It’s a dangerous world out there. Whether it’s criminals looking for someone to shake down for cash or nation states looking to further their own agendas, motivated and capable people are constantly knocking on doors looking for a way in. And even though the WannaCry malware doesn’t have the sophistication of many of its peers, its rapid spread has been a wake-up call for the internet.
Everyone knows ransomware is bad news. Bad news that we hope to avoid by training our users to detect phishing attempts. But in this case, there is evidence that email was not a significant infection vector. Rather, the use of Eternalblue, an SMB exploit leaked from the cache of hacking tools stolen from the NSA and released publicly a few months ago, made this a bad day even for people careful about phishing links.
Many people have objected to the fact that the NSA reserved its knowledge of the SMB vulnerability for its own use until it was stolen. The reasoning is that, had the NSA reported the issue to Microsoft when it was found, Microsoft would have patched the problem and the events of the past few days would not have transpired. That would be a comforting idea if not for a few inconvenient facts.
First, Microsoft released patches for all supported operating systems in March, two months before the outbreak of WannaCry.
Reports indicate that the malware was particularly effective against machines running Windows XP, which is no longer supported. Microsoft stopped shipping security fixes for Windows XP in April 2014, three years ago, and the countdown to the end of support began long before that. Which brings us to the second inconvenient fact: there are still enormous numbers of machines running Windows XP.
Why is that? Because most computers run with hardware and software created by many different vendors. The interactions between them are complex, and the number of different combinations of products is nearly infinite, which makes comprehensive testing of changes practically impossible. So IT teams must often decide whether to accept the risk of running outdated software or to break mission-critical systems.
The third inconvenient truth is this: responsibly disclosing vulnerabilities and creating patches are just the beginning of the solution. Without the processes and resources to regularly apply system updates and to deal with the things that break, before it’s an emergency, simply accepting the risk of running unsupported software will frequently remain more palatable than the alternative.
So what can you do to protect yourself?
1. Update the systems in your network running unsupported software wherever possible.
2. Review your Bring Your Own Device practices to minimize exposure to infected devices.
3. Continue teaching your users to identify and avoid phishing attacks.
4. Make sure you have a well-tested disaster recovery plan.
Dave Farrow is the Senior Director of Information Security for Barracuda.