RM Information Security has been contacted by several companies today who are concerned about the WannaCry ransomware outbreak. In response, we have captured the thoughts and advice of RM Information Security’s Technical Director Mark Wityszyn.
What has happened?
On Friday 12th May the WannaCry virus started to infect computers across the world. It’s likely the initial computers were infected via email attachments which were opened by unsuspecting users. Once a computer is infected it tries to infect other Windows computers on the same network which have not been patched with the security patch MS17-010. The patch was released in March 2017.
The end goal of the virus was to encrypt the files of the infected computers and hold them to ransom for $300 increasing to $600 with the threat of deleting the files forever. Obviously once the computer is infected it becomes unusable until it is wiped and restored, which is what has caused the real impact to businesses.
Who is at fault?
2017, 2018, 2019 (or anytime soon) is never going to be the year where we don’t have to patch systems.
Even if a new operating system came out tomorrow, with a new way of creating applications that meant we never have to patch again, there’s a good chance we’d still all fall foul of problems like WannaCry for a long time to come because we have so much technical debt both in infrastructure and applications.
So if it’s not the businesses’ fault, is it all the NSA’s fault?
No, I don’t think it is. There are a lot of arguments about the roles of Government Agencies and privacy in general, and about whether these government agencies should even be creating exploits and hacking everyone. This situation isn’t something I can easily influence so it’s better for us to concentrate on mitigating the risk rather than being drawn into the debate.
Is it Microsoft’s fault?
No, Windows is huge. Consumers complain about technology doing what they want it to do and this forces Vendors to place availability and services (read functionality and pretty user interfaces) as a big priority.
To some extent we should be happy that the NSA had the exploit, that it was leaked and that Microsoft released a patch. MS17-010 was available in March, which gave companies time to roll it out. This could have been far worse: a 0 day attack with everyone scrabbling to come up with mitigations on the spot.
Where does security fit in IT Service Delivery?
Having previously worked for many years in IT Service Delivery, Mark is aware of the real drivers for IT, which are:
- Availability of current systems
- Delivery of new systems
- Security of systems
The reality is that security comes a close, but very real, third requirement. And that’s not going to change anytime soon: businesses exist to make profit and the cost of “ultimate” security can be very restrictive. That’s why all businesses need to manage that risk.
Are things going to change?
From what we see day to day, IT systems are complicated. Some are new and really well hardened and delivered. Others are old and have to be, to support critical business functions.
The reality is that both will suffer with the passing of time and as technology moves on and new vulnerabilities emerge. The key is maintaining security in a cost effective way for the business to meet their goals.
It’s not just Microsoft with vulnerabilities. On every single test I have carried out, if I find the version number of any little bit of software, either a web component or network service, I look it up on http://www.cvedetails.com/ and 9.9 times out of 10 there will be some sort of vulnerability related to the software in question no matter how much you think it won’t be a target.
The reality is that we all have shiny mobile phones with fancy graphics and data at our fingertips. This veneer of modernity belies the reality that most infrastructure and business at some point will have old software with lots of vulnerabilities. It might be in a SAN, telephony, door access controls, databases or maybe all of them.
Surely this is a wakeup call for everyone?
Yes? But look at it from a risk perspective. The last occurrence of something similar was in 2008 with MS08-067. A 9 year gap between occurrences definitely puts it in the low likelihood category. Even with a High impact the risk comes out as:
Low (likelihood) x High (impact) = Medium (risk)
I could be wrong and this could be the turning of the tide, but given so many businesses were affected I doubt that reputational damage will factor into anyone’s risk equation.
What can we do?
Understand the risks your systems face, document them in a way that the business can understand them and take a decision on what is the right action for the business as a whole. It’s a balancing act and all businesses will be different. But ignoring it will definitely be a bad idea.
Configure systems with the least amount of services possible. If it’s a web server, make sure it only offers ports 80 and 443. If it’s a database server, make sure it only offers database ports. This goes for workstations too. Disable all services and features that aren’t required. Default Windows is not a hardened business deployment; it’s the version that shows the operating system in the best light.
Get used to patching. Most businesses have progressed massively since 2008, but few are at the point where they can drop patches through straight from the vendor. But as incidents like this show, it might just save your bacon. Given it’s never going to go away, stop fighting it and try and live with it.
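An added example (not part of the original article): a Python check that reads Windows `netstat -an` output and lists the TCP ports listening on non-loopback addresses that the machine’s role does not need. The role names, the database port 1433 and the sample output are assumptions constructed for illustration.

```python
import re

# Role allowlists. Ports 80 and 443 come from the advice above; the database
# port (1433, SQL Server) and the empty workstation list are assumptions.
ALLOWED = {
    "web": {80, 443},
    "database": {1433},
    "workstation": set(),
}

# A listening TCP row of `netstat -an` (or `-ano`, with a trailing PID).
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING(?:\s+\d+)?\s*$")
LOOPBACK = ("127.", "[::1]")  # bound locally only, not offered to the network

# Constructed sample output for a web server (not captured from a real host).
SAMPLE_WEB = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:443           10.0.0.77:51514        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

def exposed_ports(netstat_text):
    """Return the TCP ports listening on a non-loopback address."""
    ports = set()
    for line in netstat_text.splitlines():
        match = LISTEN_ROW.match(line)
        if not match:
            continue  # headers, UDP rows, established connections
        address, port = match.group(1), int(match.group(2))
        if address.startswith(LOOPBACK):
            continue
        ports.add(port)
    return ports

def audit(role, netstat_text):
    """Return the exposed ports that the given role does not need."""
    return sorted(exposed_ports(netstat_text) - ALLOWED[role])

if __name__ == "__main__":
    # 445 is SMB, the service MS17-010 patches; 3389 is Remote Desktop.
    print("web server offers more than its role needs:", audit("web", SAMPLE_WEB))
```
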
Layers and layers and layers. Onions are used as an example of how security should be deployed with layers of protection. This still works and when it comes to incidents, it’s amazing how these layers of technology can help mitigate issues when you have a major incident on your hands. AV, patch tools, inventories, network analysers, SIEMs, proxies, WAFs.
If you haven’t already - open your eyes to security, get in touch. At RM Information Security all our consultants have many years of proper IT industry experience before we moved into IT Security and can provide balanced advice and assurance that your business is properly protected.