We Could Have Prevented WannaCry

If you were one of the 200,000+ (and counting) individuals who were impacted by the WannaCry ransomware attacks, you have my sympathy. You really do.

That goes triple for all of my IT/InfoSec brothers- and sisters-in-arms who spend dozens of hours every week trying to protect organizations from attacks like this one.

And launching the attack on a Friday? That’s stone cold savage.

In the nearly two decades that I’ve been working in IT and InfoSec, I’ve worked with businesses of all shapes and sizes: everything from small not-for-profits with zero full-time IT employees to multinational corporations with an annual revenue stream in the billion$.

Over that span of time, I’ve learned a thing or two.

For example, I learned that the first ransomware attack occurred nearly THIRTY YEARS AGO. No joke. In 1989, a guy named Joseph Popp loaded a Trojan horse onto a bunch of floppy disks and mailed those disks to some of his closest “friends.” The Trojan replaced the autoexec.bat file on the infected systems, which in turn counted the number of system reboots. Once the counter hit 90, Popp’s ransomware started hiding directories and encrypting filenames, showcasing a ransom note in the form of a EULA.

Fast forward to 2017, and wannabe criminals with little to no technical knowledge can now subscribe to Ransomware-As-A-Service via the dark web. Scary stuff.

Another thing I’ve learned, though, is that we ALREADY KNOW how to shut down attacks like these before they even start. We’ve known for some time now.

Take WannaCry, for example…

WannaCry takes advantage of the EternalBlue exploit code included in the NSA data leaked by the Shadow Brokers in April 2017. The exploit targets a vulnerability in SMBv1, the legacy version of the protocol Windows systems use to share files and other resources over the network. Microsoft released a patch (MS17-010) in March 2017, one month before the Shadow Brokers data dump, for supported versions of Windows.

(Quick aside: Microsoft insists that their hands are clean here, but they knew full well that there were still millions of active Windows XP installs globally, with thousands of XP systems directly accessible via the Internet. Their initial decision to not release a patch for XP was profit-driven, plain and simple, but let’s set aside corporate ethics for now and focus on the topic at hand.)

WannaCry does the following:

  • Targets an insecure, legacy version of a popular network service (SMBv1, TCP port 445);
  • Jumps from infected systems to uninfected systems on the same network, with no user interaction required;
  • Exploits a patchable vulnerability (on supported operating systems); and
  • Counts on the possibility that backups are not available.

You see where I’m going, don’t you?

Organizations impacted by WannaCry could have shut down this attack before it even started if only they’d:

  • Blocked unnecessary services, SMB (TCP 445) included, at the Internet-facing firewall;
  • Disabled insecure versions of those same services (SMBv1) on the internal host systems;
  • Applied available security patches (MS17-010, in this case) in a timely manner;
  • Upgraded host systems to supported versions of the OS; and
  • Configured, and tested, backups on systems hosting critical data, kept somewhere an infected host can’t reach and encrypt them.
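As an added example (my own script, not code from this post or from the CSSF), here is a PowerShell audit for the host-side items on that list. It assumes a Windows 8 / Server 2012 or later host, an administrative session, and a firewall rule name I picked for illustration. The MS17-010 KB list is the March 2017 set plus the May out-of-band package and is not exhaustive; a later cumulative update supersedes them, so a miss there is a prompt to verify in update history, not a verdict. Backup verification is site-specific and is left out.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from the CSSF.
# Audits one Windows host for the WannaCry preconditions listed above and,
# with -Fix, applies the host-side remediations. Assumptions: Windows 8 /
# Server 2012 or later (SmbShare, NetTCPIP and NetSecurity modules present);
# the MS17-010 KB list is partial and is superseded by later cumulative updates.
param([switch]$Fix)

$findings = New-Object System.Collections.Generic.List[string]

# 1. SMBv1 server protocol: EternalBlue only works against SMBv1.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol is ENABLED')
    if ($Fix) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Windows 8.1 / 10 can remove the component entirely (needs a reboot).
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
            -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

# 2. Exposure: TCP/445 listening with no host-firewall rule scoped to the
#    Internet. The perimeter firewall is the real control; this is a backstop.
$ruleName = 'Block inbound SMB from Internet'   # assumed name, pick your own
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($listening -and -not $rule) {
    $findings.Add('TCP/445 is listening and no Internet-scoped block rule exists')
    if ($Fix) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -RemoteAddress Internet `
            -Action Block -Profile Any | Out-Null
    }
}

# 3. Patch level: MS17-010 KB numbers (March 2017 security-only and rollup
#    packages for Windows 7/2008 R2, 8.1/2012 R2, 2012 and 10, plus the May
#    out-of-band KB4012598 for XP/2003/8). A miss here means "go verify in
#    Windows Update history", because a later cumulative update hides these.
$ms17010 = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
           'KB4012217','KB4012606','KB4013198','KB4013429','KB4012598'
$patched = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if (-not $patched) {
    $findings.Add('No MS17-010 KB visible in Get-HotFix; confirm via update history')
}

# 4. OS support: anything older than Windows 7 / Server 2008 R2 (NT 6.1) was
#    out of support when WannaCry hit and got no patch through Windows Update.
$os = Get-CimInstance Win32_OperatingSystem
if ([version]$os.Version -lt [version]'6.1') {
    $findings.Add("$($os.Caption) ($($os.Version)) is out of support")
}

# 5. Report. A clean host prints only the summary line.
$hostName = $env:COMPUTERNAME
if ($findings.Count -eq 0) {
    Write-Output "$($hostName): no WannaCry preconditions found"
} else {
    $findings | ForEach-Object { Write-Output "$($hostName): FINDING - $_" }
    if (-not $Fix) { Write-Output 'Re-run with -Fix to apply host-side remediations' }
}
```

Run it as-is to get a findings list per host (push it out with your management tooling of choice), then add -Fix to disable SMBv1 and add the host-firewall rule. Disabling SMBv1 can break very old clients and some printers and scanners, so test on a sample before fleet-wide rollout. The perimeter block on TCP/445 still has to happen at the edge firewall; the host rule only limits the blast radius if the edge is misconfigured.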

If only…

The real kicker is that there’s nothing groundbreaking in that list of security controls. They’re all IT/InfoSec 101. Basic stuff. Fundamentals.

So the real question is, “Why do we still struggle with the fundamentals?”

My opinion? We’ve been coming at security from a “run, then walk” standpoint, when common sense tells us it should be the other way around.

Businesses are expected to comply with dozens, if not hundreds, of IT security controls. Frameworks like ISO 27002 and NIST SP 800-53 are too complex for many small and medium business owners. The CIS Controls hit a little closer to the mark, but as someone who’s worked directly with business owners struggling to understand what they need to do in order to protect their businesses and the people that rely on them, I can attest first-hand that there’s still a considerable gap.

That’s where the Common Sense Security Framework comes in.

Every discipline has its fundamentals. Musicians learn chords and scales before they learn to play more complicated pieces. Athletes execute hours of passing, catching, and running drills before they set foot on the field for an actual game. Every university in the world insists that students take core classes before they dive into their major field of study.

So why don’t we follow that same practice in InfoSec?

My argument here is that we can, that we should, and that those fundamentals would have absolutely shut down WannaCry before it even started.

The CSSF is divided up into seven (7) areas of protection.

  • Protect Your Applications
  • Protect Your Endpoints
  • Protect Your Network
  • Protect Your Servers
  • Protect Your Data
  • Protect Your Locations
  • Protect Your People

For each area, the CSSF asks three (3) questions about an organization’s security controls. If you can’t answer yes to each question, then you don’t need to look any further. You’ve already pinpointed critical weaknesses that attackers are highly likely to exploit.

If you can’t answer yes to all twenty-one (21) questions, it doesn’t matter how much you’re spending each year on security: you’re going to get hit.

The best part is that the CSSF is HEAVILY based on free and open source solutions. I know how challenging it can be to justify a risk/security budget when your business is managing other risks (like competitors, production challenges, and making payroll). The CSSF includes commercial recommendations for organizations with the budget to afford them, but the controls themselves don’t change.

Keep in mind that the CSSF isn’t meant to represent a be-all/end-all InfoSec program. Rather, it represents the basic security skills you need to put into practice before you’re ready to step on the field and play the game.

You’ll still need to do PCI if you handle credit cards. You’ll still need to comply with HIPAA if you handle electronic protected health information. You’ll still need to comply with the alphabet soup that is GLBA, SOX, FERC, NERC, FERPA, COPPA, and FFIEC, depending on your industry.

But compliance is not security, folks. Compliance is a next step.

Walk, then run.

If you’re a small/medium enterprise, go through the CSSF questionnaire and figure out where your gaps are. If you don’t have a full-time IT/InfoSec staffer, find a local shop that can help you out. There are IT and InfoSec providers all over the WORLD who are more than capable of helping you out, and let’s be frank: if your IT infrastructure is critical to your business, you need to manage it accordingly.

If you’re a large enterprise, try using the CSSF as a core component of your InfoSec metrics program. Wouldn’t it be nice if you could directly connect the metrics you’re presenting to your board to your ability to prevent any impact from attacks like WannaCry? I have a hunch your board members will REALLY dig those numbers.

While the CSSF is geared toward organizations, there’s an opportunity here for vendors, security communities, and open source aficionados to develop CSSF-based solutions to help simplify InfoSec for home users. Not every control in the CSSF is going to apply on the home front, but the ones that do are relatively simple to automate.

In a world where we collectively put forth the effort necessary to implement and maintain those fundamental security controls, $4 billion attacks like WannaCry never get the momentum they need in order to trigger a global information security incident.

The big question is: Are we willing to take action before the next WannaCry rears its ugly head?
