WannaCrypt: Roots, reasons and why scramble patching won’t save you now
I became a Solaris system administrator in the 1990s: first proper job out of university. I read a lot about the Morris Worm – believed to be the first of its type, and of interest to me because the Sun-3 kit I looked after was vulnerable.
Not long after, I was asked to take part in a radio interview about the “scary” new virus that was about to hit every corner of the known PC universe: Michelangelo Virus. I was what my advice for computer users was. Er, use antivirus software?
Here we are in 2017, and the world has gone mental as hundreds of thousands of PCs in some-cases-very-well-known organisations were hit by WannaCrypt – a piece of malware that propagates itself like the Morris worm and then encrypts whatever files it can find.
It would seem much of the world has failed to learn a damn thing despite none of this stuff – worms or the Windows flaw that it’s using to spread itself – being new.
There’s no reason why the malware protection on any corporate desktop PCs should be out of date. Microsoft supplies tools and services like WSUS, for example, which let you download updates once over your internet connection and then punt them out across the corporate network to your workstations and servers.
So why not just patch? What are you, some kind of idiot antivaxer?
The problem is that there’s a risk to installing any patch. We’ve all seen OS patches that cause the machine to crap itself, and deploying one of those to a few hundred workstations tends to make it a very bad day for the IT team.
So you need a regime of testing patches before approving them for deployment, and when you move from workstation patches to server updates it’s a greater pain because you may well need application downtime for core server updates.
Hence you’re into maintenance windows, and “system maintenance” pages on customer-facing websites, and the fear that if you have too many of those the customers will bugger off and buy from someone whose site is actually up.
The result? On a good day, a regime that deploys patches effectively, albeit a few days after they’re released, by weighing the risk of a problem and the impact of a reboot-after-installation against the potential for a long week spent rebuilding systems, apologising to customers and being whipped by the Information Commissioner because you got infected or hacked via a known vulnerability.
When it comes to WannaCrypt, Microsoft released the fix in March. But try explaining that to the CIO or hospital administrator now on the receiving end of a high-octane grilling.
All of this brings us to the next concept, which is far harder and more expensive than keeping your system patches up to date: maintaining supported versions of your operating systems and apps. The big deal with the NHS was not necessarily that they were clobbered with ransomware, but that they were still running Windows XP that has been out of support since April 2014 – by which time it was 12 years into its existence. Anyone running Windows XP in a commercial setup can’t have been unaware of the risks of an unsupported, unpatched operating system.
There’s only one reason that you might choose not to upgrade in good time to the new, properly supported version: cost.
In the case of the NHS, the claims have frequently related to so-called “compatibility” rather than cost, and this is understandable. Problem is that a lot of these claims are just cost by another name: the 10-year-old X-ray machine is powered by a Windows XP machine and the software just won’t run on anything else, but the only solution would be to replace the buggy old heap with something new – and that’s expensive.
Bring me the head of the risk committee’s head
I do feel a pang of something for the NHS. Not because they did anything right (they didn’t) but because they happened to be the ones unlucky enough to get hit.
Plenty of organisations employ legacy kit but my particular pang is caused in part by the lack of any finger pointing at the right people. We’ve berated the government for not giving the NHS enough money. We’ve berated the NHS IT guys for not patching and for sticking with arcane and obsolete systems for way too long.
But why the hell have we not called for the heads of the NHS trusts’ risk committees? Upgrading obsolete systems is as much a risk decision as it is a technical one.
Risk committees are there for a two reasons – to identify and remediate risks. For each risk you identify in your organisation you have four choices: treat it (fix the problem), tolerate it (accept it as it is), terminate it (decommission the system that’s the source of the risk), or transfer it (insure against it). Often, you’ll end up with a combination of treat/tolerate: fix what you can for an affordable price, and tolerate the residual risk (maybe with a bit of insurance thrown in for good measure).
My fiver says there was no need for so many NHS PCs still to be running Windows XP. Yes, there will have been stuff like my made-up X-ray machine example that you can’t upgrade economically, but if all that Windows XP box does is drive the scanner and dump a few files on a server, you can mitigate the risk and avoid the excessive cost of replacement using Access Control Lists and simple port filtering rules on routers.
Chances are that a load of general-use machines could happily, and fairly cheaply, have been upgraded to something that was supported and patchable. Other public sector entities are moving or have moved (here and here) – albeit not necessarily bang on time.
If the NHS organisational risk registers didn’t already have any entries regarding security issues due to IT obsolescence then the trusts should have had a strong word with their risk manager. Or handed them a P45, whichever felt more appropriate.
Now it’s the post WannaCrypt era and people are scrambling and taking action. Three paths are open to people. One is do nothing, because there’s already a really good patch regime in place. The next is to acknowledge that patching has been neglected, to put a policy and process in place, and to get things back on the rails.
Those who have followed the third path will, by the end of the week, have a bunch of systems that are just as they were but with patch KB4012215 or KB4013389 installed. And there’s a word for that approach: dumb.
All these people will have done is fix the thing that everyone knows about, with not a thought for rest of the critical patches they’ve overlooked, the fact they are still running Windows XP, or the unknown unknowns out there yet to be discovered.
In other words, they haven’t changed the underlying root cause of why they were hit, just the manifestation.
Let’s be sensible about this, then
We’re going to be patching our systems and doing security assessments for a while now. But what we really need to do is to think properly about security, not just react to one ransomware attack because we will be attacked again. Leaving aside the WannaCrypt idiocy, ransomware has a habit of being a user-induced zero-day infiltrator – where the virus is so new that the AV vendors haven’t produced a signature file for it yet and the law of averages says someone will click on a malware link sooner or later.
Where will that next attack come from?
As least one of the paths is phishing because you just can’t protect yourself against your own users. This week at a data protection conference the speaker reckoned that even following effective training and awareness campaigns, there’s still a 5 per cent chance of someone clicking a dodgy link. My neighbour and I looked at each other, surprised, and said: “Nah, it’s way more than that.”
It won’t be leakware: attackers will save that until June 2018, just after General Data Protection Regulation comes into force and you can get fined – heavily – for losing Personally Identifiable Information (PII). And if you don’t believe me, believe the guy at the same presentation whom I said that to over half-time coffee and who then repeated it in the QA at the end.
No, it will exploit a known flaw just because there are simply so darn many. If you hadn’t noticed, the monthly security roll-up of which the MS017-10 patch is a part has 12 other security patches, for components including ADFS, IIS and Internet Explorer. And it may not be a Windows system either: to pick a couple of non-Windows packages at random we have the BIND DNS server, which had 11 vulnerabilities last year and has thrown up three this year so far, or the Apache HTTP server, which is pretty low on vulnerabilities but still lists four last year and four so far this year.
It’ll probably have been written on the premise that people have been patching their Windows systems thanks to the WannaCrypt but still have some recent updates to put on because of the time taken to test and approve patches. And I reckon it’ll be destructionware: they won’t bother with a ransom, they’ll just blow away files irretrievably for fun so that they’re unrecoverable unless you have a backup.
Oh, and the software it’ll compromise is your desktop and server backup agents so that even if you do have a backup it’ll be no use to you. Because, I suspect, the people who didn’t patch their Windows machines probably don’t test their backups either.
One more thing
I heard recently the average time to discover a security breach is now down to 99 days. So you’re probably infected already. ®