Fault for ransomware attacks lies with challenges security teams face

Fault for ransomware attacks lies with challenges security teams faceThe latest ransomware attack which affected thousands of victims around the world brings a strong sense of déjà vu. The malware is different from the one used by WannaCry back in May, and the criminal group responsible is different, but the advice for dealing with the infection outbreak remains the same: Patch vulnerable systems, don’t pay the ransom, and restore from backups.

The new ransomware--Kaspersky Lab named it ExPetr after determining it was not a variant of the Petya malware—involved several vectors of compromise, including EternalBlue and EternalRomance, exploits ostensibly developed by the United States National Security Agency. EternalBlue, a Windows-based SMBv1 exploit, was also used in WannaCry back in May.

Unlike WannaCry, ExPetr appears to spread over local networks and not the Internet, but ExPetr encrypts the Master Boot Record, which is far more damaging than just encrypting individual files. ExPetr may be a new attack, but there is nothing new in terms of what it does. It exploits several known vulnerabilities, spreads via a protocol that shouldn’t be exposed to the Internet, and abuses an existing operating system utility (PsExec).

What’s also familiar is the finger-pointing and the blaming. Security experts took to blogs, social media and email to pontificate:

  • This attack was yet another example of organizations not taking security as seriously as they should.
  • These attacks could have easily been avoided if organizations had their systems patched properly and implemented a defense-in-depth approach to securing their networks.
  • WannaCry should have been the wake-up call, but the fact that the new ransomware spread around the world so rapidly showed that there are still plenty of organizations and users who have yet to apply the MS17-010 patch released by Microsoft back in March.
  • SMBv1 is old—there is no reason for the port to be open to the Internet. Neglecting security—in terms of investment, time, or priority—is irresponsible.

And the list goes on and on.

Stop. Scolding doesn’t help.

IT and operations are fully aware that core IT and security fundamentals, such as patch management, regular backups, disaster recovery and business continuity, and incident response, are critical to protecting their networks and users from damaging attacks. Acting like they are irresponsible or incompetent for being behind on patching is unhelpful and ignores the challenges they and their beleaguered security colleagues face. It’s undisputed reality that vulnerable systems are running software that is out of support, out of date, or just unpatched. This is not a surprise to anyone—or it shouldn’t be—in security.

“What always seems to take some by surprise, however, is that no matter how much we talk about patching as the solution, it doesn’t happen in many cases,” said Wendy Nather, principal security strategist at Duo Security. “It’s almost as if talking about the problem and ‘raising awareness’ isn’t enough to actually solve it.”

Don’t assume negligence. Understand the challenges.

If the system isn’t under your control, you can’t update it

It’s easy to say that all systems should be patched regularly, but it overlooks a key issue: IT doesn’t always have access to the systems on its networks. When patching systems can void the warranty or license terms, then staying on top of updates for those systems is not an option. Or consider what happens at manufacturing plants, where PCs connected to machinery may be considered part of the machinery and not under IT control. Shop floor management doesn't want IT messing with equipment but IT has to consider security and continued compatibility with other systems.

“The issue is widespread, especially among organizations below the security poverty line, but it applies just as much to financial trading terminals and banks as it does to the network run by a centralized higher education system,” Nather said.