What should we have learned from WannaCry?

By Laura Haight
Originally published as The Digital Maven in Upstate Business Journal, updated June 17, 2017

It’s hard to overstate the damage that the spread of the WannaCry ransomware attack in May has had across the globe.

The attack hit hospitals, telecoms, transit, universities and utilities across Europe and Asia. The final tally will calculated in more than just ransoms paid, but an immeasurable cost in lost business and remediation, and potentially even human life.

For years, US officials like retired Gen. Michael Hayden, former director of the NSA, have warned of the massive vulnerabilities of our infrastructure to cyberattacks. Although the US was not a major target in this potentially first wave of attacks, those officials have the cold comfort of knowing they were right. We, and the rest of the world, are woefully unprepared to fight against coordinated cyber attacks.

To make matters worse, the NSA developed the tool hackers used to unleash the “WannaCry” ransomware on the world. Code-named “EternalBlue”, the hacking tool the security agency created was used to hack into millions of Windows computers by exploiting a vulnerability in a network protocol. That tool was obtained by a hacking group called Shadow Brokers and released “into the wild” in March 2017.

Still, Microsoft had released a patch to close the vulnerability back in March (MS17-010). Obviously, massive numbers of systems – from servers to desktops – are unpatched and vulnerable.

It's been more than a month since the attack. Have you patched your systems? Or did you just go back to business as usual, thankful that you dodged the bullet. This time? Wake up. There are lessons to be learned – and work to do.

It turns out Apple was right.

In the fall of 2015, Apple and other technology companies were embroiled in a controversy over privacy vs. security. At issue was an encrypted phone used by a “terrorist” that the FBI demanded Apple hack into. When that request failed, a national conversation ensued over suggestions that technology companies build backdoors into all devices so law enforcement and homeland security could adequately “protect us.”

Apple, Google and, yes, Microsoft, demurred because a backdoor would put everybody at risk. And it turns out they are right. Very little, in fact, really nothing is safe and secure. Last week’s hackathon certainly proved that.

Tools we create to defeat security measures whether we’re cop or criminal are inherently unsafe. Even the NSA can’t keep their work product safe.

What’s your excuse for not patching systems?

Let’s see. We’re too busy. Something might break if we do. We haven’t had time to test.

No one ever wants to believe that the answers to big problems can be simple. But sadly, they can be. The fact of the matter is, systems that had installed the critical patch delivered in March did not get hit. Q.E.D.

Of course, there are legitimate reasons why some companies lag behind in patching. Some systems landscapes are so complex that a test bed is required to ensure a critical piece of the operation doesn’t go down when a patch is applied. Not unsurprisingly, those hypercritical systems -- hospitals, utilities, hydroelectric plants, law enforcement agencies, banks and brokerages – are exactly the key targets for this attack and other large, coordinated efforts in the past.

But not all unpatched systems fall into this category. A year after the vast Heartbleed exposure in 2014 that opened a hole in the very system that provided security to nearly every public-facing server in the world, three out of four of the Forbes 2000 companies had still not deployed the patch that had been available for nearly 12 months.

If your business is at this level, then you need a permanent test bed and the staff to regular review, test, evaluate and deploy critical patches. For the rest of us, not patching is a weak excuse. And, this week, a costly one.

It still takes a user.

An unpatched system in and of itself is just a petrie dish. But layer in an authenticated user, who clicks where they shouldn’t and - whamo - you’ve got the technology equivalent of Ebola.

And that’s exactly what happened here. Attackers sent an encrypted zip file, which is harder for intrusion detection systems to scan. And yet, over and over, the file was opened, spreading throughout attached devices and computers on the user’s network.

When I talk about cybercrime and security, I often hear: “Everyone knows that.” Clearly, everyone doesn’t. And that’s a pretty expensive sandbox to bury your head in. The ransom demanded for each hack so far totals over $30 million.

----

Have you been hit by ransomware? We want to talk to you. Share your experiences with other businesses who need to know this is a threat is not happening “to someone else.” Email laura@portfoliosc.com


More on Ransomware