Wannacry – Can We Really Call It a New Thing?

istock_pc_security

 

Plenty out there spoken about Wanna Cry, including on this blog (post and post). At its heart, it’s less ransomware than a worm exploiting a Windows OS vulnerability that looks to the network to infect even more computers. In fact, it was overwhelmingly successful, much more so as a worm than anything remotely as ransomware.

Media has touted this attack as “a massive worldwide cyber attack” causing chaos worldwide. Cue the lonesome pictures of hospitals unable to perform their functions and snapshots of Wannacry ransomware on computers.

Sure enough.

 

Now, take a second and think about why. Push past the angst and frustration and really focus on what allowed this event to happen. Was it really because of a malign group of criminals focused on extorting money? Should that even be considered? It’s nowhere near a new threat – you face it day in and day out regularly. Ransomware? Same answer. Ransomware has been and will continue to be an effective delivry and moneymaking mechanism. Neither the criminals nor the ransomware are the issue. They succeed because their methodology is sound and the probability of success is well in their favor. It only takes a single mindless click to infect a system or even an entire network, whether it occurs by email or as you are browsing the Internet.

Part of this is people. It’s fair to say that negligence by users is definitely a factor. It also happens to be process. Specifically you – as a company or business owner – it happens to be your process. If you don’t specify a set of permissions that limits individuals to responsible guidelines when you hand them or give them access to a computer – that’s a process failure. If you have big flat network with no logical or physical divisions, that’s another. If no security exists between you and others who access your network – your device vendors, service providers and users, etc. – then it’s tough to expect that you have security. If you don’t patch, especially critical updates; or if you delay those patches to meet your “normal” schedule because it’s inconvenient or just difficult to do– it’s a process failure.

Wanncry went from the possibility of being another small release of ransomware that may or may not have made a splash to kicking the global market in a very painful place. It didn’t happen because it was especially well written or cleverly inserted into networks. No, it happened because it leveraged a very well known issue – that had a patch, that was well discussed and talked about, and made available to fix – months after it became known. All of which allowed it to explode across the globe rapidly and inhabit operations.

Consider what that says. Consider why it’s important to realize the underlying facts beneath. We all laugh about patching. It’s painful to do, boring to implement and just time consuming. Not because the patching alone is difficult. Patching has complexities because of the many moving parts that need the patch. Its not the technical issues that really jam up getting machines patched and up to date. It’s the operational and risk issues that are the logjams.

  • If you have a lot of travelers, their machines aren’t updated until you get them back. That could be months or longer after the patch is needed. That’s if you can get the access needed to make it happen. The layman might be surprised on how difficult that can be without a strong process and the political will to enforce it.
  • It’s inconvenient. Operationally, it’s downtime, especially if issues arise from adding the security or patching. Even if it seems like it’s slower or less efficient but truly isn’t, security tends to lose to convenience. All it takes is someone with power over this kind of decision making to not get an email or not gain a level of access that was previously in place for it to get regressed or pushed back.
  • High demand devices are incredibly difficult to patch. This is especially evident in ones with near 100% uptime or load on them and ones involved in delicate or dangerous processes. The medical industry struggles powerfully with this issue. It’s easy to say stand up a backup or duplicate but these devices can be extremely expensive, highly sensitive or attached to something that’s both (like people). Frequently you are stuck between the need to patch or secure the device and allowing it to deliver what it does.
  • Risk management decisions push patching and security down the line frequently. Someone makes a decision that new business is more important than security. Someone decides availability is worth more the security risk. Someone decides the impact to the bottom line is of higher importance. It gets cast a lot of different ways but security is always balanced against the bottom line and convenience.

Plenty more.  I could go on but I’m moving too far away from the point.

The threat presented by Wannacry is not new.

Go back in time to 2001 with me and look at Code Red. It made a big smash too. Since then there have been hundreds of worms that have come and gone. A common theme among them all? All lack of process. Process that defines limits, that defines a schedule of security and updates that puts security as a strong part of your business strategy.

If I had to define a failure point, it’s a strategic one. If you can’t protect what you’ve built then you may find it crumbling around you. Security has to be part of your business strategy. If it’s not important at the top it’s not going to be enforced below. Want to show it’s important? Talk about it. Live under it. If your permissions are such that as the CEO you have unfettered access to your entire environment…is that really showing security? If you don’t know that everyone in your company is by default an admin on the computer you issue them – shouldn’t you find out?

You probably won’t like the answers you find. Frequently security is added into everything as an afterthought instead of as the process. Think about that new business line you are adding in. Does security have a seat at the table? If no, are you really showing support for security and how it important it is?

Talk about it.

 

Image credit: Business Magazine

About the author

Monty St John

Monty is a security professional with more than two decades of experience in threat intelligence, digital forensics, malware analytics, quality services, software engineering, development, IT/informatics, project management and training. He is an ISO 17025 laboratory auditor and assessor, reviewing and auditing 40+ laboratories. Monty is also a game designer and publisher who has authored more than 24 products and 35 editorial works.