Attacks/Breaches
5/18/2017
07:15 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

5 Security Lessons WannaCry Taught Us the Hard Way

There is a lot more our industry should be doing to protect its systems and data from cyber blackmail.

The scope and severity of the fallout from the WannaCry attacks over the past week elicits plenty of "we told you so" head shakes about the dangers of ransomware. With a lightning-fast speed, the blackmail worm spread quickly.

On Friday it reached 74 countries and more than 45,000 systems. By Monday, those numbers had ballooned to 150 countries and 200,000 systems, according to Europol.And even when security researchers found a kill-switch for the attack that they used to their advantage, it didn't take long for new variants to start up again with infections occurring at a rate of 3,600  systems per hour.

It's a nasty bit of business. And while the hue and cry over ransomware should't be ignored, there are a lot more valuable lessons beyond those that have to do with cyber blackmail. Here are just a few of them.

Lesson 1: Vulnerability and Patch Management Overshadow Everything
Patch, patch, patch, patch. It's been the overwhelming mantra of security pros for decades, and this attack campaign shows us why. The rapid spread of the worm was made possible by the ubiquity of systems worldwide running on unsupported or unpatched operating systems.

"We’re hopeful that organizations will significantly alter their continuous patch hygiene," says says Mark McArdle, CTO for eSentire. "Microsoft has even released new emergency patches for Windows XP and 2003, which speaks to the seriousness of the event and the risk of deploying out-of-date operating systems in production environments."

Lesson 2: Unknown Assets Can Bite You in the Rear
It's just about impossible to patch systems an organization doesn't even know exists. The insidious effects of WannaCry offer up a good illustration of how easy it is for attackers to scale atttacks against the forgotten systems that can be lost through inconsistent asset management. 

"Attackers performing reconnaissance will often find unknown, unprotected, and unmonitored assets to use as attack vectors," says Steve Ginty, senior product manager at RiskIQ. "For a large enterprise, these types of assets are typically easy for even novice hackers and threat groups to find, and because they’re unmonitored, provide an easy way in and out. To defend yourself, you need to know what attackers see when they’re looking at your business from outside the firewall."

Lesson 3: Network Segmentation Can Be a Valuable Risk Reducer
Of course, patch management isn't as simple as just finding every system and waving a magic wand over them. Many organizations struggle to update legacy and embedded systems due to a host of technical problems. It's why WannaCry found such fertile ground in healthcare organizations, since many medical devices are built on top of old Windows operating systems that are notoriously difficult to update due to government regulations and the organizations' own concerns about causing system disruptions during updates.

"In many cases, devices will never receive updates either because the OS is no longer supported and memory, storage, and processing constraints may prevent the device from operating effectively with the latest software," says Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team. "Finally, I suspect that many hospital administrators may not recognize the danger from using outdated software on these devices, and simply avoid patching because the device works. This 'if it ain’t broke don’t try to fix it' mentality can be tremendously detrimental to hospital security."

This scenario is a perfect example of how compensating controls - like network segmentation - should have kicked in for a lot of organizations. 

"Of course, today, completely disconnecting a machine from the Internet typically renders it of little use. But network connectivity can be limited as much as possible," says Brighten Godfrey, co-founder and CTO of Veriflow. "Segmentation requires careful network architecture, especially in a complex environment where configurations of firewalls, routers and other devices are continually changing. Rigorous network verification methods can help ensure that the intended segmentation is continually realized."   

Lesson 4: Security Has Real-World Repercussions
Speaking of healthcare, one of the big-picture lessons that security professionals around the world should be thinking deeply about is the fact that cybersecurity is no longer just a game of protecting data. When attacks happen today, they have real-world repercussions that can affect the safety of people's life and limb.

"With so many medical devices connected to the internet, it’s not surprising to know that some of these devices were rendered useless by WannaCry," says Terry Ray, chief product strategist for Imperva.

The attacks against the UK's National Health Service put hospital operations at a standstill and threatened the health of real people. As much as the security industry talks about its struggle with attackers as a game, using terminology like "whack-a-mole" and "cat-and-mouse" to describe the back-and-forth exchanges, the truth that WannaCry should bring home is that what we're engaged in is not frivolous or fun. The consequences are real and serious.L  

Lesson 5: It's Easy to Forget the 'A' in Security's 'CIA'
So many security organizations get hung up on the confidentiality and integrity part of IT risk management that they forget the final leg of that three-legged stool: availability. According to estimates from Cyence researchers, the business interruption costs to companies from WannaCry will add up to over $8 billion.

"Business interruption caused by the WannaCry malware is probably the most substantial and problematic component to this event. Organizations will suffer interruptions to their business, lost income, and extra expenses while the infection is being remediated – and it will take some time to get back to full productivity even after systems are restored," says George Ng, CTO and Cyence co-founder. 

Obviously, these are big-picture lessons. And it will take time to turn these lessons into meaningful action. In the meantime, for those who've found they've lost access to WindowsXP systems, there's at least some good news on that front. Security researchers with the French security firm Quarkslab have released a new tool called Wannakey, which can recover the private encryption key for infected WindowsXP systems.  

Related Content:


 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Innerct
50%
50%
Innerct,
User Rank: Apprentice
5/25/2017 | 3:54:15 PM
Pending Review
This comment is waiting for review by our moderators.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/24/2017 | 11:09:28 PM
Re: First Lesson
FWIW, I don't know what the data for this past year is, but I remember a 2015 report that found that the three OSes that had the most reported vulnerabilities discovered in the past year were OSx, iOS, and the Linux kernel.  Ubuntu was a distant fourth.  Windows was 5th.

FWIW, here's the a relevant writeup at Dark Reading's sister site, InformationWeek: informationweek.com/ios-security-reports-say-no-iphone-is-safe/a/d-id/1319750

This is not to defend Microsoft, which certainly has its share of shortcomings.  But when it enterprise patch management, I'm not sure I'd place all the blame in Redmond.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/24/2017 | 11:00:02 PM
Re: Lessons???
@mark: Realistically, automatic updates are not an uption for large enterprise organizations; they have to test updates and patches before implementing them to make sure that everything plays nice together.

A major telco got in big trouble here a couple years ago when it implemented a patch -- without prior testing; it wound up knocking out their consumer accounts receivable systems for a few days, to the chagrin of many customers.
markgamacheNerd
50%
50%
markgamacheNerd,
User Rank: Apprentice
5/24/2017 | 12:15:55 PM
Lessons???
The only lesson that matters is, if any of these are lessons, there is a HUGE issue. This is not 2001, IT teams should be well versed in all of these.  Those that aren't should be ashamed! 

For the average user, turing off automaticic updates is its own reward.  This entire issue is self inflicted. 
Catherine Hudson
50%
50%
Catherine Hudson,
User Rank: Apprentice
5/23/2017 | 4:47:24 AM
Lesson #2
Thank you for highlighting the importance of software asset management. SAM tools, such as Binadox, should not be ignored. It is the software asset management tools that reveal threats immediately upon software installation or subscription to a SaaS application.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/22/2017 | 8:16:28 PM
#1
Of course, lesson #1 is generally the lesson from ANY headline-grabbing breach or security issue -- and most hacks, period.  Usually, Adobe is the culprit, but it's often other software too.  Patch management is, arguably, the number one way companies are failing in the InfoSec department.
kjh..2
0%
100%
kjh..2,
User Rank: Apprentice
5/19/2017 | 9:21:44 AM
First Lesson
The First Lesson should have been to start migrating away from Windows OS wherever possible, especially for unsophisticated users.
LindsayCybSafe
0%
100%
LindsayCybSafe,
User Rank: Apprentice
5/19/2017 | 7:15:58 AM
Fallout is key
Thanks Ericka for this! The actions taken after a breach are never as simple as expected. The days of expecting a sequence as simple as breach = disclose = patch = apologise are gone. It's wheels within wheels - how do you drill down to the entry point? How are employees expected to know what infection looks like after the network is disconnected? Security by design needs to replace fallout processes in 2017. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.