WannaCry, the recent devastating global ransomware attack, is now the largest of its kind in internet history. The attack has breached hundreds of thousands of computers in more than 150 countries, crippling a wide range of enterprises, from hospitals and universities to banks and warehouses.
In order to breach an enterprise, WannaCry and other forms of crypto-malware have been delivered in zip files, documents or executables downloaded from the web, attached to email or carried on USB keys. Once WannaCry has infiltrated an organization, it moves laterally, holding computer networks hostage until a ransom is paid. I explained exactly how this process unfolded in a recent blog post:
“The WannaCry crypto-malware variant uses the EternalBlue vector to move laterally in an organization. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target. To attack a target, the attacker must be able to reach it – crossing the firewall. If a compromised computer has mounted shares or knows how to reach an SMB server, the attacker can use this to propagate from the compromised device to the SMB server.”
While the attack is now largely in the rearview mirror, ransomware is still very much a concern among enterprises. WannaCry has created a number of lessons in its wake, and it’s important we take them into account in order to prevent an attack of this scale from happening again.
The first lesson is that quickly patching vulnerable systems is fundamental to stopping lateral spread in any organization. Next is that WannaCry, which was made possible by a leak of the NSA’s hacking tools, served as the latest reminder that the “good guys” cannot keep vulnerabilities from falling into the wrong hands. But the most important takeaway is that humans will continue to cripple cyber security so long as they continue to play such a prominent role in protecting the enterprise.
Although Microsoft publicly released a patch addressing this specific vulnerability weeks before, the thousands of personal computers displaying the now-infamous red ransom screen illustrated that few had applied it as instructed. (Of course, it’s not just humans that are to blame — it’s the security paradigm. Windows XP users did not have this option, since XP has been unsupported for three years.)
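The patching lesson above has a concrete, checkable counterpart on each Windows host: confirm whether the SMBv1 server that EternalBlue targets is still enabled, turn it off where it is, and stop inbound SMB from untrusted networks so that a compromised machine cannot reach the SMB service across the firewall. The script below is an added example written for this article, not code from Bromium or from the original post. It assumes an elevated PowerShell session on Windows 8.1/10 (the `SMB1Protocol` optional feature name and the `Get-SmbServerConfiguration` cmdlet do not exist on Windows XP or older server builds, where `Get-WindowsFeature FS-SMB1` is the equivalent); the firewall rule name and the `KbId` parameter of `Test-HotfixInstalled` are placeholders the reader supplies, since the article does not name a specific update.

```powershell
# Added example (not from the article): audit and harden SMBv1 exposure on a Windows host.
# Assumes Windows 8.1/10 with an elevated session; cmdlet names below are the stock
# SmbShare, DISM and NetSecurity modules that ship with those versions.
#Requires -RunAsAdministrator

function Get-Smb1Status {
    # Server-side SMB1 switch: this is the protocol the vulnerable service speaks.
    $serverOn = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # State of the SMB1 optional feature itself (client and server components).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Smb1ServerOn     = [bool]$serverOn
        Smb1FeatureState = $feature.State     # Enabled / Disabled / DisabledWithPayloadRemoved
    }
}

function Disable-Smb1 {
    # Turn off SMB1 on the server side immediately, then remove the feature (takes effect after reboot).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmbOnPublicNetworks {
    # Block TCP 445 on the Public profile only, so domain/private file sharing keeps working.
    $ruleName = "Block inbound SMB (TCP 445) on public networks"   # placeholder name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

function Test-HotfixInstalled {
    # Returns $true when the given KB is present. The KB id is a placeholder the caller supplies;
    # the article does not name the specific update, so none is hard-coded here.
    param([Parameter(Mandatory)][string]$KbId)
    [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

$status = Get-Smb1Status
$status | Format-List
if ($status.Smb1ServerOn -or $status.Smb1FeatureState -eq 'Enabled') {
    Write-Warning "SMBv1 is enabled on $($status.ComputerName); disabling it and blocking inbound 445 on public networks."
    Disable-Smb1
    Block-InboundSmbOnPublicNetworks
}
```

Run it per host, or wrap `Get-Smb1Status` in `Invoke-Command` against a list of machines to get a fleet-wide inventory before changing anything; the feature removal only completes after a reboot, so the server-side switch is what closes the exposure immediately.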
As I said in my commentary on the attack, “As long as the industry continues to play this neverending cat and mouse game of patchwork systems, sophisticated attackers will easily find ways to exploit the public in increasingly large scale attacks such as this.”
At Bromium, we released an industry study just a week before the WannaCry attack that underscored the point that humans continue to be the biggest threat to cyber security. We surveyed security professionals at the premier cyber security event, RSA Conference, as well as sec pros from the U.K. and U.S., and were shocked to find it’s not just unsuspecting end users we need to worry about, but those tasked to oversee the security operation.
We found that on average, 10 percent of security professionals admitted to paying a ransom or hiding a breach without alerting their team. This means that for every 10 individuals on your team, it’s likely that one of them has committed this act of subterfuge. (Someone might have even done it for WannaCry.) Keep in mind, these are only respondents who were willing to be forthcoming about their behavior — if every security professional came forth about their behavior, I would expect this to be an even more alarming statistic.
There are several reasons why these undisclosed dealings are taking place on such a considerable scale. One is that ransoms typically aren’t that expensive. While paying $300 takes a cut of your checkbook, it is a small price to pay to maintain your professional reputation.
This leads into the main reason why professionals are hiding breaches: Getting owned is embarrassing. No one wants to face ridicule from co-workers or be reprimanded by their boss. But keeping these secrets from employers puts the enterprise at tremendous risk. Not only have you let someone into the network, but you’ve left a backdoor for the next breach, which is likely to be more complex. This finding not only speaks to the growing sophistication of cyber attacks, which are fooling those being paid handsomely to prevent them, but also to how we continue to underestimate the role humans play in cyber security.
The study also uncovered another deeply troubling finding: On average, 35 percent of security professionals admitted to bypassing their corporate security settings. No one is surprised when employees avoid security settings (at this point, it’s a given), but it is disturbing to see irresponsible decisions being made within the security department. When you can’t trust what’s happening on the front lines, it means the model is broken.
If there is one thing we should take away from the fallout of WannaCry, it’s that we are overdue for a reset in this industry. There is greater urgency than ever to map trustworthiness into technology, not humans. Cyber security solutions should eliminate human error, not enable it.
Enterprises need to embrace security that takes the burden off the end user and ensures IT and security teams protect their business assets and data. Of course, the positive corollary is that end users go back to getting their work done without constraints placed on them by the security team.
While the potential losses from WannaCry are staggering, my hope is that it will be a net positive for the industry that inspires sweeping changes across the board. Human nature is a variable that cannot be controlled, and as this episode demonstrated, it will continue to wreak havoc if left unfettered. This attack should serve as a watershed moment that resets the security paradigm and actually embraces human behavior rather than trying to change it.
Simon Crosby, co-founder and CTO of Bromium
Image Credit: WK1003Mike / Shutterstock