The Lessons of WannaCry Attack

We asked security experts what organizations can do to lower the risks posed by these threats.


On May 12, what experts are calling “the largest ransomware infection in history”[1] hit more than 200,000 computers in 150 countries. Called “WannaCry,” the self-propagating ransomware worm cast a harsh light on the growing threat of ransomware. WannaCry itself was not a Distributed Denial of Service (DDoS) attack, but the two threats increasingly travel together: in global research released by Neustar, ransomware experienced in concert with DDoS attacks increased 53% from 2016.


We know a lot about security: what the best practices are, where our vulnerabilities lie, how damaging an attack can be. But successful risk management depends on more than knowledge, for a couple of reasons. First, knowing what to do and actually doing it are two separate things. And second, we don’t know where and when the next attack will happen, much less how attacker methods and tactics will continue to evolve.

Experts we consulted pointed to three keys for mitigating ransomware and DDoS risk: updates, an overall defense strategy, and education.

Stay Up-to-Date

Everyone knows they should keep systems updated. And yet failing to keep up with the most basic security best practice, patch and system updates, played a huge role in the WannaCry attack. WannaCry spreads using the exploit known as EternalBlue, which targets a vulnerability in the SMBv1 file-sharing protocol of Windows. Microsoft had patched that vulnerability in March 2017 (security bulletin MS17-010), two months before the outbreak, so every infected machine running a supported version of Windows was one that had not applied the update. Unsupported systems were worse off: official support and patching for Windows XP ended three years ago, yet millions of machines around the world are still running it, and Microsoft took the unusual step of releasing an emergency XP patch only after the outbreak was under way. The practical corollary for administrators is to apply MS17-010 everywhere, disable SMBv1 where nothing depends on it, and block TCP port 445 at the network edge.

First off, some, like George Gerchow, VP of security and compliance for Sumo Logic, expressed disbelief “that patching is still an issue in 2017.”

“Organizations must push all critical security patches within 24 hours - no excuses. This is the DevSecOps advantage of baking security into your DNA.”

“As WannaCry exhibited, the patching of computers is critical in keeping up to date with security fixes,” says Chris Rouland, founder of Phosphorus.  “We have not seen a worm with lateral network movement like WannaCry for some time, and it was due to a massive vulnerable population that was exploited.”

Wayne Sadin, CIO at Affinitas Life, points out protection goes beyond the operating system. “Preventing intrusions starts with keeping critical network components up to date: apply patches quickly and don't run obsolete (i.e. unsupported) hardware or software. Technical Debt creates inestimable risks as threats evolve.”

Adds Paul Teich, Principal Analyst at TIRIAS Research, “Ransomware preys on known security exploits, so make sure all patches are up to date. If you rely on older apps, then think about modernizing; the threat environment is only going to get worse.”

Education and Backup are Critical

Having a solid plan – and making sure end-users know and abide by it – is critical. And backup is a key here. “The best ways to mitigate against a ransomware attack is to have an effective backup plan in place, in addition to having an awareness plan in place to train end-users,” urges Ben Rothke, Principal Security Consultant at Nettitude Group. 

Joseph Steinberg, CEO at SecureMySocial, expands on the backup aspect. “Make sure that you both 1. backup frequently to backups that are physically and logically disconnected from the source they are protecting, and 2. train and encourage your employees to practice good cybersecurity hygiene.”

A lot of end-user advice hinges on common sense. Raluca Ada Popa, computer security professor at UC Berkeley, points out that “One cannot fully protect against such ransomware attacks, but common-sense practices such as not downloading suspicious attachments, always installing security and system updates right away for your systems and applications, using anti-malware software, and choosing strong passwords, can go a long way.”

Brian Thomas, Chief Information Officer at Swope Health Services, agrees with the end-user education, and takes things a step further. “Like anything, planning and preparation are key to minimizing exposure to a threat,” he says. “You need to have a multi-layered strategy that includes endpoint protection, intrusion prevention/detection, end-user and social engineering training.” And he adds, “Artificial Intelligence must absolutely be part of that strategy.”

Automation and Other Best Practices

AI, automation, and centralized security management can amplify prevention efforts, and play key roles in a world that extends far beyond the firewall. “Network security is broader than ever with many companies extending to endpoints around the world in homes and offices, interfacing with applications both on premise and in the cloud,” says Eric Vanderburg, security and technology thought leader, consultant and author.

“Network security, therefore, must extend to the endpoints as well as cloud and traditional services, scanning these nodes for malware, assessing vulnerabilities, implementing data loss prevention and organizational policies wherever they are, and connecting them to centrally managed security tools equipped with anomaly detection, event correlation, and alerting.”

Given her title, it’s not surprising that Allison Cramer, Director of Solutions Marketing, Security and Automation at BMC, sees a big role for taking things out of manual mode.

“While WannaCry is the latest example that everyone is focused on, without a strategy for automated patching and prevention, enterprises are bound to be impacted by this type of attack (and others) again in the near future,” says Cramer. “Enterprises should adopt three best practices to secure their networks: research the most current published policies to make network environments more resistant to attacks; use automated audit, analysis and remediation instead of manual processes to combat automated replication techniques like WannaCry; and maintain consistent, programmatic proactive regimens for effective vulnerability management.”

Mathias Payer, Assistant Professor of System Security at Purdue University, adds another tactic: “Enforce strong two-way security policies for Internet access, data going in and going out, by filtering emails, restricting web access, and blocking other traffic.”

Looking Ahead: The Basic Rules Apply

With cloud adoption far past the tipping point, many security leaders have had to extend their perspective into that dynamic world. “We see the next generation of threats targeting cloud services now that companies have the confidence to move their sensitive business information to the cloud,” says Kaushik Narayan, CTO at Skyhigh Networks. “Although 62.9 percent of IT professionals think the cloud is more secure than their own datacenter environments, the existing legacy security perimeter does not extend to the cloud. We anticipate companies moving from a prevention to a protection model, treating data as the new perimeter.”

When it comes to DDoS and ransomware alike, preventing and protecting starts with the basics.

“It boils down to basic security steps, most importantly keeping your products up to date, including operating systems, anti-virus and others,” says James Townsend, president at InfoStrat.

“There are no silver bullets to prevent DDoS and malware attacks. Education and best cybersecurity practices remain the best (and only) prevention methods,” adds Scott Schober, “Hacked Again” author and cybersecurity expert. “Users must always run supported OS's with latest security patches and change router passwords from the default to something unique so botnets can’t take over the device.”

Avoiding the whack-a-mole syndrome is key as well. “The best way to combat ransomware is through the typical defense in depth strategies. Security awareness training involving in-depth sections on phishing and social engineering would have increased the chance of preventing WannaCry,” says Tiffany Rad, CEO of Anatrope, Inc.

“Applying patches in a timely fashion would have prevented it from spreading. Proper network segmentation and segregation would minimize how far it could spread, in the event that it spread through a zero-day exploit. The focus really needs to be holistic since doing any one of these three things could have lessened the damage in this particular example.”
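Two of the themes above, the “lateral network movement” Rouland describes and the segmentation Rad recommends, can both be checked from ordinary connection logs. The following is an added example, written for this page rather than taken from any of the quoted experts or their products. It assumes a hypothetical flow-log format of “timestamp src dst dport action” per line (the sample lines are constructed, not captured traffic) and two assumed internal segments; the threshold and window are illustrative. It flags a host that opens SMB (TCP 445) connections to many distinct peers within a short window, which is what a worm scanning for exploitable SMBv1 services looks like, and separately flags any 445 connection that crosses a segment boundary, which a segmented network should never allow.

```python
"""Detect worm-like SMB fan-out and cross-segment SMB traffic in flow logs.

Added example for this article; not code from any quoted expert or vendor.
Log format (assumed, hypothetical): "<ISO timestamp> <src> <dst> <dport> <action>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: 10.1.1.20 sweeps eleven hosts on 445 in seven seconds,
# including one in another segment; 10.1.1.77 just talks to a file server.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.1.1.20 10.1.1.50 445 allow
2017-05-12T10:00:02 10.1.1.20 10.1.1.51 445 allow
2017-05-12T10:00:02 10.1.1.20 10.1.1.52 445 allow
2017-05-12T10:00:03 10.1.1.20 10.1.1.53 445 allow
2017-05-12T10:00:03 10.1.1.20 10.1.1.54 445 allow
2017-05-12T10:00:04 10.1.1.20 10.1.1.55 445 allow
2017-05-12T10:00:04 10.1.1.20 10.1.1.56 445 allow
2017-05-12T10:00:05 10.1.1.20 10.1.1.57 445 allow
2017-05-12T10:00:05 10.1.1.20 10.1.1.58 445 allow
2017-05-12T10:00:06 10.1.1.20 10.1.1.59 445 allow
2017-05-12T10:00:07 10.1.1.20 10.2.0.15 445 allow
2017-05-12T10:00:09 10.1.1.77 10.1.1.10 445 allow
2017-05-12T10:00:10 10.1.1.77 10.1.1.10 445 allow
2017-05-12T10:00:11 10.1.1.33 10.1.1.10 443 allow
"""

WINDOW = timedelta(seconds=60)   # illustrative sliding window
FANOUT_THRESHOLD = 10            # distinct 445 peers within WINDOW -> alert
SMB_PORT = 445
# Assumed internal segments (hypothetical addressing for the example).
SEGMENTS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.0.0/24")]


def parse_events(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "dport": int(dport),
                "action": action,
            })
        except ValueError:
            continue   # unparsable timestamp, address or port
    events.sort(key=lambda e: e["ts"])
    return events


def fanout_alerts(events, window=WINDOW, threshold=FANOUT_THRESHOLD, port=SMB_PORT):
    """Return [(src, first_alert_time, distinct_peers)] for hosts whose count of
    distinct destinations on `port` within `window` reaches `threshold`.
    One alert per source host (the first time the threshold is crossed)."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerted = {}
    for e in events:
        if e["dport"] != port:
            continue
        q = recent[e["src"]]
        q.append((e["ts"], e["dst"]))
        while e["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and e["src"] not in alerted:
            alerted[e["src"]] = (e["ts"], len(distinct))
    return [(str(src), ts.isoformat(), n) for src, (ts, n) in alerted.items()]


def segment_of(ip, segments=SEGMENTS):
    """Return the segment network containing `ip`, or None if it is in none."""
    for net in segments:
        if ip in net:
            return net
    return None


def segmentation_violations(events, segments=SEGMENTS, port=SMB_PORT):
    """Return [(src, dst, time)] for connections on `port` whose endpoints sit
    in different segments (or outside every known segment)."""
    violations = []
    for e in events:
        if e["dport"] != port:
            continue
        if segment_of(e["src"], segments) != segment_of(e["dst"], segments):
            violations.append((str(e["src"]), str(e["dst"]), e["ts"].isoformat()))
    return violations


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, when, n in fanout_alerts(evs):
        print(f"ALERT fan-out: {src} reached {n} distinct SMB peers by {when}")
    for src, dst, when in segmentation_violations(evs):
        print(f"ALERT cross-segment SMB: {src} -> {dst} at {when}")
```

On the sample, the sweep from 10.1.1.20 trips the fan-out rule at the tenth peer and its one hop into 10.2.0.0/24 trips the segmentation rule, while the file-server traffic from 10.1.1.77 (two connections to one host) is ignored. In production the thresholds should be tuned against a baseline of legitimate SMB clients such as backup servers and vulnerability scanners, which otherwise look exactly like a worm.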


Copyright © 2017 IDG Communications, Inc.