As I watched the news, I was struck by the inaccuracy of much of the initial coverage of the massive wave of ransomware attacks that surfaced on 12 May. Even my partner thought that the National Health Service (NHS) computers, as well as other targets around the world, were being intentionally targeted by a coordinated global cyberattack.
The truth was far worse. This was no more than an infection designed to take advantage of environments that failed to have even the most basic of cyber security protection in place.
This malware, known by various names including WannaCry and Wanna Decrypt0r, is understood to have originated from a leak of US NSA cyber tools. However, both the leak and the tools it contained were already widely known about, and there were plenty of fixes available to prevent the malware from working.
To prevent this particular malware from operating, all organizations had to do was be running a supported operating system with the latest software updates applied. (Microsoft had released the patch that prevents this malware from working for its supported operating systems back in March.)
Even if your computers were not patched, or were running an unsupported operating system, a more effective anti-malware solution would, on its own, also have been enough to stop the malware from working.
Where the malware entered an unprotected computer on a network, it was able to seek out other undefended computers on the same network. Almost like a red team identifying vulnerabilities, the malware highlighted organizations and computers that were running unsupported operating systems, unpatched operating systems, wide-open network topologies, and less effective, or completely absent, anti-malware protection. One by one, the worst configured and maintained environments that received the malware started to experience substantial disruption.
The consequences of this event are devastating. The interruption has affected services including the provision of healthcare, and some healthcare staff have already alleged that this event is likely to have led to several unnecessary deaths because many clinical services became temporarily unavailable. In fact, the ISACA publication on healthcare IT governance I had just finished drafting included statistics on how faulty technology in healthcare environments leads to hundreds of deaths and thousands of serious injuries each year, based on UK figures alone from the UK regulator MHRA (Medicines and Healthcare products Regulatory Authority, the UK equivalent of the US Food and Drug Administration).
So, will this event finally help the cyber security practitioners who have failed to get buy-in from their management to make the changes they need? I hope so.
This event should be a wake-up call. The Internet is a dangerous place IF your computers and networks are not taking at least basic precautions.
For those executives who thought that because this type of event never used to happen, it never will, it is time for a rapid rethink while you still have an organization to protect.
Editor’s note: Raef Meeuwisse, CISM, CISA, is author of several cyber security publications, including “How to Keep Your Stuff Safe Online,” available at iTunes: https://itunes.apple.com/gb/book/how-to-keep-your-stuff-safe-online/id1212130763?mt=11&ign-mpt=uo%3D4
Raef Meeuwisse, CISM, CISA, Author, “Cybersecurity Exposed”
[ISACA Now Blog]