Ransom ware is the monetization of an organization’s failure to do the fundamentals of cyber security well. As most ransom ware targets a handful of well-known vulnerabilities, keeping systems patched and up to date goes a long way towards preventing a ransom ware attack.
WannaCry and the vulnerability it targeted has dominated the global news all week, including technical details, prevention advice, attribution speculation and even personal details of the researcher who discovered the kill switch that stopped the aggressive ransom ware. With the panic around WannaCry slowing and a clearer picture of what happened emerging, now is a good time to take stock of its global impact and see what can be done to prevent future attacks.
Ransom ware attack methodologies Ransom ware is the monetization of an organization’s failure to do the fundamentals of cyber security well. As most ransom ware targets a handful of well-known vulnerabilities, keeping systems patched and up to date goes a long way towards preventing a ransom ware attack. Since the re-emergence of ransom ware over the last few years, the predictable attack method is typically one of two possibilities:
1. An email enticing users to either download a file or, more effectively, visit a website that hosts an exploit kit to take advantage of an existing browser-based vulnerability on the target’s computer.
2. The cyber criminals hijacking an advertising network that serves high profile websites, again taking advantage of browser-based vulnerabilities.
Experts have theorized that a ransom ware attack inspired by old internet worms like Conflicker, CodeRed and Slammer could automatically hunt down the next target without any user interaction, resulting in a massive global attack. But until last Friday, this type of attack was not broadly observed. Then WannaCry burst onto the scene, ripping through networks and causing significant disruption to organizations worldwide. WannaCry exploits a flaw in the ubiquitous SMB protocol used to access shared files and printers, and once a system is infected, it leverages the infected host to find the next victim.
The vulnerability that WannaCry targeted is, like most other ransom ware, quite well-known, and a fix has been available for two months. Still, the WannaCry malware targeted those systems that didn’t have the patch applied.
Patching Patching is difficult. IT and security teams can't control everything and the things that they can control can't always update quickly. It has become increasingly easy to deploy changes into environments, but there are systems that can’t just be updated with a click of a mouse button or a simple script. Fragile artifacts exist in many environments; taking down a manufacturer’s production system — or even reducing efficiency due to scanning or maintenance-induced latency — is rarely greeted with smiles.
Protection Inability to patch in a timely manner shouldn’t be an excuse for poor cyber hygiene. WannaCry could have been stopped in two different ways:
1. Deploying the MS17-010 update, or 2. Firewalling off SMB to vulnerable systems
If patching critical issues like MS17-010 could cause disruption to the business, then compensating controls must be put in place and proper, risk-based decisions must be made. Put simply if you can’t patch it, protect it.
If the system that controls an MRI machine is exposed due to an attack vector like MS17-010, then perhaps the main hospital network can operate without SMB access. If Windows XP is required by a factory automation manufacturer, the vulnerable systems must be treated like the security threats that they are — ring-fenced and monitored for unusual activity.
To do this effectively though, organizations have to understand their environments and exposures, which in itself is a significant hurdle many struggle to conquer. Continuous visibility into the vulnerability status of every asset in the modern computing environment is critical in understanding the business impact of ransom ware attacks like WannaCry and to fundamentally improving how your organization thinks about cyber security.
Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house
Share this article:
Tags assigned to this article:
About the author
The Author is Technical Director, EMEA,Tenable Network Security