Cyber insurance providers are always looking for that litmus test on how to judge if an organization seeking insurance is serious about their security program. I am going to say it bluntly — if an organization had significant business impact due to the WannaCry Ransomware operation, they were negligent in conducting security operations. This Microsoft flaw was big news back in March when the Shadow Brokers leaked the alleged stolen nation-state actor tools that took advantage of this flaw. This Microsoft flaw affected just about every operating system to include both user workstations and servers. Microsoft informed the world that this was a critical flaw and should be patched as soon as possible.
Fast forward three months later — we now have potentially more than 200,000 infected hosts in more than 150 countries.
What happened? Were people just not listening?
As I look at the media coverge, a lot of the dire predictions and headlines read something along the lines of: “The World has been Hacked.” Let’s step back from the hysteria and dissect what really happened late last week.
First, I was surprised that it took a threat actor more than three months to weaponize this flaw. Normally when zero day flaws are released in the wild, it only takes about 48 hours before we see threat actors using it to exploit systems. I was grateful that we had this extended amount of time to get our systems patched and also ensure we scanned our customer environments to see if they were vulnerable.
Why was this WannaCry campaign so successful?
Two root causes can be attributed to the success of this campaign. Both are a reflection of an organization’s commitment to cyber security.
- Many companies don’t run a good patching program to ensure their systems are updated with the latest fixes for security flaws. It can take a company anywhere from 90-days to more than a year to patch critical vulnerabilities like the one leveraged for WannaCry. When you look back at some of the biggest data breaches over the last five years, almost all of them involved vulnerabilities that were more than a year old when the company was breached.
- Organizations are making the conscious decision to not make the investment to update unsupported software. According to most reports, a great majority of the WannaCry victims are using Windows XP, which has been an unsupported operating system for three plus years. This means Microsoft was not obligated to provide a security patch for these systems. After the outbreak hit late last week, Microsoft stepped up to provide a patch now for unsupported systems. Having unsupported software in your environment will make you non-compliant with many auditing standards, such as PCI and HIPAA, which is why many major US companies weren’t affected by the outbreak.
Both root causes, poor patching programs and allowing unsupported software in corporate environments, are indicators of a poor cyber security program.
The sad state of cyber security readiness
In short, WannaCry demonstrates the vulnerability of systems and how in relative short order, this infrastructure can be compromised on an unprecedented global scale with the headlines to show for it. It also shows the critical importance of establishing a diligent patching program to thwart these attacks. The world knew something like WannaCry could be coming months ago and software companies addressed the issue with a viable patch. The onus was then on organizations to utilize the resources to keep their infrastructure safe. Which, unfortunately didn’t happen in many cases.
So, for those looking for the litmus test of a cyber readiness of an organization, there’s an ideal example with WannaCry, and it does make me “want to cry” at the sad state of our global cyber security readiness.