Hard lessons banks should learn from WannaCry
The WannaCry ransomware attack that swept the globe on Friday, hobbling several hospitals in the U.K. and wreaking havoc on tens of thousands of computers, is still active, leaving desktops and servers at risk.
The ransomware’s effects are clearly devastating. Files are locked and inaccessible until a ransom—typically around $300 worth of bitcoin—is paid.
No banks have confirmed that they have been affected by WannaCry. News sites reported on Friday that BBVA and Santander had been affected in Spain, but spokespeople at both banks firmly said the banks had not been affected in Spain or the U.S.
Still, banks remain a top target for ransomware and it would be a substantial risk to the business if a bank were to become a victim. Imagine the fallout if banks were locked out of customer or transaction records for a long period of time.
The good news is that any computer loaded with up-to-date, well-patched software, effective anti-phishing and anti-malware tools and hot and cold backup should in theory be safe from ransomware.
But in even the most security aware companies, there are cracks in that security assumption.
The desktops and laptops of work-from-home employees who don’t use the company’s VPN or whose computers are not maintained as securely as on-premises equipment, for instance, are at risk. (It was a home computer whose network access hadn’t been upgraded to two-factor authentication that allowed hackers to breach 83 million records at JPMorgan Chase in 2014, for instance.)
Systems that are accessed by third parties, such as marketing service or infrastructure providers, are also vulnerable — there’s a chance that they don’t maintain strong security protocols. The Target breach was a high-profile example of this.
In some cases, the WannaCry ransomware broke into a company’s network through a successful phishing attack. There are phishing attacks that can defeat the best phishing filters, for instance where hackers take control of a legitimate email server and send malicious messages from it. No filter that looks at domain names would question them. Software that opens all links and attachments in a secure vault might help in this scenario, however.
The perils of not patching
The WannaCry ransomware attack underscores the importance of keeping software such as Windows operating systems up to date and patched, and the fact that many companies don’t do so.
WannaCry uses an exploit called EternalBlue that is generally believed to have been developed by the U.S. National Security Agency to break into computers through a weakness in Windows operating system code. It was leaked by the Shadow Brokers hacker group in April. The month before, Microsoft released patches for it and other Windows vulnerabilities. In other words, people who installed that update are largely protected from the exploit.
On Friday, Microsoft took the unusual step of also providing a security update for Windows XP, Windows 8 and Windows Server 2003, even though these versions are past their support cycles.
“Even if you have great spam filtering and good employee training, yet you have a large environment and you’re not on a good patch cycle, there is potentially the ability to be compromised through a Microsoft Windows vulnerability,” said Austin Berglas, head of cyberdefense for K2 Intelligence, a compliance and cybersecurity consulting and services provider. “This case has proven that organizations are woefully behind the times in their patching cycles. A patch was made available and organizations didn’t deploy it.”
Keeping software up to date seems like a simple task and a given for any security-conscious company such as a bank. But experts say it’s not as easy as it sounds.
A March survey by 1E of more than 1,000 U.S. IT pros found that only 9% of enterprises had completed their Windows 10 migrations, while another 38% said their migrations were underway. At 64%, the majority of respondents predicted that their migrations would take more than a year to complete.
Software upgrades in a large organization are hard and there’s often little visible reward for the effort.
“Companies have generally seen migrations as a big huge project and a project you can defer ad infinitum,” said Sumir Karayi, founder and CEO of 1E, a company that provides software patching services. “If you’ve got another project that comes along that’s about creating more business value or competitive advantage, then of course you’re going to choose that instead of Windows migration, which doesn’t give you competitive advantage. It’s just another version of Windows.”
Windows upgrades tend to take several years in large companies, he said.
“If you think about a project that lasts a year to two years, if I don’t have to do it, I probably don’t want to do it, or I want to defer it until the last moment,” Karayi said. “This is what happened with Windows XP to Windows 7 migrations the last time around.”
Some U.K. hospitals that were victims of WannaCry hadn’t made the migration to Windows 7, which came out in 2009.
“Unless this mindset changes, people are not going to stay current,” Karayi said.
End users have gotten used to the idea of patching because their mobile apps are updated all the time, he pointed out.
“But IT needs to embrace the change,” he said.
Karayi recommends that every company run a regular report that shows whether it’s running current software or not. “Certainly the CIO should know,” he said.
Experts recommend automating the process of patching software.
“Don't leave patch management up to employees,” advised Al Pascual, research director at Javelin Strategy & Research. “Companies attempt to avoid creating business interruptions by allowing employees to dictate when updates are applied. With vulnerabilities being more quickly weaponized than ever before, companies that choose to institute a patch should do so uniformly and immediately, at the least overnight and outside business hours.”
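The regular report Karayi recommends, and the uniform rollout Pascual calls for, both depend on knowing which machines actually carry a given update. The following Python script, added here as an illustration rather than code from the article or from any vendor, produces that report from a constructed inventory: it separates hosts that have the required update from those that lack it (with the number of days they have been exposed since the fix was published), flags hosts running a Windows version that is past its support cycle, and treats hosts that have not checked in recently as unknown rather than assuming they are current. The update identifier `KB-EXAMPLE-0001`, the release date and every host in the inventory are placeholders.

```python
"""
Patch-currency report of the kind the article says every company should run:
which hosts carry the required update, which do not, and which run a Windows
version the vendor no longer supports. The inventory, update identifier and
release date below are constructed placeholders, not values from the article
or from Microsoft.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed placeholder for the required update and the day it was published.
REQUIRED_UPDATE = "KB-EXAMPLE-0001"
RELEASE_DATE = date(2017, 3, 14)  # placeholder for a March release, as the article describes

# Versions the article says Microsoft patched even though they are past support.
UNSUPPORTED_OS = {"Windows XP", "Windows 8", "Windows Server 2003"}


@dataclass
class Host:
    name: str
    os: str
    installed_updates: Set[str] = field(default_factory=set)
    last_seen: Optional[date] = None  # when the host last reported its inventory


# Constructed sample inventory (names and data are made up).
INVENTORY: List[Host] = [
    Host("branch-pc-01", "Windows 10", {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}, date(2017, 5, 12)),
    Host("branch-pc-02", "Windows 7", {"KB-EXAMPLE-0002"}, date(2017, 5, 12)),
    Host("teller-xp-03", "Windows XP", set(), date(2017, 5, 10)),
    Host("home-laptop-04", "Windows 7", {"KB-EXAMPLE-0001"}, date(2017, 3, 2)),
    Host("srv-2003-05", "Windows Server 2003", set(), date(2017, 5, 12)),
]


def classify(host: Host, required: str, release: date, today: date,
             stale_after_days: int = 14) -> Tuple[str, int]:
    """Return (status, days) for one host.

    status is one of:
      stale_inventory  - host has not reported recently; its patch state is unknown
      unsupported_os   - OS past end of support; needs the out-of-band fix or replacement
      missing_patch    - required update absent; days = days since the fix was released
      compliant        - required update present
    days is the inventory age for stale hosts, the exposure window for
    missing_patch hosts, and 0 otherwise.
    """
    if host.last_seen is None:
        return "stale_inventory", -1
    age = (today - host.last_seen).days
    if age > stale_after_days:
        return "stale_inventory", age
    if host.os in UNSUPPORTED_OS:
        return "unsupported_os", 0
    if required not in host.installed_updates:
        return "missing_patch", (today - release).days
    return "compliant", 0


def compliance_report(inventory: List[Host], required: str, release: date,
                      today: date) -> Dict[str, List[Tuple[str, int]]]:
    """Group hosts by status: the CIO-level view the article calls for."""
    report: Dict[str, List[Tuple[str, int]]] = {
        "compliant": [], "missing_patch": [], "unsupported_os": [], "stale_inventory": []}
    for host in inventory:
        status, days = classify(host, required, release, today)
        report[status].append((host.name, days))
    return report


def percent_current(report: Dict[str, List[Tuple[str, int]]]) -> float:
    """Share of hosts confirmed to carry the required update."""
    total = sum(len(v) for v in report.values())
    return round(100.0 * len(report["compliant"]) / total, 1) if total else 0.0


def run_report(today: date = date(2017, 5, 15)) -> Dict[str, List[Tuple[str, int]]]:
    """Run the report over the constructed inventory for a fixed reference day."""
    return compliance_report(INVENTORY, REQUIRED_UPDATE, RELEASE_DATE, today)


if __name__ == "__main__":
    rpt = run_report()
    for status, hosts in rpt.items():
        print(f"{status:16s} {hosts}")
    print(f"current: {percent_current(rpt)}%")
```

The stale-inventory check matters for the work-from-home laptops mentioned earlier: a machine that has not reported in weeks may well have had the update when it last checked in, but the report should not count it as current on that basis.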
Beyond software updates and patches
Good patching practices are not enough to prevent ransomware — the next attack, after all, could involve a zero-day exploit for which no patch has yet been issued. Defending a company against ransomware, like almost any cyberthreat, requires a layered defense.
One security practice that would help is segmentation — making sure that once the adversary has gotten in, they can only go so far and can’t reach critical assets.
“The practice of least privilege is making sure your users only have access to the information areas on your network they need to do their job,” Berglas said. “Overprivileges can allow for the spread of this type of infection quickly.”
Employee awareness and training are always important.
“Companies should provide regular training and audits on phishing awareness,” Pascual said. “The one constant across all devices is the user, and it's the weakness that criminals most depend on.”
Another layer is detecting malware activity, which in this case means the malicious internal and external scans for software vulnerabilities.
And there’s keeping up with and using all the indicators of compromise that can be found in professional digests and blogs, so you can block the emails, domains and IP addresses that are associated with a ransomware campaign, Berglas said.
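Putting such indicators to use means checking mail, proxy and DNS records against them. The Python below is an added example, not code from the article or from K2 Intelligence: it loads a blocklist of sender addresses, domains and IP addresses and flags the log lines that match, treating any subdomain of a blocked domain as blocked and pulling the host out of URLs in mail records. The indicators are reserved example names and addresses (RFC 2606 domains, RFC 5737 ranges) and the log lines are constructed; the key=value log format is an assumption for the example.

```python
"""
Indicator-of-compromise (IOC) blocklist check over log lines. The indicators
and the log lines are constructed for this example; real indicators come from
the threat-intelligence digests the article refers to.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Iocs:
    domains: FrozenSet[str]  # a blocked domain also blocks all its subdomains
    ips: FrozenSet[str]      # blocked IPv4 addresses
    senders: FrozenSet[str]  # blocked sender addresses


# Constructed indicators using reserved names and address ranges.
IOCS = Iocs(
    domains=frozenset({"payload.example.invalid", "c2.example.invalid"}),
    ips=frozenset({"203.0.113.7", "198.51.100.23"}),
    senders=frozenset({"billing@invoice.example.invalid"}),
)

# Constructed log lines: "<timestamp> <source> key=value ...".
SAMPLE_LOGS = [
    "2017-05-12T09:01:00Z mail from=billing@invoice.example.invalid to=alice@bank.example subject=Invoice url=http://payload.example.invalid/inv.zip",
    "2017-05-12T09:02:11Z mail from=bob@partner.example to=alice@bank.example subject=Lunch url=http://www.partner.example/menu",
    "2017-05-12T09:03:30Z proxy src=10.0.0.5 dst=203.0.113.7 host=www.c2.example.invalid",
    "2017-05-12T09:04:02Z proxy src=10.0.0.6 dst=192.0.2.10 host=updates.vendor.example",
    "2017-05-12T09:05:45Z dns src=10.0.0.7 qname=sub.deep.c2.example.invalid",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """Split a log line into its fields plus the timestamp and record kind."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    fields["kind"] = kind
    return fields


def domain_blocked(name: str, iocs: Iocs) -> bool:
    """True if name equals a blocked domain or is a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in iocs.domains for i in range(len(labels)))


def ip_blocked(addr: str, iocs: Iocs) -> bool:
    """True if addr is a well-formed IP address on the blocklist."""
    try:
        return str(ipaddress.ip_address(addr)) in iocs.ips
    except ValueError:
        return False


def match(fields: Dict[str, str], iocs: Iocs) -> List[str]:
    """Return the reasons a parsed record hits the blocklist (empty if none)."""
    reasons = []
    if fields.get("from", "").lower() in iocs.senders:
        reasons.append("sender:" + fields["from"])
    if "url" in fields:
        host = urlsplit(fields["url"]).hostname or ""
        if domain_blocked(host, iocs):
            reasons.append("url-host:" + host)
    for key in ("host", "qname"):
        if key in fields and domain_blocked(fields[key], iocs):
            reasons.append(f"{key}:{fields[key]}")
    if "dst" in fields and ip_blocked(fields["dst"], iocs):
        reasons.append("dst-ip:" + fields["dst"])
    return reasons


def scan(lines: List[str], iocs: Iocs = IOCS) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, kind, reasons) for every line that matches an indicator."""
    hits = []
    for line in lines:
        rec = parse(line)
        reasons = match(rec, iocs)
        if reasons:
            hits.append((rec["ts"], rec["kind"], reasons))
    return hits


if __name__ == "__main__":
    for ts, kind, reasons in scan(SAMPLE_LOGS):
        print(ts, kind, ", ".join(reasons))
```

A blocklist is only as good as its feed: as the article notes, mail sent from a compromised but legitimate server carries a clean domain and passes this kind of check, which is why indicator matching sits alongside patching, segmentation and backups rather than replacing them.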
Hot and cold backup
If all else fails, and ransomware breaks through all of a company’s defenses, one safety measure remains: good backup. If a computer is effectively backed up, and that backup is not affected by ransomware, the infected computer can be shut down and a new instance of it booted up on a new piece of hardware.
But effective backup is not universal.
“We’ve come across a lot of companies that don’t back up properly,” Berglas said.
And systems used for real-time backup can also be infected by ransomware.
“When you have an aggressive strand of ransomware that rapidly moves throughout the environment and it’s going to seek out any type of connected infrastructure, if your backup is always hot, meaning it’s always connected, there’s a potential that you could turn your systems on Monday morning and find that your backup is encrypted as well,” Berglas said. “Organizations that practice cold backup and disconnect the backup at certain times from the corporate network will be safer in situations like this.”