Three security experts share their thoughts on what the WannaCry ransomware attack taught us about the industry.
Raj Samani, Chief Scientist and McAfee Fellow, McAfee
Raj Samani is a computer security expert who has assisted multiple law enforcement agencies in cybercrime cases, and is special advisor to the European Cybercrime Centre (EC3). He has been recognized for his contribution to the computer security industry through numerous awards.
I saw a lot of the coverage related to the impact of WannaCry, particularly within the health sector. It resonated about the significance of the work that we as an industry do. I don’t want to sound melodramatic here, but the role that we have in safeguarding society should now be apparent by more than just us.
As an industry, we have been warning about the escalation in ransomware attacks and the migration from consumers to targeting businesses. Likewise, the warnings about IoT fell on deaf ears until Mirai made an appearance (although you can argue whether or not any changes actually occurred).
The role we play as an industry has to be more than just simply warning about the vulnerabilities within the systems society is placing an increasing reliance on, and then sacrificing sleep to respond to the threats when they are realized.
The industry came together and we saw a degree of collaboration that was unprecedented. Some of this was very visible with TweetDeck becoming a management console to collate intelligence from a variety of sources. In addition to the collaboration, we saw rapid responses from the industry to define the threat, update security products and educate impacted and concerned organizations within hours of the first reports for WannaCry.
In terms of better prevention, detection and remediation, my advice would be not to accept the risk.
Lack of cyber-hygiene has been cited as the reason that the propagation for WannaCry was so successful. This, of course, resulted in an angry response from individuals arguing that it’s not as simple as just applying a patch! The reality is that many organizations simply cannot apply security patches immediately, so rather than just accepting this risk, considering alternate controls could be an option.
I would suggest the biggest lesson that security practitioners should take from WannaCry is to identify the appropriate sources for information.
Information security professionals need to take to their boards the message that IT risk is a business risk. Boards must recognize that the reliance on digital systems is almost complete, and the myth that we can simply revert to manual operations when these systems are unavailable must now be quashed. To conclude, the CISO/security team are an integral part of your business.
Robert Holmes, VP Products, Proofpoint
With over 15 years’ experience in brand and fraud protection, Robert currently drives the strategy at Proofpoint. Robert joined from Return Path, where he served as senior vice-president and general manager for email fraud protection. He has an MA (Hons) degree in Philosophy, Politics & Economics from the University of Oxford, England.
On Friday May 12, organizations around the world found that their critical IT infrastructure had been compromised in the global WannaCry ransomware attack. Hospitals, factories, railways, telecoms, electricity providers, petrol stations, shopping malls, banks, governments, police – the list of affected organizations offers a sobering insight into today’s cyber-vulnerabilities. However, it is worth considering some of the positives that came out of the WannaCry attack.
First, the message to companies not to pay ransoms clearly is getting through, which is great news as we strive to starve cyber-criminals of funding. Only $89,679 of ransoms were paid to the cyber-criminals behind WannaCry (Bitcoin payments converted at the USD:BTC exchange rate on the day of payment). Some analysts reported ransoms of $150,000 but those are inflated as they didn’t consider the fact that 80% of ransoms were paid on or before May 16. Since then, the value of Bitcoin relative to the US dollar has increased by 72%.
Second, it has become clear that many of the 300,000 estimated infected computers had sufficient redundancy and recovery programs to withstand the attack. The fact that 99.9% of infected computers didn’t pay the ransom (less than 250 actual ransoms were paid) means that either those computers weren’t critical, or what was on them was covered by back-up computers or processes.
The National Health Service (or, more accurately, the funding thereof) also came under fire and while we clearly need to better manage the risk that cybercrime poses to critical infrastructure, we should also take some positives from the experience. Not only were critical A&E services unaffected, but normal services were restored within three days. Given the enormity and complexity of the NHS, that is a phenomenal effort. I am confident that, were the NHS to be hit with a similar attack, the lessons learned from WannaCry would see a dramatic improvement in the three-day restoration lag.
Finally, it has been incredibly encouraging to witness the speed with which the cybersecurity community reacted: within just hours of the initial infection, researchers from across many different security companies had collaborated to sample, sandbox, understand and neutralize the threat. Microsoft also took the extraordinary and, in my view, laudable step of issuing a patch for XP within days of WannaCry breaking. There will be more sophisticated attacks in the future with less obvious kill switches, but it’s encouraging to know that this community is alert and ready to swarm.
If we are ever to truly solve cybercrime, the whole of society needs to develop a heightened awareness of its presence and potential impact.
Brian Honan, CEO and Principal Consultant, BH Consulting
Brian Honan is one of Ireland’s foremost experts in cybersecurity. Brian has advised various government security agencies, including ENISA, the European Commission and Europol’s CyberCrime Centre (EC3). Brian also established Irisscon, the annual Irish cybercrime conference.
The biggest lesson that WannaCry taught to us as an industry is that we will always be at risk from legacy systems. Some of these may be old computers that have simply not yet been upgraded for whatever reasons, but others will be key business equipment or devices designed to last for many years using an embedded operating system with a shorter lifespan. These systems are often quite expensive so they can’t be patched, nor can they be easily replaced. So we need to look at other ways to protect these systems and our networks, rather than solely relying on patching.
The impact on the NHS and production lines in major corporations also taught us that computers are not the victims any more. Businesses, and indeed people’s lives, are potentially at risk from future cyber-attacks.
It was notable how the industry pulled together to try and stop the attacks. We witnessed security firms, researchers, and CERTs all share details of the attack as it was ongoing. Many organizations, including BH Consulting, published guides and recommendations on how to prevent infection from the worm and what to do if you did become a victim. This was the digital equivalent of a disaster and how communities pull together to recover from the effects and help the victims.
The downside with WannaCry was how widespread it became. At the heart of it, WannaCry is a computer worm. It is frustrating that after many years, even decades, of our industry developing tools and methodologies to defend against these type of attacks, WannaCry was able to wreak such damage.
We need to design our networks and systems so they are better segmented and easier to defend or isolate in the event of an attack. Companies should look at hardening the operating systems of computers to reduce the ability of malicious software to execute, such as preventing executable files from running in temporary folders and whitelisting trusted applications.
What lessons should information security practitioners take from this incident? We should learn that there is no silver bullet or magic pixie dust that will make your systems secure. Good old-fashioned security principles of network segmentation, access controls, patch management, backups and having robust tested incident response plans in place is the key. Information security practitioners should look for ways of making their business more resilient to attacks. In the event of a breach, your business should still be able to continue and function as near as normal. So look at how to integrate your security incident response plans with your business continuity plans.
Now is the time to tell boards they can no longer think that cybersecurity is the domain of the IT department. Cybersecurity is a key business issue and the risks associated with it should be managed at the highest level. Boards need to make more resources available to protect their systems, which at the end of the day, are the backbone on which many businesses rely.