As the world recovers from what has been widely reported as the world’s most serious cyberattack, there are many questions being asked about WannaCry. Boards of directors, executive and risk committees, CISOs and CIOs are looking for answers and learnings from the event.
There are so many unanswered questions with WannaCry that something seems amiss. When CISOs or CIOs address their risk committees or boards, even at this late stage they can’t answer the simple question, “How did the malware get into these organizations?” Some say it was email, either malicious attachments or phishing links that users clicked. Others are certain it was SMB ports open to the internet. What is clear? Nothing, except widespread disruption.
Normally the technical analysis would be comprehensive and definitive by this stage. While questions remain, let’s have a look at what we do know and what lessons we can learn from it.
What we know
Firstly, routine ransomware caused the damage. Files on users’ PCs get encrypted by malware, and a financial payment (the ransom) is demanded in return for the decryption key. Crypto ransomware has been around since 1989 when the AIDS trojan was distributed on floppy disk.
Second, the distribution of WannaCry was caused by an Internet worm, whereby infected computers searched for other computers they could infect, and the malware propagated from server to server, inside and outside the firewall. Anyone who remembers Conficker, Code Red or even Slammer will know that internet worms come along every few years.
Finally, a vulnerability in the Windows operating system made the distribution possible. All operating systems have bugs, some more serious when exploited than others. But this is nothing new.
The lethal cocktail
What is new in this case is the aggregation of the three elements I describe above. Incident response workers have been working hard to ensure all patching is in place to reduce the attack surface since news broke.
Organizations across multiple industries, including healthcare, automobile manufacturing, public transport, education and transportation, were severely impacted by WannaCry. In the United Kingdom alone, dozens of hospitals were closed as a result and had to turn away patients. At least one car manufacturing plant was shut down due to the ransomware worm.
So what can you learn from the WannaCry outbreak to help strengthen cybersecurity in your organization?
1. Cybersecurity is firmly a business issue
Shutting down hospitals and closing manufacturing plants has consequences that go far beyond IT or information security departments. These actions impact the organizations’ true operations. And we’ve been here before. Remember when a UK-based telco company suffered a SQL injection attack that resulted in millions of dollars in losses? And more recently, when the Yahoo trade deal was discounted by multiple millions of dollars following the disclosure of a security breach? WannaCry has forced the issue beyond the IT department and onto the operational floor. Every organization will benefit greatly by keeping the conversation alive with operational leadership, even to the point of placing responsibility on operational teams to be aware of, and formally accept, the risks of running unsupported operating systems. IT can no longer be responsible for all aspects of security.
2. Boring, mundane activities matter
For the longest time, patching and system updates have been the responsibility of the IT department. While this isn’t wrong, what needs to be valued more is the level of compliance in this regard, whether the task is done by your internal IT department or cloud or managed service provider. This is one of the most important tasks in keeping a solid line of defence. We need to value high levels of compliance more than we might have heretofore.
3. Time matters
Across many organizations you hear heroic stories about the amount of time spent patching all Windows systems. However, the speed of patching, or of bringing systems into compliance, is a key factor in responding to such an attack. You have to make solid investments in automation and in standardizing how your systems report compliance with regard to patch levels. One thing is for sure—you’ll need to urgently patch systems again in the future, and having the confidence to do so quickly will make any CISO or CIO sleep better. Remember, WannaCry is not some zero-day attack that no one could have foreseen. It was a known vulnerability with a patch available (at least for in-support operating systems) for at least 30 days. Companies that scrambled to patch in-support operating systems need to understand why this patch wasn’t rolled out after two months.
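The kind of standardized compliance reporting this lesson calls for can be reduced to a small, repeatable check: compare each host’s reported patch list against the fix required for its platform, flag hosts whose platform has no fix at all (the unsupported operating systems lesson 1 asks operational teams to formally accept), and mark anything still missing the fix past an agreed age as overdue. The script below is an added example, not code from the article or from any vendor tool; the host names, OS names, KB identifiers, patch release date and 30-day threshold are all constructed placeholders, and in practice the inventory rows would come from a patch management tool or CMDB export.

```python
"""Patch-compliance report over a host inventory (constructed sample data).

Added example for illustration. The inventory rows, host names, OS names,
KB identifiers and the release date below are constructed placeholders; the
required-patch table is what a patch-management tool or CMDB export would
supply in a real estate.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    installed_patches: frozenset  # KB identifiers as reported by the host


# Assumed policy inputs (placeholder identifiers). Keyed by OS because the
# same fix ships under a different KB number on each platform.
REQUIRED_PATCHES: Dict[str, Set[str]] = {
    "Windows 10": {"KB-FIX-W10"},
    "Windows Server 2012 R2": {"KB-FIX-2012R2"},
    "Windows 7": {"KB-FIX-W7"},
}
# Platforms with no vendor fix available: nothing to install, so the risk has
# to be formally accepted by the owning operational team instead.
UNSUPPORTED_OS: Set[str] = {"Windows XP", "Windows Server 2003"}
PATCH_RELEASE_DATE = date(2017, 3, 14)  # constructed; use the vendor's real date
MAX_PATCH_AGE_DAYS = 30  # SLA: a host still missing the fix after this is overdue


def classify_host(host: Host, today: date) -> dict:
    """Return a status row for one host: compliant, missing_patch, unsupported_os or unknown_os."""
    if host.os in UNSUPPORTED_OS:
        status = "unsupported_os"
    elif host.os not in REQUIRED_PATCHES:
        status = "unknown_os"  # inventory gap: compliance cannot be asserted
    elif REQUIRED_PATCHES[host.os] <= host.installed_patches:  # subset check
        status = "compliant"
    else:
        status = "missing_patch"
    days_since_release = (today - PATCH_RELEASE_DATE).days
    # Unsupported hosts count as overdue too: an accepted risk must still be
    # visible on the report, not silently dropped from it.
    overdue = status in ("missing_patch", "unsupported_os") and days_since_release > MAX_PATCH_AGE_DAYS
    return {"host": host.name, "os": host.os, "status": status,
            "days_since_release": days_since_release, "overdue": overdue}


def compliance_report(inventory: List[Host], today: date) -> dict:
    """Aggregate per-host rows into the numbers a risk committee asks for."""
    rows = [classify_host(h, today) for h in inventory]
    counts: Dict[str, int] = {}
    for row in rows:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    total = len(rows)
    compliant = counts.get("compliant", 0)
    return {
        "rows": rows,
        "counts": counts,
        "compliance_pct": round(100.0 * compliant / total, 1) if total else 0.0,
        "overdue_hosts": sorted(r["host"] for r in rows if r["overdue"]),
    }


# Constructed inventory: two workstations, one server, one unsupported medical
# console, one unpatched Windows 7 kiosk and one host the policy does not cover.
SAMPLE_INVENTORY: List[Host] = [
    Host("ws-001", "Windows 10", frozenset({"KB-FIX-W10", "KB-OTHER"})),
    Host("ws-002", "Windows 10", frozenset({"KB-OTHER"})),
    Host("srv-db1", "Windows Server 2012 R2", frozenset({"KB-FIX-2012R2"})),
    Host("mri-console", "Windows XP", frozenset()),
    Host("kiosk-7", "Windows 7", frozenset()),
    Host("lab-box", "SomeLinux", frozenset()),
]
SAMPLE_REPORT_DATE = date(2017, 5, 12)  # constructed reporting date


def sample_report() -> dict:
    """Run the report over the constructed inventory on the constructed date."""
    return compliance_report(SAMPLE_INVENTORY, SAMPLE_REPORT_DATE)


if __name__ == "__main__":
    report = sample_report()
    print(f"compliance: {report['compliance_pct']}%  counts: {report['counts']}")
    for row in report["rows"]:
        flag = " OVERDUE" if row["overdue"] else ""
        print(f"{row['host']:<12} {row['os']:<24} {row['status']}{flag}")
```

Two design choices are worth noting. Unknown platforms get their own status rather than being counted as compliant or non-compliant, because an inventory gap is itself a finding. And unsupported hosts are reported as overdue even though there is nothing to install, so the accepted risk stays on the same page the board sees rather than disappearing from the compliance figure.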
4. You must pay for security, so why not do it on your terms?
All the patching demanded by WannaCry is being paid for—whether in overtime bills or in the opportunity cost of other work being deferred. There is no shortage of budget once the operational risk is known, but wouldn’t it be a lot better to spend according to a controllable investment plan rather than in reaction to an unplanned event? Surely operational departments will see the logic of this argument, and I would encourage you to rally support from the operational teams for the downtime windows needed for patching and other maintenance tasks, so these can be undertaken in a planned and controllable manner.
5. The game has changed
We are in new territory when it comes to protecting our networks. WannaCry presented several features that would be useful to an attacker seeking to cause mass disruption. When we now talk about controlling networks, we need to include what control we have over our response to such an event. We have to accept that these events will occur from time to time, and be ready and clear on what steps to take and which actions to prioritize. Developing strong playbooks and rehearsing scenarios, either as a desktop walk-through or as an actual simulation, will help in responding to the changed environment.
Events like WannaCry will occur again, and it’s best to seize this as an opportunity to ensure operational departments shoulder some of the responsibility or at least support CISOs and CIOs in protecting their organizations’ networks and critical assets.