By Georgios Liassas, CSIRT Service Architect at NNIT
Security practice is shifting from prevention to detection. Wannacry proves that detection can be straightforward. Prevention, however, would have saved millions of dollars in downtime, restoration efforts and damaged reputation. Therefore, before the next WannaCry campaign occurs, take action based on your lessons learnt, review your procedures, and rethink a balanced approach between prevention and detection.
The WannaCry campaign was widespread and significant but it was not the first ransomware incident and it will certainly not be the last. In 2008, the Conficker malware exposed the same self-propagating capabilities taking advantage of a Windows SMB vulnerability. More than 3 million computers in 190 countries got infected, according to estimates.
So what did we learn from 2008? Not much, considering the turmoil that WannaCry has just caused.
Instead of focusing on this WannaCry campaign and other single events, let us instead take a look at the bigger picture.
The root cause of the WannaCry proliferation was a vulnerability (CVE-2017-0145), for which Microsoft had issued the MS17-010 patch in March 2017. The vulnerability was rated as critical and readily exploitable. Two months later many organizations had still not applied the patch. With a strong Patch Management procedure in place (we discussed it in a previous article here), the organizations would have identified and prioritized the implementation of such a critical patch wherever possible and in good time. Compensating controls could have been applied to systems where the patching had not been possible.
Since the first WannaCry security incidents started making headlines, organizations have struggled to identify vulnerable systems in their networks and make rapid decisions for remediation. Could this have been done faster, more efficient and better? Having strong Asset & Configuration Management procedures will significantly help you make the right decisions under pressure.
Security controls can fail and holes in the networks will eventually allow malware to find its way into a corporate network. Should a Security Incident strike, organizations need to have well-documented Security Incident Management & Response procedures. In case of an emergency situation organizations must have the capacity to identify, contain, eradicate the threats, and restore affected systems and business operations