It’s hard to overstate the damage that the spread of the WannaCry ransomware attack has had and will continue to have across the globe.
The attack, which hit hospitals, telecoms, transit, universities and utilities across Europe and Asia last Friday, is a massive one that will end up costing untold billions of dollars, risking who-knows-how-many lives, and taking an immeasurable toll in lost business and remediation.
For years, U.S. officials like retired Gen. Michael Hayden, former director of the NSA, have warned of the massive vulnerabilities of our infrastructure to cyberattacks. Although the U.S. was not a major target in this potentially first wave of attacks, those officials have the cold comfort of knowing they were right. We, and the rest of the world, are woefully unprepared to fight against coordinated cyber attacks.
To make matters worse, the NSA developed the tool hackers used to unleash the “WannaCry” ransomware on the world. Code-named “EternalBlue”, the hacking tool the security agency created was used to hack into millions of Windows computers by exploiting a vulnerability in a network protocol. That tool was obtained by a hacking group called Shadow Brokers and released “into the wild” last month.
Still, Microsoft had released a patch to close the vulnerability, back in March. For those of you who want to run to your computers and check, it is MS17-010. Obviously, massive numbers of systems — from servers to desktops — are unpatched and vulnerable.
If we are lucky enough to have dodged a bullet in the U.S., we should count ourselves very lucky — especially since we created the monster in the first place. But we shouldn’t go back to business as usual. There are lessons to be learned — and work to do.
It turns out Apple was right.
In the fall of 2015, Apple and other technology companies were embroiled in a controversy over privacy vs. security. At issue was an encrypted phone used by a “terrorist” that the FBI demanded Apple hack into. When that request failed, a national conversation ensued over suggestions that technology companies build backdoors into all devices so law enforcement and homeland security could adequately “protect us.”
Apple, Google and, yes, Microsoft, demurred because a backdoor would put everybody at risk. And it turns out they are right. Very little, in fact, really nothing is safe and secure. Last week’s hackathon certainly proved that.
Tools we create to defeat security measures, whether we’re cop or criminal, are inherently unsafe. Even the NSA can’t keep their work product safe.
What’s your excuse for not patching systems?
Let’s see. We’re too busy. Something might break if we do. We haven’t had time to test.
No one ever wants to believe that the answers to big problems can be simple. But sadly, they can be. The fact of the matter is, systems that had installed the critical patch delivered in March did not get hit. Q.E.D.
Of course, there are legitimate reasons why some companies lag behind in patching. Some systems landscapes are so complex that a test bed is required to ensure a critical piece of the operation doesn’t go down when a patch is applied. Not unsurprisingly, those hypercritical systems — hospitals, utilities, hydroelectric plants, law enforcement agencies, banks, and brokerages — are exactly the key targets for this attack and other large, coordinated efforts in the past.
But not all unpatched systems fall into this category. A year after the vast Heartbleed exposure in 2014 that opened a hole in the very system that provided security to nearly every public-facing server in the world, three out of four of the Forbes 2000 companies had still not deployed the patch that had been available for nearly 12 months.
If your business is at this level, then you need a permanent test bed and the staff to regularly review, test, evaluate, and deploy critical patches. For the rest of us, not patching is a weak excuse. And, this week, a costly one.
It still takes a user.
An unpatched system in and of itself is just a petri dish. But layer in an authenticated user, who clicks where they shouldn’t and — whamo — you’ve got the technology equivalent of Ebola.
And that’s exactly what happened here. Attackers sent an encrypted zip file, which is harder for intrusion detection systems to scan. And yet, over and over, the file was opened, spreading throughout attached devices and computers on the user’s network.
When I talk about cybercrime and security, I often hear: “Everyone knows that.” Clearly, everyone doesn’t. And that’s a pretty expensive sandbox to bury your head in. The ransom demanded for each hack so far totals over $30 million.
Have you been hit by ransomware? We want to talk to you. Share your experiences with other businesses who need to know this is a threat is not happening “to someone else.” Email [email protected].