Following the news that the suspicious emails / phishing is unlikely to be cause of the global, WannaCry cyber attack, IT security experts from Corero Network Security, Nexsan, Commvault, FalconStor, Alert Logic, Tenable Network Security, Cylance, Autotask and CTERA are commented below.
Stephanie Weagle, VP at Corero:
“While it is yet to be confirmed if there is a link between this ransomware attack and a DDoS attack, it is known that a DDoS attack is often a pre-cursor to a ransomware attack. Rather than launching large, volumetric attacks that cripple a website, hackers launch small, stealthy “smokescreen” attacks that are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline so that the hackers can target, map and infiltrate a network to install malware. Often the attacks are so small that they go unnoticed by IT security staff or legacy DDoS protection systems.
“Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for ransomware attacks or other more serious intrusions. To keep up with the growing sophistication and organization of well-equipped and well-funded threat actors, it’s essential that organizations maintain a comprehensive visibility across their networks to detect and block any potential DDoS incursions as they arise.”
Gary Watson, Founder and VP of Technical Engagement at Nexsan:
“Ransomware attacks will continue to occur more frequently as it is a highly lucrative business. The recent NHS cyber-attack is a prime example of how vulnerable organisations are. Even with careful IT departments and precautions in place, anti-malware products are not infallible. The NHS will either be forced to pay the ransom or continue business operations without the use of computers, that hold vital patient data, or phone lines. Ensuing patient care is crucial and the NHS needs to be prepared so they continue to run a fully operational service. As this trend increases, it will become even more critical that organisations arm themselves with a second line of defence that protects data from corruption and deletion, minimising the impact of malicious cyber-attacks such as this.”
John Gladstone, EMEA Healthcare Practice Lead at Commvault:
“To get back up and running depends on the individual trust and the systems they have in place. Most hospitals run around 300 to 350 applications but do not have a central platform to manage them. Most hospital IT depts control a majority, (but very rarely all) of the data management requirements of these applications. The other applications not controlled directly by IT have to be manually checked and backed up randomly. It is therefore easy to see how the attack took hold and spread very quickly. Turning off the systems was some Trusts only option. The challenge is that without the right budgets or resources very few make back-up or cyber security a priority and therefore with disparate systems they will potentially be struggling to get operational again quickly. Once the immediate threat of malware infection spread is neutralised, those that have got a single platform, universally consistent back up solution in place will probably only take a few hours to cleanse their systems and get at least 60% up and running quickly. But if not it could take some Trusts several days or even a week to get back up and running, even then for some a lot of uncentralised data might be lost for good.”
Gary Quinn, President & CEO at FalconStor:
“Ransomware attacks can have severe consequences, as the NHS, and many other organisations, have experienced over last few days. The threat of another is imminent, it’s clear the WannaCry attacks are having a huge impact globally. Now, more than ever, organisations and public sector authorities will sit up and realise the importance of protecting data against similar threats. As well as training staff not to click suspicious looking links, organisations need to deploy a disaster recovery solution and quickly. Once the malware infection is neutralised, the fastest way to recover from these attacks is to use a system-level snapshot of the system that allows near-instantaneous “rollback” of the system to a reasonable time prior to the attack. Older traditional systems only take one backup a week, or at best, once a day. It is important that new systems are implemented that will take multiple snapshots a day and allow 5-10-minute recovery of systems dramatically reducing the attacker’s impact to business.”
Misha Govshteyn, Founder and SVP at Alert Logic:
“This is a classic game of news spin from all parties involved, but the GCHQ position is especially rich in alternative facts.
Governments provide a mandate to our intelligence agencies to find and exploit security flaws. There is no reasonable argument that these flaws should be made public, as that would defeat the purpose of funding their discovery. The Intelligence Community is naturally motivated to keep these flaws secret as long as possible (though they failed in this regard).
It’s equally unreasonable to criticise Microsoft for not supporting older versions of Windows longer. Doing so would not have altered this outcome, and WannaCry would be spreading as quickly as it is now. Fact is, supported or not, Microsoft issued a patch relatively quickly. Microsoft correctly determined that in this circumstance they need to support resolving this problem.
There are really only two guilty parties here:
- NSA for failing to safeguard their code. These tools should have never been stolen and made public.
- Companies who negligently operate on old, unsupported versions of software and refuse to deploy patches when they are made available. This is a specially true of healthcare organisations.
If the NSA really wanted to be responsible, they would have contacted technology vendors shortly after they realised their toolkits were stolen. Doing so would have given technology companies more time to respond and consumers more time to patch.
Instead, NSA chose to play the game of chicken with Shadow Brokers and allowed, of all people, Julian Assange to be the disclosing party. This is the least defensible decision in this whole saga.”
Gavin Millard, EMEA Technical Director at Tenable Network Security:
“Microsoft have made huge strides in the last few years to improve the security of their ubiquitous operating systems, but code is rarely perfect and flaws will always find a way into the millions of line of instructions required in a complex operating system.
Instead of trying to attribute blame, it would be far more productive to consider what could have been done to reduce the spread of an aggressive piece of ransomware like Wannacry. Organisations have to improve visibility into their complex environments to discover where weaknesses reside and have robust and rapid approaches to addressing these flaws before they are weaponised by the next ransomware author, eager to turn tardy patching into profit.”
Malcolm Harkins, Chief Security and Trust Officer at Cylance:
“I wouldn’t criticise NSA or GCHQ … I do think, however, that this brings up the question of cyber vulnerabilities equities processes, and what “calculus” is used, and how, by a nation state to determine when the public is best served in working with the industry to close a found vulnerability or keep it for nations state purposes … more transparency/illumination there from all nation states would be good (since they all are involved in both cyber offensive as well as defensive efforts).
In terms of end of life support (hardware and SW), both have EOL for support. From an economics perspective, it is cost prohibitive to support something forever, so every organisation needs to stop support at some point in time to manage operating expenses. This is true for every organisation including Microsoft and anyone else. For example, you can’t drive a model T in to a Ford dealership to get it fixed … you do it yourself or find “speciality” service providers who can work to try to service it. This is also a point where we can discuss other mitigation, such as isolation/segmentation of those systems in to a different “zone”.
In terms of GCHQ, or any other nation state agency “storing” exploits. We have seen with the Shadow Brokers, or even Snowden, one of my irrefutable laws – #1 of which is information wants to be free – because people will post, share, talk. Though many nation states “store” these exploits in the logical equivalent of CDC biosafety levels, even there we see there are sometimes mistakes that can occur.
We probably need to have some sort of cyber Geneva conventions and cyber Geneva protocols to establish better norms that most nation states could agree to abide by.”
Mark Cattini, CEO at Autotask:
“Cybercrime is one of the biggest challenges society faces today. As the world becomes more digitized and dependent on connected systems and devices, the threat and potential impact is exponential as we just recently unfortunately witnessed. In some ways this is a wake-up call, and we should expect to see global attacks of this nature accelerate. The good news, is that the technology that is required to combat these threats exists today, threat detection and anti-virus, device and network monitoring and management tools and data back-up, although it’s a never-ending battle to stay current as the threats become more sophisticated. Importantly our partners have access to these solutions, but they must be easily deployable and managed such that they can quickly proactively protect their client’s critical information systems and data.”
Liran Eshel, CEO and Co-Founder at CTERA:
“The Wanna Cry attack shows how sophisticated ransomware has become, forcing even unaffected organizations rethink strategies for for countering ransomware. Organizations need to combat ransomware by minimizing attack exposures and enabling the rapid recovery attacked data and files. The onus is on organizations to stop the ransomware epidemic by building the right safeguards that eliminate enterprise vulnerabilities. Until that day comes, organizations need to be ready to catch and recover from some serious ransomware crypto-lock events. With the right file sync and backup procedures, even attacked organizations can minimize their recovery points to as little as five minutes while making a full recovery of encrypted data.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.