Nothing new to (Wanna)Cry about

May 31, 2017 | 6 mins

Examining how the recent ransomware strain is similar to past attacks, and why changes to regulations and business models are impacting the future of cybersecurity.

The WannaCry outbreak has been troubling in many regards – exposing flaws, and opening doors to much finger-pointing and blaming that have gone well beyond the handling and disclosure of nation-state cyber weapon stockpiling.

The attackers likely had a good idea of how quickly and widely the attack would spread, evidenced by the fact that their ransom demand was created in 28 languages, suggesting that they had very high expectations of the success of their attack.

WannaCry targeted Microsoft systems that were not running the latest patches, and older versions of Windows such as Windows XP, which is still widely deployed in the NHS despite being 16 years old and no longer supported by Microsoft, except under custom contracts.

Perhaps what this attack has illustrated most clearly is the continued and widespread lack of security management and basic security hygiene practices in many organisations, such as:

  1. Upgrading systems
  2. Patching systems
  3. Maintaining support contracts for out of date operating systems
  4. Architecting infrastructure to be more secure
  5. Acquiring and implementing additional security tools

For many security professionals who have been in the industry for any length of time, this may feel like Groundhog Day. After all, the WannaCry attack is actually not very different from historic widespread attacks such as Code Red, ILOVEYOU, SQL Slammer, and other worms which self-propagated and infected large numbers of machines.

Simple yet difficult

The unfortunate reality is that while any of the defensive measures above could have prevented or minimized this attack, none of them are easy for many enterprises to implement. It’s akin to my doctor telling me to cut out junk food and increase my exercise – simple in theory, but much more difficult to actually follow consistently.

Many factors contribute to this situation. Sometimes the infrastructure or endpoint devices aren’t all controlled by IT. Also, patching or updating a system can sometimes lead to other dependent applications breaking or having other issues. For example, it might be the case that an operating system can’t be updated until another vendor updates their software, which in turn can’t be updated until an in-house custom application is updated, and so on.

There are many other technical nuances as well, but it all boils down to basic risk management. Oftentimes, if systems are working as desired with no issues, then they will generally be allowed to continue to run as such, especially when the costs of such upgrades are taxpayer expenses.

However, this is not to say that basic security measures shouldn’t be implemented. In an ideal world, it would be good to see no legacy systems, regular patching, and securely architected infrastructure in all environments. Unfortunately, that is the exception for most companies, not the rule. So while it’s easy to simply say that the government should have put more money into systems, it’s more the case that the senior decision-makers and purse-string holders need to understand the exposure they run, the pros and cons, and the potential impact.

Increasing regulation

One way that has proven effective in raising the security bar has been through regulatory compliance requirements. Australia is notable for its success in enforcing higher than average security across government. Government agencies are mandated to enforce four technical controls: application whitelisting, application patching, operating system patching, and minimizing administrative privileges.

An attack like WannaCry could have been prevented if organisations applied the first two controls of application whitelisting and regular patching. However, enforcing such controls on legacy systems requires a significant investment in personnel.

So, is the answer to increase legislation to ban critical organisations from running legacy systems? While such a radical approach might be needed to jolt organisations into action, this tactic could also be perceived as an overly aggressive approach that doesn’t take into consideration some of the restrictions or business complexities discussed earlier.

Changing business models

An oft-overlooked fact is that business dynamics and models are changing. For example, from an attacker’s perspective, demanding bitcoin helps make ransomware more profitable, but it also effectively helps preserve anonymity – eliminating the risk and need for midnight rendezvous in underground car parks to exchange a decryption key for a briefcase of untraceable, used $5 bills.

However, the business side of things probably plays a larger part in security than it might initially appear. This situation is much like the risk assessment explained in the movie Fight Club, where the narrator states that if the cost of recalling a faulty car is more than the average out-of-court settlement times the likely number of incidents, then they won’t do it.

While some may say that this is a cynical view, it is possible that the cost of recovering from WannaCry, despite the huge inconvenience, is still cheaper than having to go through a lengthy and somewhat expensive upgrade process.

So, the big question that needs to be answered is whether it’s time for a radical shift in how businesses operate, procure, and maintain software. Vendors like Microsoft want to keep their applications and operating systems updated and fully patched. On the other hand, enterprises want their apps and operating systems to remain stable and usable, and not incur huge migration costs every few years.

But maybe the answer to this isn’t so radical at all. Cloud computing, and SaaS in particular, ticks the boxes that meet the needs of both vendors and enterprises. That’s not to say cloud computing doesn’t come with its own unique set of challenges and risks; but in the long run, a cloud model could be exactly what companies need to maintain a consistent base level of security. Vendors keep their cloud apps and OSes fully patched and up to date at all times, minimizing the likelihood that attacks leveraging known vulnerabilities materialize.

Capital expenditure is also removed with the cloud. Companies don’t incur large one-off costs up front to install or upgrade these systems, and the cost of security is rolled into the overall subscription cost.

The success of WannaCry can’t be pinned completely on failings in technology or organisational processes. Rather, the outbreak illustrates that attacks like WannaCry will remain successful as long as enterprises cling to outdated technology business models.


Javvad Malik is an award-winning information security consultant, author, researcher, analyst, advocate, blogger and YouTuber. He currently serves as a security advocate at AlienVault.

An active blogger, event speaker and industry commentator, Javvad is known as one of the industry’s most prolific influencers, with a signature fresh and light-hearted perspective on security.

Prior to joining AlienVault, he was a senior analyst with 451 Research providing technology vendors, investors and end users with strategic advisory services, including competitive research and go-to-market positioning. Prior to that, Javvad served as an independent security consultant, with a career spanning 12+ years working for some of the largest companies across the financial and energy sectors.

Javvad is an author and co-author of several books, including The CISSP Companion Handbook: A Collection of Tales, Experiences and Straight Up Fabrications Fitted Into the 10 CISSP Domains of Information Security and The Cloud Security Rules: Technology is Your Friend. And Enemy. A Book About Ruling the Cloud. He’s also the founder of the Security B-Sides London conference and a co-founder of Host Unknown with Thom Langford and Andrew Agnés.

Javvad has earned several professional certifications over the course of his career, including Certified Information Security Systems Professional (CISSP) and GIAC Web Application Penetration Tester (GWAPT). He’s also won numerous awards in recent years for his blogging, including the "2015 Most Entertaining Blog" and the "2015 Best Security Video Blogger" recognitions at the European Security Blogger Awards.

The opinions expressed in this blog are those of Javvad Malik and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.