Unless you’ve been living under a rock, you’ve heard about the WannaCry Ransomware attack. The sheer scale—though not the largest cyber attack on record, to date—has the security industry scrambling to close open vulnerabilities and analyzing how this new Ransomware was allowed to propagate so effectively across so many organizations. As with any type of incident, WannaCry also offers an opportunity for experts to talk about what could have prevented the attack in the first place, what measures should have been taken, and why the industry must be more vigilant moving forward.
Unlike the majority of Ransomware, which starts with a simple phishing attack, WannaCry took advantage of a known vulnerability in Windows operating systems, but one that could have been fixed with a recently issued patch; after the Shadow Brokers dump of NSA tools and exploits, Microsoft took action and released the update on March 14, 2017. Installing MS17-010 was the best way to prevent this attack.
Additionally, offered security experts in myriad interviews, creating regular backups of data ensures that if your organization is hit with Ransomware (or any other disaster, for that matter), it can continue to operate with minimal disruption. Of course, you’ll have to worry about your data getting dumped on the dark web if the malware authors get angry when you don’t pay for the return of your data, but that’s secondary to “business as usual.”
Unpatched OS’s and lack of backups weren’t the only aggravating factors, however. Running Server Message Block (SMB) version 1 is negligent under the best of circumstances, and turning it off doesn’t require interrupting operations. It is also reported that some of the infected systems were openly connected to the internet, allowing easy access for remote code execution even for a low-skills attacker. It shouldn’t take an attack of this scale to spur security teams into taking these types of basic precautions. Yet it does, time and time again.
Amidst the frenzy, security vendors were eager to chime in with evidence of how their products can prevent or detect future Ransomware attacks, and it’s likely they will fare well in the coming months. News of WannaCry wasn’t limited to security circles, and thus executives and boards of directors will be convinced to spend money to avoid becoming the next National Health Service or FedEx. An ounce of prevention, and all. Security practitioners are hungry for tools and technologies that keep their organizations safe from attack, and vendors smartly jump in to fill that need. The market demands better, faster, more robust tools; product companies deliver.
This, says one security expert, is the biggest issue in security today. Speaking under a condition of anonymity, this practitioner, who has worked for both security vendors and on the defender side, currently at a Fortune 50 company, exerts that organizations’ overreliance on tools and services is the real story with WannaCry. Accountability and visibility of the organization’s infrastructure lies in the hands of security and operations teams working for that organization, he wrote in an email exchange, not to the product makers or organizations providing security services. He continued, “We've observed [IT and security teams] deferring (deflecting almost) responsibilities to vendors and suppliers in the form of ‘we can't patch because of VendorX says so,’ or ‘VendorY is managing my network and I don't have access to my firewall configuration.’ It's almost at a point where organizations practice security through purchasing products and services to fill in an imaginary checklist of tasks, trusting that these would provide everything needed to run their business.”
Because outsourcing security functions has become commonplace, it’s almost as if organizations feel they can outsource responsibility for internal security incidents as well. Partnering with an MSSP, utilizing cloud storage, or buying the latest next-gen firewall, though, doesn’t mean the company, and more pointedly, the security organization within that company, abdicates custody over the cybersecurity of the company’s infrastructure, data, and people. Vendor products are no panacea—there is no magic bullet—and no engineering or development team from security vendor companies would ever claim that to be the truth. An organization can have the healthiest security budget and most skilled staff in the world, but if that organization is not regularly inventorying assets, testing for vulnerabilities, fixing those vulnerabilities (including patching), configuring purchased tools for the environment, and developing continuous risk assessments, that organization is failing. Says the security SME, “There is no excuse for any kind of organization that employs technology as part of its infrastructure to skimp on information security,” adding that it is, once again, security basics where the industry is falling short. Regardless of which tools and technologies are in place to assist with monitoring, alerting, sandboxing, etc. the internal security team has ultimate authority—and responsibility—to ensure those tools and technologies are up-to-date, working properly, and are fine-tuned for the specific needs of the organization. This requires not only doing the “dirty work,” but having a clear and demonstrable understanding of the organization’s priorities, assets, capabilities, and shortcomings, which all equal risk.
When it comes to buying into vendors’ marketing claims, security practitioners need improved due diligence. “Where is the questioning and validating during the procurement process,” asks Michael Santarcangelo, CEO of Security Catalyst, and our anonymous expert agrees. Using an age-old technique of “5 Whys,” says Santarcangelo, helps organizations unearth root causes instead of focusing on symptoms (like the breach itself). When it comes to purchasing security tools, this technique can be very helpful, as it shifts the focus away from statements like, “This will help you prevent malware,” and onto how the tool works, and can be configured, in a flexible, ever-changing production environment.
Don’t let the questions stop after the P.O. is signed, though. Security teams can’t buy a box, plug it in, and feel secure. Similarly, an organization can’t contract with an MSSP and expect that everything will be a-OK for eternity. As the threat landscape evolves, so too should security’s oversight and management of everything implemented—be they people, processes, or tools. Cybersecurity isn’t static, yet organizations are caught off-guard when they’re hit with a malware infection or data breach, and the finger pointing ensues.
If security teams don’t start internalizing this responsibility and attending to the basics, we will see more WannaCry-esque attacks globally. Many companies were “at fault” for the latest outbreak. Rather than blaming outside influences (i.e., Microsoft for creating vulnerable software or not issuing a patch sooner; the NSA for hoarding exploits and storing them insecurely; Shadow Brokers for exposing vulnerabilities likely to be exploited in the wild; the challenge of patching in a large, multifaceted operation), companies that fail to map their risk exposure need to assume responsibility. When your data is taken hostage or leaked onto the dark web, you can’t call your IDS/IPS vendor and cry, “You said I wouldn’t have a breach!” If you can’t prove to your cyber insurance provider that you did not take appropriate measures to protect the organization’s data, the payout won’t be grand.
In short, accountability and visibility of the infrastructure and underlying elements of large IT organizations needs to improve. Security won’t ever be able to stop all incidents, but the most preventable, like WannaCry, are within our control.