security researchers found a kill-switch for the attack that they used to their advantage, it didn’t take long for new variants to start up again with infections occurring at a rate of 3,600 systems per hour.
It’s a nasty bit of business. And while the hue and cry over ransomware should’t be ignored, there are a lot more valuable lessons beyond those that have to do with cyber blackmail. Here are just a few of them.
Lesson One: Vulnerability and Patch Management Overshadow Everything
Patch, patch, patch, patch. It’s been the overwhelming mantra of security pros for decades, and this attack campaign shows us why. The rapid spread of the worm was made possible by the ubiquity of systems worldwide running on unsupported or unpatched operating systems.
“We’re hopeful that organizations will significantly alter their continuous patch hygiene,” says says Mark McArdle, CTO for eSentire. “Microsoft has even released new emergency patches for Windows XP and 2003, which speaks to the seriousness of the event and the risk of deploying out-of-date operating systems in production environments.”
Lesson 2: Unknown Assets Can Bite You in the Rear
It’s just about impossible to patch systems an organization doesn’t even know exists. The insidious effects of WannaCry offer up a good illustration of how easy it is for attackers to scale atttacks against the forgotten systems that can be lost through inconsistent asset management.
“Attackers performing reconnaissance will often find unknown, unprotected, and unmonitored assets to use as attack vectors,” says Steve Ginty, senior product manager at RiskIQ. “For a large enterprise, these types of assets are typically easy for even novice hackers and threat groups to find, and because they’re unmonitored, provide an easy way in and out. To defend yourself, you need to know what attackers see when they’re looking at your business from outside the firewall.”
Lesson 3: Network Segmentation Can Be a Valuable Risk Reducer
Of course, patch management isn’t as simple as just finding every system and waving a magic wand over them. Many organizations struggle to update legacy and embedded systems due to a host of technical problems. It’s why WannaCry found such fertile ground in healthcare organizations, since many medical devices are built on top of old Windows operating systems that are notoriously difficult to update due to government regulations and the organizations’ own concerns about causing system disruptions during updates.
“In many cases, devices will never receive updates either because the OS is no longer supported and memory, storage, and processing constraints may prevent the device from operating effectively with the latest software,” says Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team. “Finally, I suspect that many hospital administrators may not recognize the danger from using outdated software on these devices, and simply avoid patching because the device works. This ‘if it ain’t broke don’t try to fix it’ mentality can be tremendously detrimental to hospital security.”
This scenario is a perfect example of how compensating controls – like network segmentation – should have kicked in for a lot of organizations.
“Of course, today, completely disconnecting a machine from the Internet typically renders it of little use. But network connectivity can be limited as much as possible,” says Brighten Godfrey, co-founder and CTO of Veriflow. “Segmentation requires careful network architecture, especially in a complex environment where configurations of firewalls, routers and other devices are continually changing. Rigorous network verification methods can help ensure that the intended segmentation is continually realized.”
Lesson 4: Security Has Real-World Repercussions
Speaking of healthcare, one of the big-picture lessons that security professionals around the world should be thinking deeply about is the fact that cybersecurity is no longer just a game of protecting data. When attacks happen today, they have real-world repercussions that can affect the safety of people’s life and limb.
“With so many medical devices connected to the internet, it’s not surprising to know that some of these devices were rendered useless by WannaCry,” says Terry Ray, chief product strategist for Imperva.
The attacks against the UK’s National Health Service put hospital operations at a standstill and threatened the health of real people. As much as the security industry talks about its struggle with attackers as a game, using terminology like “whack-a-mole” and “cat-and-mouse” to describe the back-and-forth exchanges, the truth that WannaCry should bring home is that what we’re engaged in is not frivolous or fun. The consequences are real and serious.L
Lesson 5: It’s Easy to Forget the ‘A’ in Security’s ‘CIA’
So many security organizations get hung up on the confidentiality and integrity part of IT risk management that they forget the final leg of that three-legged stool: availability. According to estimates from Cyence researchers, the business interruption costs to companies from WannaCry will add up to over $8 billion.
“Business interruption caused by the WannaCry malware is probably the most substantial and problematic component to this event. Organizations will suffer interruptions to their business, lost income, and extra expenses while the infection is being remediated – and it will take some time to get back to full productivity even after systems are restored,” says George Ng, CTO and Cyence co-founder.
Obviously, these are big-picture lessons. And it will take time to turn these lessons into meaningful action. In the meantime, for those who’ve found they’ve lost access to WindowsXP systems, there’s at least some good news on that front. Security researchers with the French security firm Quarkslab have released a new tool called Wannakey, which can recover the private encryption key for infected WindowsXP systems.
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio