
Till the next WannaCry campaign


By Georgios Liassas, CSIRT Service Architect at NNIT

Security practice is shifting from prevention to detection. WannaCry proves that detection can be straightforward. Prevention, however, would have saved millions of dollars in downtime, restoration efforts and damaged reputation. Therefore, before the next WannaCry campaign occurs, take action based on your lessons learnt, review your procedures, and rethink a balanced approach between prevention and detection.

The WannaCry campaign was widespread and significant, but it was not the first ransomware incident and it will certainly not be the last. In 2008, the Conficker malware exhibited the same self-propagating capabilities, taking advantage of a Windows SMB vulnerability. More than 3 million computers in 190 countries were infected, according to estimates.

So what did we learn from 2008? Not much, considering the turmoil that WannaCry has just caused.

Instead of focusing on this WannaCry campaign and other single events, let us take a look at the bigger picture.

The root cause of the WannaCry proliferation was a vulnerability (CVE-2017-0145) for which Microsoft had issued the MS17-010 patch in March 2017. The vulnerability was rated as critical and readily exploitable. Two months later, many organizations had still not applied the patch. With a strong Patch Management procedure in place (we discussed it in a previous article here), those organizations would have identified such a critical patch and prioritized its implementation wherever possible and in good time. Compensating controls could have been applied to systems where patching had not been possible.

Since the first WannaCry security incidents started making headlines, organizations have struggled to identify vulnerable systems in their networks and make rapid decisions on remediation. Could this have been done faster, more efficiently and better? Strong Asset & Configuration Management procedures will significantly help you make the right decisions under pressure.
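The two preceding paragraphs come down to a concrete question a defender has to answer quickly for every Windows host: is the MS17-010 update installed, and if not, is the compensating control (SMBv1 disabled) in place? The script below is an added example, not code from NNIT or from the original column. It only reads state and produces an inventory, which is the input an Asset & Configuration Management process needs for prioritisation. It assumes WinRM/PowerShell remoting is enabled on the targets, that the account running it has local administrator rights there, and that `$Ms17010Kbs` is filled in with the KB numbers listed in the MS17-010 bulletin for your operating-system versions (the entries shown are placeholders, not real KB identifiers).

```powershell
# Added example: inventory MS17-010 patch state and the SMBv1 compensating control
# across a list of Windows hosts. Read-only; it changes nothing on the targets.

# PLACEHOLDER: replace with the KB numbers from the MS17-010 bulletin that apply
# to the OS versions in your estate. The values below are not real KB identifiers.
$Ms17010Kbs = @('KB-PLACEHOLDER-1', 'KB-PLACEHOLDER-2')

# Assumed hostnames for illustration; normally this comes from your asset inventory.
$Hosts = @('host01.example.internal', 'host02.example.internal')

function Get-SmbExposureReport {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $RequiredKbs
    )

    foreach ($computer in $ComputerName) {
        try {
            # Everything is collected in one remote session so the host is queried once.
            $state = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                param($kbs)
                # Installed updates (Get-HotFix reads the same data as "Installed Updates").
                $installed = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
                $present   = @($kbs | Where-Object { $installed -contains $_ })

                # SMB server configuration: EnableSMB1Protocol is the compensating control.
                $smb1Enabled = $null
                try {
                    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
                } catch {
                    # Older hosts lack the SmbShare module; leave as unknown rather than guess.
                }

                [pscustomobject]@{
                    OsCaption     = (Get-CimInstance Win32_OperatingSystem).Caption
                    PatchesFound  = $present
                    Smb1Enabled   = $smb1Enabled
                }
            } -ArgumentList (,$RequiredKbs)

            $patched = ($state.PatchesFound.Count -gt 0)

            # Priority reflects the article's logic: unpatched and SMBv1 still on is worst;
            # unpatched but SMBv1 off means the compensating control is in place.
            $priority = if ($patched) { 'Low' }
                        elseif ($state.Smb1Enabled -eq $false) { 'Medium' }
                        else { 'High' }

            [pscustomobject]@{
                ComputerName = $computer
                OS           = $state.OsCaption
                Ms17010      = if ($patched) { 'Installed' } else { 'Missing' }
                Smb1Enabled  = $state.Smb1Enabled
                Priority     = $priority
                Error        = $null
            }
        } catch {
            # An unreachable host is itself a finding: it cannot be verified or patched remotely.
            [pscustomobject]@{
                ComputerName = $computer
                OS           = $null
                Ms17010      = 'Unknown'
                Smb1Enabled  = $null
                Priority     = 'Verify'
                Error        = $_.Exception.Message
            }
        }
    }
}

# Produce the report, worst priority first, and keep a CSV for the incident record.
$report = Get-SmbExposureReport -ComputerName $Hosts -RequiredKbs $Ms17010Kbs
$report | Sort-Object @{Expression = {
    switch ($_.Priority) { 'High' {0}; 'Verify' {1}; 'Medium' {2}; default {3} }
}} | Format-Table -AutoSize
$report | Export-Csv -Path '.\ms17-010-exposure.csv' -NoTypeInformation
```

The report deliberately separates "patch missing" from "SMBv1 still enabled": a host that cannot take the update but has SMBv1 switched off has the compensating control the column refers to and ranks below a host with neither. Hosts that fail to answer are listed as `Verify` rather than silently dropped, since an unknown asset is exactly what makes decisions under pressure hard.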

Security controls can fail, and holes in the network will eventually allow malware to find its way into a corporate network. Should a security incident strike, organizations need to have well-documented Security Incident Management & Response procedures. In an emergency, organizations must have the capacity to identify and contain the threat, eradicate it, and restore affected systems and business operations.

About NNIT Security Insights

NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.

NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses achieve the right level of security protection and shield the business from financial and reputational damage.

You are welcome to contact us at itmanagement@nnit.com if you want to know more about how NNIT can help your business increase its information security level.