ISACA Now Blog

WannaCry: Is this a Watershed Cyber Security Moment?

Raef Meeuwisse, CISM, CISA, Author, “Cybersecurity Exposed”
Posted at 6:57 AM by ISACA News | Category: Security

As I watched the news, I was struck by the inaccuracy of much of the initial coverage of the massive wave of ransomware attacks that surfaced on 12 May. Even my partner thought that the National Health Service (NHS) computers, as well as other targets around the world, were being intentionally targeted by a coordinated global cyberattack.

The truth was far worse. This was no more than an infection designed to take advantage of environments that failed to have even the most basic of cyber security protection in place.

This malware, known by various names including WannaCry and Wanna Decrypt0r, is understood to have originated from leaked US NSA cyber tools. However, both the leak and the tools it contained were already widely known about, and fixes to prevent the malware from working were readily available.

To prevent this particular malware from operating, all organizations had to do was be running a supported operating system with the latest software updates applied. (Microsoft had released the patch that prevents this malware from working to its supported operating systems back in March.)

Even if your computers were not patched, or were running an unsupported operating system, if your organization had selected a more effective anti-malware solution, that also would have been enough to prevent the malware from working.

Where the malware entered an unprotected computer on a network, it was able to seek out other undefended computers on the same network. Almost like a red team identifying vulnerabilities, the malware highlighted organizations and computers that were running unsupported operating systems, unpatched operating systems, wide open network topologies and less effective, or completely absent, anti-malware protection. One by one, the worst configured and maintained environments that received the malware started to experience substantial disruption.

The consequences of this event are devastating. The interruption has affected services including the provision of healthcare, and some healthcare staff have already alleged that this event is likely to have led to several unnecessary deaths because many clinical services became temporarily unavailable. In fact, the ISACA publication on healthcare IT governance that I had just finished drafting includes statistics on how faulty technology in healthcare environments leads to hundreds of deaths and thousands of serious injuries each year, based on UK figures alone from the UK regulator MHRA (Medicines and Healthcare products Regulatory Authority, the UK equivalent of the US Food and Drug Administration).

So, will this event finally help cyber security practitioners who have failed to get buy-in from their management to make the changes they need? I hope so.

This event should be a wake-up call. The Internet is a dangerous place IF your computers and networks are not taking at least basic precautions.

For those executives who thought that because this type of event never used to happen, it never will, it is time for a rapid rethink while you still have an organization to protect.

Editor’s note: Raef Meeuwisse, CISM, CISA, is author of several cyber security publications, including “How to Keep Your Stuff Safe Online,” available at iTunes: https://itunes.apple.com/gb/book/how-to-keep-your-stuff-safe-online/id1212130763?mt=11&ign-mpt=uo%3D4

Comments

Re: WannaCry: Is this a Watershed Cyber Security Moment?

Hi, Raef

Excuse me, but I want to take advantage of your post and consult the ISACA Community on whether someone has tested the tool "NoMoreCry-v0.3" (developed by CCN-CERT). It is mentioned as an interesting tool to protect us from the WannaCry ransomware. Link to see: https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/4497-ccn-cert-nomorecry-tool-v-0-3-actualizada-la-vacuna-frente-a-wannacry.html
HEBER733 at 5/15/2017 4:40 PM

If we truly want a solution to cyber security, join the revolution.

Raef dear, let me assure you: last week's event will not change anything, it cannot.

Who will change it, our governments? Their language is regulatory driven, and we have already been in that situation, and as my late grandmother used to say, it's all Bubkes. Who will change it, our ExCo? Most of the information security risk assessments we provide are still based on point estimates, which is useless.

If ISACA wanted to really make a difference, it would have adopted the FAIR methodology that Jack Jones has developed and declared point estimates an invalid way of estimating cyber risks.

If we truly want to see a change, we must join the revolution...
https://www.linkedin.com/pulse/revolution-eh-den-biber
infoseq at 5/16/2017 1:06 AM

Zero Day vulnerabilities and Anti-malware

Dear Raef, thank you for writing this article and for the insights you provided. However, I have to disagree on one point, where you stated: 'Even if your computers were not patched, or were running an unsupported operating system, if your organization had selected a more effective anti-malware solution, that also would have been enough to prevent the malware from working.'
Actually, even if you have the most powerful anti-malware on unpatched Windows systems, it wouldn't have been able to detect that ransomware, because it targeted a zero-day vulnerability, meaning that the anti-malware had no definition of the malware signature by the time the attack was initiated. That's why it infected as many systems as it did. Although anti-malware products might have a signature by now, Windows systems are not safe unless that vulnerability is patched.
Sarah074 at 5/16/2017 6:18 AM

A change gonna come!

Hi Raef
Last weekend's WannaCry ransomware attack is a milestone in Board Members' cyber-awareness.
Many of these guys discovered that a threat can happen anytime, unattended!
Chances are some of them reacted very well and are able to implement a solution in a very short time.
I agree with you when you state that many of these institutions and companies could have been protected by basic security hygiene rules: applying security patches is one of the major rules, and this rule rules in the Board Room from now on.
Nice article, by the way! And I loved your books (Cybersecurity for Beginners & Cybersecurity Exposed)!
Mamane
Mamane at 5/16/2017 12:48 PM

Re: WannaCry: Is this a Watershed Cyber Security Moment?

Read "one of major rule ...." in my previous post!
Mamane at 5/16/2017 12:54 PM

Zero Day and AI Anti-Malware

Hi everyone, thank you for all of these comments.

I want to be vendor neutral, but just to mention two things:

1) Several anti-malware products were already effective against the malware attack by May 12th, including Kaspersky.

But what about when it was a zero day threat?

2) At least one anti-malware product that uses machine learning techniques was rolled back one year in version and tested to see if it detected and blocked WannaCry. It did. https://twitter.com/CarlGottlieb/status/863157545552289792

If you know of others that are also zero-day effective, please feel free to post them.

Part of the message I wanted to convey is that there are now more and more solutions that can defeat MOST (but not all) zero day threats, at least in many standard endpoint devices (servers, laptops, smartphones).

You can even completely block shell scripts from running in a hyper secure mode.

I hope this helps. Please keep adding your thoughts, insights and additional information.

Best regards

Raef
Raef at 5/16/2017 3:03 PM

WannaCry is a worm

Based on the latest information, WannaCry fits well into the classical definition of a worm. It has two main parts, a worm module and a ransomware module; refer to https://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99&tabid=2

WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database, multimedia and archive files, as well as Office documents. In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims—an amount that increases incrementally after a certain time limit. The victim is also given a seven-day limit before the affected files are deleted—a commonly used fear-mongering tactic.

What makes WannaCry’s impact pervasive is its capability to propagate. Its worm-like behavior allows WannaCry to spread across networks, infecting connected systems without user interaction. All it takes is for one user on a network to be infected to put the whole network at risk. WannaCry’s propagation capability is reminiscent of ransomware families like SAMSAM, HDDCryptor, and several variants of Cerber—all of which can infect systems and servers connected to the network.
Tariq296 at 5/18/2017 10:18 AM

Where is ISACA official note for members to deal with WannaCry

ISACA, as a leader for IT auditors, must lead by providing guidance to auditors for preventing this worm; here are my two cents:
1. Patching is critical and is available for Windows systems, including those no longer supported by Microsoft. If you can’t patch directly, using a virtual patch can help mitigate the threat.
2. Deploying firewall-based intrusion prevention systems can help reduce the spread of this threat.
3. Red flags on socially engineered spam emails, Phishing Mail subjects, Malicious Domains and IPs, refer to https://trapx.com/wannacry-thoughts-and-threat-intelligence/.
4. Application control based on a whitelist can prevent unwanted and unknown applications from executing to avoid malicious components in the system.
5. Disable the SMB protocol on systems that do not require it.
6. Create log alerts for SMB to detect possible exploits.
7. If mssecvc.exe, one of WannaCry’s components, is already in the system, the kill switch—as long as it is there—will prevent WannaCry’s encrypting component from being dropped in the vulnerable machine. IT/system administrators and InfoSec professionals can still do the necessary incident response and remediation tasks—updating and patching the system in particular.
Tariq296 at 5/18/2017 10:20 AM
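The SMB log-alerting step above (item 6), as an added defensive example that is not from the page or from the commenter: a small Python detector run over constructed firewall log lines that flags any host fanning out to many distinct peers on TCP/445 within a short window, which is the network-propagation pattern the comments describe. The log format, the 60-second window and the peer threshold are assumptions; tune them to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (not from the page): timestamp src dst dport action.
# 10.0.1.20 sweeps four peers on TCP/445 in two seconds (worm-like);
# 10.0.1.30 talks to one file server; 10.0.1.50 touches four peers slowly.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.20 10.0.1.21 445 ALLOW
2017-05-12T10:00:01 10.0.1.20 10.0.1.22 445 ALLOW
2017-05-12T10:00:02 10.0.1.20 10.0.1.23 445 DENY
2017-05-12T10:00:03 10.0.1.20 10.0.1.24 445 ALLOW
2017-05-12T10:00:03 10.0.1.30 10.0.1.5 445 ALLOW
2017-05-12T10:00:09 10.0.1.30 10.0.1.5 445 ALLOW
2017-05-12T10:00:10 10.0.1.40 10.0.1.41 443 ALLOW
2017-05-12T10:01:00 10.0.1.50 10.0.1.51 445 ALLOW
2017-05-12T10:04:00 10.0.1.50 10.0.1.52 445 ALLOW
2017-05-12T10:07:00 10.0.1.50 10.0.1.53 445 ALLOW
2017-05-12T10:10:00 10.0.1.50 10.0.1.54 445 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def smb_fanout_alerts(log_text, window_s=60, threshold=4):
    """Return {src: peer_count} for each source that reaches at least
    `threshold` distinct hosts on TCP/445 inside any `window_s` seconds.
    Denied attempts count too: a blocked sweep is still a sweep. A normal
    workstation talks SMB to a few file servers; a subnet sweep is the signal."""
    window = timedelta(seconds=window_s)
    by_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, _action = parse_line(line)
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()  # sliding window over time-ordered events
        best = 0
        for i, (t0, _) in enumerate(hits):
            peers = {dst for ts, dst in hits[i:] if ts - t0 <= window}
            best = max(best, len(peers))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, n in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {n} distinct hosts on 445 within 60s")
```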

ISACA Reaction to WannaCry

BTW, SANS has created a storm center to monitor WannaCry: https://isc.sans.edu/ . Did ISACA do the same to keep members informed?
Tariq296 at 5/18/2017 10:22 AM

healthcare IT governance

Wouldn't mind being sent a link to that publication when it is available, please. Thanks
William809 at 5/19/2017 10:49 AM