Executive summary
The WannaCry ransomware infection spreading across the globe could have easily been averted, at least technically. However, the fact that so many organizations were hit goes to prove that following standard IT and security best practices is not as easy and straightforward as it seems. Reconciling the view of CISOs and CxOs is complex and requires cross-team work and strong governance.
Now, this attack might be seen as an opportunity to get there: rethink how organizations prioritize their defences against cyber threats and promote strong security governance. In particular, this event could act as a trigger to help organizations create, foster and strengthen both an internal and a global security culture bringing together IT processes, governance, communication, legal and HR aspects.
The Facts
The WannaCry ransomware spreading to organizations across the globe has struck more than 200,000 victims, in more than 150 countries over the weekend of May 13, 2017. The magnitude of the attack, qualified as at “an unprecedented level” by the European Union Law Enforcement Organisation (EUROPOL), makes use of a vulnerability stolen from the US National Security Agency and published by the hackers group “The Shadow Brokers” on April 14, 2017. At this time, the vulnerability had already been patched by Microsoft for supported systems since March 14, 2017. Following the outbreak, a patch was later published for unsupported systems on May 13, 2017.
Many organizations were severely struck by WannaCry and as a consequence suffered critical loss of data and heavy disruption to their operations.
Sadly, to many IT and cybersecurity professionals this attack was neither surprising nor inevitable. And while the focus is still on recovery, now is a good time to reflect on how we can improve our approach to cybersecurity to make subsequent attacks less devastating.
Many of CyAN’s multidisciplinary consultants were active in helping organizations recover from WannaCry infections and are now able to offer a higher view on the events, with the hope organizations will see beyond the disruption of the attack and focus on the opportunity presented by the events.
Root causes
The WannaCry ransomware was successful because of a combination of three technical factors:
- It relied on a vulnerability that was, at the time of propagation, un-patched on legacy, unsupported Microsoft systems still used within many organizations.
- It relied on slow patching processes within organizations, meaning that even though a patch was available to current supported versions of Windows since March 14,2017 (two months earlier), many systems still were unpatched.
- It benefited from the slow adoption of the Windows 10 operating system in the corporate world (the latest Windows version being unaffected by this threat)
Thus, the root cause of this infection can be determined to be:
- Old, unsupported, versions of the Windows operating system still running critical systems.
- Slow patching processes.
- Slow acceptance of Windows 10.
Secondary causes can be determined to be:
- Lack of control on internal systems visible from public Internet
Discussion
- Organizations should be aware that zero-day attacks (of which WannaCry is not) are reasonably rare and the organizational priority SHOULD be to address known vulnerabilities first, despite many vendors pushing “anti-zero day” solutions.
- This attack highlights the “If it works leave it alone” mentality still prevalent within many organizations. This should be a wake up call to address known problems in a more structured and efficient approach.
- Whether your organization is affected, this attack should be seen as a trigger opportunity to identify critical systems that are not adequately monitored. It is also a reminder that, older, perhaps forgotten systems should be patched, updated or taken offline. Lastly, it is a call to improve upon slow or inefficient patch management processes.
- It is prudent to conduct a review of all older systems connected to the Internet, especially those not protected by a hardware firewall device.
- Vulnerable, un-patched, older operating systems still used in production is not a Windows-specific issue. Organizations should take steps to ensure no system – whatever its operating system – is left un-maintained. Software management frameworks can help IT teams keep multiple OS environments up-to-date.
- One should ask IT and cybersecurity departments why an email sent to an unprivileged office account in corporate HQ can lead to a factory assembly line shutting down (or how an un-patched older system publicly accessible from Internet can lead to the same consequences).
- Such attacks have an important human side. The better trained and aware employees are, the less frequently they will fall prey to social engineering attacks (i.e. click on fake links sent by email, open fake Word documents, etc.) and the faster they will comply with IT instructions during such an attack. Cybersecurity is not entirely a technical problem—human behaviour plays a critical role.
- IT and cybersecurity managers should view this attack as an opportunity to assess that elusive ROI of security to unlock security funding (as compared to the cost of shutting down a vehicle assembly line, or of a hospital not being able to accept new patients…)
- Crisis management should be anticipated with a proper crisis management plan. The more advanced plans include two different crisis cells (management and operational), linked by a “translator” role able to coordinate between the two teams.
- Last but not least, the role of governments must be taken into the equation: developing adequate legal frameworks to clarify roles and responsibilities in securing networks and systems, strengthening cybersecurity governance models, facilitating information sharing are key elements for a more resilient society.
Corrective measures
Besides short-term corrections that have already been publicized (applying Microsoft MS2017-010 patch to protect against the vulnerability been exploited, disabling SMBv1 protocol, blocking all versions of SMB at the network boundary…), organizations should make sure to:
- Since this is a Windows-only issue, organizations relying on the Windows operating system should upgrade to more recent versions (not necessarily Windows 10). While this may not always be possible because of compatibility issues between older software with newer Windows versions, upgrading should be a priority nevertheless and alternative vendors should be sourced whenever possible. Organizations should make it clear to critical software vendors that they consider it unacceptable to not support more recent OS versions.
- Good and regularly tested backups should be made a priority as well as regular training exercises to restore those backups.
- Work should be done to update the organizations’ asset inventories and network maps to guarantee the ability to isolate nodes, as well as audit and enforce compliance with security architecture best practices.
- Careful planning and training should be required of employees within all departments as well as to outside contractors. Organizations should view their cybersecurity in a holistic way and consider creating and sustaining a internal and a global security culture spanning across departments, bringing together IT processes, governance, communication, legal and HR aspects.
A global approach to cybersecurity
It is CyAN’s approach to consider security within an organization as a global ecosystem made of people, technology and processes, that must work together and be maintained.
Within CyAN, experts not only in IT and cybersecurity, but also in communication, corporate finance, fraud protection, legal and HR work together to bring a coherent cybersecurity vision gleaned from their experiences. This approach must be applied from top to bottom (from the board of Directors to the intern) as proper governance, but also from bottom to top, making information and intelligence available to decision-makers and allowing for better governance. The WannaCry infection underlines perfectly why such an approach is key, and it should be used by organizations as an opportunity to embark on a global and coherent review of their security posture in order to prevent such a massive, yet perfectly avoidable attack from happening again.
Credits
This report has been prepared for CyAN, the Cybersecurity and cybercrime Advisors Network (http://testwp.cyan.network) by Jerome Saiz with input from the following CyAN consultants: Christian Aghroum, Abdul Hakeem Ajijola, Oriane Barat-Ginies, David Bizeul, Cormac Callanan, Peter Coroneos, Daniela Fabian, Markko Künnapu, Richard C. LaMagna, Maelle LeLardic, Jean-Christophe Le Toquin, Andrew Lewman, Thomas Rickert, Françoise Sance.