Yesterday the news rapidly filled up with reports on a ‘massive cyberattack’, as I’m in the UK the press coverage was focused on the NHS and initially was full of comments about ‘smart’ hackers. This reporting is, in my opinion, giving these organizations an excuse for their negligence. The reporting often implies the attack is some kind of ‘act of god’ that they could not avoid, in this case it was trivial to avoid it, simply don’t connect out of date systems to the internet.
I did write an article recently pointing out the role of luck in cyber security, but there is also plenty of room for negligence. If we analyse this attack we find
- The malware is a ransomware - which as a family are regulaly updated to expliot new known security flaws, mainly in common software such as windows
- On 12th May at 01:24 AM Malwarehunterteam first spotted this new malware
- The malware is spreading via a known Windows exploit patched on 14th March 2017
- This exploit is part of the leaked ‘shadowbrokers’ tools, that (alledgely) the NSA had been hoarding and not reporting to vendors
- The NHS in the UK appear to have been particually badly effected as they are running a lot of Windows XP, which has been out of support since April 2014. This deadline was extremly well publicised - and any organisation still running any windows XP PC, on a internet connected network is negligent
- The worm spread very quickly - NY Times has a good map - showing quite how many unpatched systems there are
If we analyse these issues in a bit more detail we find a tale of negligance..
Ransomware is becomming a modern plague, for many years it was hard to hackers to monetize hacking. They could occaisionally break into systems like banks or payment gateways and directly extract money, but it was difficult, and even more difficult to get away with the cash. Ransomware solved this, by using exploits to break into consumers PC’s (their primary target), they get lots of small amounts of pretty near untracable money. This is a very profitable business - estimates up to $1 billion dollars have been made.
There are a few fixes to ransomware that could happen
- Fix all the vulnerabilities - However this is difficult and unlikely to happen, computers are complex and it’s probably not within our power to fix this.
- Stop the money flow - If people stopped paying then ransomware would not pay, however if you’ve just lost your photo’s to it, it’s going to be very tempting to pay. I would advocate making it extremely hard for them to be paid, for example you could ‘taint’ any bitcoin balance paid to an ransomware address, and ban any finance company handling it. Or you could make it illegal to pay a bounty - (it already is in some countries).
Paying ransomware is a bit like over using anti-biotics - it’s bad for humanity as a whole and has to stop!
Patching is not optional, it hasn’t been optional for 15 years, yet as this incident demonstrates the message has still not got out. Microsoft introduced automatic updates in 2000, anyone caught out by not patching since then is simply negligent.
One of the main causes of this issue is IT teams choosing not to patch, either by delaying it or stopping it entirely. This is ususally defended as an argument about compatibility. It’s true that some security updates have broken applications, but this is a case where the ‘cure is worse than the disease’. If you have system, that is all important to you, you cannot let is go unpatched. The ‘standard’ process of reviewing patches is harmful - hackers won’t wait for your IT team to get round to reviewing them and installing them. As soon as a vulnerability is known they will start adding to their ransomware. The only viable option is automatic updates.
Windows XP and ‘legacy’ systems
The NHS example with Windows XP is almost certainly down to money, the NHS as we all know is tight on resources and as a result will be ‘sweating’ old assets. This is once again simply negligence - I would not be surprised if all the delays and choas caused by this attack have killed or harmed patients - that will probably come out over next few days. It’s a false economy to keep running old systems, still connected to the internet. The cost in staff time/impact now will vastly exceed the cost of upgrading them. The managers who decided to make these decisions should be held accountable.
There is a serious argument to be made, that is any computer system is at all important to you, you cannot afford to let it fall into ‘legacy’ state. If you do you can guarentee at some point it will fail and stop your hospital or business. This also raises serious questions of negligence - the new GDPR regulations and the assoicated fines should focus peoples attention - just because something is legacy does not get you off the hook!
There has been a lot of commentary on the NSA exploits - but this is a fine proof point for why the government, or anyone having a ‘back door’ is a bad idea. It’s blind luck in this case that patching actually prevents the ransomware, in this case the shadowbrokers leak gave Microsoft the chance to fix it before it became a major issue. However it could easily have been far worse, if the ransomware had appeared before the patch every windows PC would have been vulnerable and this would have been far far worse.
What have we learnt? A tale of negligence
I think the main lessons to learn from this are
- Patching is not and has never been optional - if you don’t patch you are simply negligent
- If you have a system that’s important to you, your customers (or patients) you can’t declare it ‘legacy’ and ignore it - if you do you are negligent
- If you find a vulnerability (looking at you - NSA) and you don’t tell the vendor - you are negligent
- If you pay a ransomware vulnerability - you are encouraging this behaviour and you should be culpable
The argument that your limited budgets won’t pay to secure you computers really doesn’t work, if an organisation can’t afford to use computer systems in a safe way, you can’t afford the computer system at all. The organisation would be better off sticking to lower tech methods as the impact of these attacks is going to cost a huge sum in lost staff time and direct costs.