Late last week, a crypto-ransomware family called WannaCry hit people and organizations all over the globe. Many fell victim to the attack and saw their data encrypted, making it inaccessible unless organizations paid the ransom or began restoring their systems from backups. According to F-Secure Chief Research Officer Mikko Hypponen, about 196 victims have paid as of Monday afternoon.
Some people and organizations can afford the downtime something like a ransomware attack can cause. But others, such as hospitals or other critical services, don’t have that luxury.
So how does something like this happen? And more importantly, how can it be prevented from happening again?
Most of the advice involves patching vulnerabilities and running endpoint protection. But F-Secure Principal Security Consultant Tom Van de Wiele says that this is only a band-aid solution, and won’t protect organizations with complex networks from similar attacks in the future.
“Basically, it’s a lack of hardening in IT departments that leads to these massive compromises,” says Van de Wiele. “For example, IT departments should be compartmentalizing their systems, so that people receiving emails or working with internet-facing systems aren’t fully integrated with more critical systems. In the case of hospitals, this could be medical systems like what’s controlling the MRI scanners, patient data, etc.”
“In these environments, security needs to include good network design, threat modeling, computer and device hardening and running simulations to see if drive-by attacks are possible, and tests that measure exposure to highly targeted attacks,” adds Van de Wiele. “It is only after testing the sum of all the parts that a company can determine their security maturity.”
But that’s all easier said than done for these organizations.
F-Secure Security Advisor Sean Sullivan points out that something like a hospital serves a large variety of needs with a complex IT environment, and resources tend to be limited.
“Cancer treatment centers, cardiology departments, and physiotherapy services will all have different IT needs. And those are just medical services – when you factor in research, services (both internal and external), finance, etc., you have an explosion of different requirements putting stress on IT departments. Having shared infrastructure seems like a cost-efficient way to service all those needs, but then you have the security problems that stuff like WannaCry can exploit,” says Sean.
And resource management isn’t the only hurdle. According to Van de Wiele, many specialized IT components, such as those used by hospitals, power plants, transportation systems, etc. are often impractical or impossible to patch, even after a vulnerability is discovered.
“A lot of these components are only guaranteed to work based on a specific configuration, so if doing something like applying a security update could interfere with the basic functionality, IT admins understandably avoid doing it. And that’s actually ok, because even small changes can cause potentially life threatening malfunctions if a system is important enough. But when you can’t secure the application layer, you need to make sure the network around it is prepared for the event that such components are compromised.”
Van de Wiele also says that the last 10 years have seen more attention being paid to application security, but this has come at the expense of network security.
“The last decade has been about application security, but application security needs to be balanced with secure networks. After all, the real target when you’re talking about organizations is not the individual devices, but what they can access on the network. Most major companies still run relatively flat networks due to legacy IT and other reasons, and that lets ransomware really hit companies where it’ll hurt them the most.”
There are no easy answers to this, unfortunately. But Van de Wiele does have some advice that he passes along to his clients when he conducts Red Teaming tests.
“Organizations that provide critical services should treat their internet-facing systems like a kind of demilitarized zone and keep them compartmentalized with strict access controls that limit their access to critical parts of their IT environment,” says Van de Wiele. “People working on internet-facing systems are basically the first line of defense, and there’s no security product or training program on the market that can guarantee they won’t be compromised. Compartmentalizing them is an extra layer, but that extra layer is a relatively minor expense when weighed against the security benefits it provides.”
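The compartmentalization Van de Wiele describes can be checked against real traffic rather than just drawn on a diagram. As an added example (not code from the article or from F-Secure), the Python below encodes a default-deny policy between segments of a hospital-style network and flags flows in a constructed flow log that cross segments the policy does not allow; the segment addresses, the flow-log format and the permitted ports are assumptions.

```python
import ipaddress
# Constructed segments for a hospital-style network (placeholder addresses):
SEGMENTS = {
    "office":  ipaddress.ip_network("10.10.0.0/16"),  # staff reading mail / browsing
    "dmz":     ipaddress.ip_network("10.20.0.0/24"),  # internet-facing servers
    "medical": ipaddress.ip_network("10.30.0.0/24"),  # e.g. MRI controllers
    "records": ipaddress.ip_network("10.40.0.0/24"),  # patient data servers
    "jump":    ipaddress.ip_network("10.50.0.0/28"),  # hardened admin hosts
}

# Default-deny policy: (src_segment, dst_segment) -> permitted TCP destination ports.
# Any cross-segment flow not listed here breaks the compartmentalisation design.
ALLOWED = {
    ("office", "dmz"):     {443},
    ("office", "records"): {443},      # records reachable only via its web front end
    ("jump", "medical"):   {22, 3389},
    ("dmz", "records"):    {5432},
}

def segment_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), "unknown")

def parse_flow(line):
    # Constructed flow-log format: "<src_ip> <dst_ip> <dst_port>"
    src, dst, dport = line.split()
    return src, dst, int(dport)

def find_violations(lines):
    """Cross-segment flows the policy does not permit (intra-segment traffic is out of scope)."""
    violations = []
    for src, dst, dport in map(parse_flow, lines):
        s, d = segment_of(src), segment_of(dst)
        if s == d and s != "unknown":
            continue
        if dport not in ALLOWED.get((s, d), set()):
            violations.append((s, d, src, dst, dport))
    return violations

# Constructed sample flows; the SMB (445) ones are exactly what a flat network permits.
SAMPLE_LOG = [
    "10.10.4.7 10.20.0.10 443",   # office -> DMZ web server: permitted
    "10.10.4.7 10.30.0.5 445",    # office -> MRI controller: violation
    "10.50.0.2 10.30.0.5 22",     # jump host -> MRI controller: permitted
    "10.20.0.10 10.40.0.3 445",   # DMZ server -> patient records: violation
]

if __name__ == "__main__":
    for s, d, src, dst, dport in find_violations(SAMPLE_LOG):
        print(f"VIOLATION {s}->{d}: {src} -> {dst}:{dport}")
```

Running the same check over the real flow logs of a flat network is a quick way to measure how far the environment is from the compartmentalized design before any firewall rules are written.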