When WannaCry dominated the headlines, manufacturers fell over one another to make a statement. On the whole, the comments can be divided into two groups. Some reminded customers that not patching software is negligent, and others claimed that it simply would not have happened with their software/hardware/service. How true is this? One can hardly imagine that organizations such as hospitals or Deutsche Bahn would have no protection software, employ incompetent administrators, or have failed to invest heavily in security technology.
Security products and services were almost certainly available to the affected organizations; however, they were unable to neutralize this threat. This does not mean that such products are functionally ineffective. Whether or not an anti-virus scanner failed to block a malicious e-mail attachment this time is irrelevant; it may still easily have blocked 5000 similar mails in the last month. It can’t be said often enough, so we’ll say it once more here: Security is a process. It must be understood and applied at all levels, from employee awareness (be careful what you click) through the configuration of the firewall (only open the ports that you really need) to the hardening of end devices that have special tasks (why does a railway schedule display need CIFS/SMB?).
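As an added illustration of the last two points (this is not code from the original article): a small POSIX shell audit that reads `ss -ltn`-style output, lists every listener bound to a non-loopback address whose port is not on a hypothetical per-role allowlist, and specifically flags the SMB/CIFS ports 445 and 139 that WannaCry used to spread. The sample output and the allowlist are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output for a display host (not captured
# from a real system). Column layout: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*
LISTEN  0       50      0.0.0.0:139          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*'

# Hypothetical allowlist: the only ports this role is expected to expose
# (remote administration over SSH and the display web front end).
ALLOWED_PORTS="22 8080"

# audit_listeners: read ss-style lines on stdin and print one UNEXPECTED
# line per externally reachable listener that is not allowlisted, followed
# by a findings=N summary line. Loopback-only listeners are ignored because
# they are not reachable from the network.
audit_listeners() {
    count=0
    while read -r state rq sq laddr peer; do
        [ "$state" = "LISTEN" ] || continue      # skip header / other states
        addr=${laddr%:*}                          # everything before last ':'
        port=${laddr##*:}                         # everything after last ':'
        case "$addr" in
            127.*|::1|"[::1]") continue ;;        # loopback only, not exposed
        esac
        case " $ALLOWED_PORTS " in
            *" $port "*) continue ;;              # explicitly permitted
        esac
        note=""
        case "$port" in
            445|139) note=" (SMB/CIFS: WannaCry propagation vector; close unless required)" ;;
        esac
        echo "UNEXPECTED ${addr}:${port}${note}"
        count=$((count + 1))
    done
    echo "findings=${count}"
}

# Stand-alone run over the constructed sample; on a real host you would
# pipe `ss -ltn` (or `netstat -ltn`) into audit_listeners instead.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners
```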
This is not new, and WannaCry should not have had a chance, at least not in Germany and other highly developed countries, where there is enough expertise and there are enough financial resources to maintain high levels of IT security. However, IT security is still seen as an unnecessary limitation on personal and organizational freedom. Many believe that IT security is paralyzing and slows things down, and that Germany should be driving digitalization rather than blocking progress with too many reservations. But now there are threats such as WannaCry, Carbanak, and Dridex, and even intelligence services that have not been able to protect their own exploit libraries. Even if it slows things down and costs money: more security is needed than ever before. The only alternative is for companies to pay ransoms, which is also a form of risk acceptance.
In response to the second claim from manufacturers, suggesting that IT administrators must be more diligent in applying patches, many in the IT industry will be left shaking their heads. Every administrator knows that they need to apply security fixes. Unfortunately, these fixes do not always work. Windows 7, which has the most WannaCry infections, is notoriously unreliable in this regard. The Windows Update Service often fails: some updates are not installed at all, and after other updates the system no longer works or settings are lost. All of this can be fixed, but it delays the update process. Other Windows computers may not be patched for specific reasons. Some production systems cannot be restarted, or the manufacturers of control software prohibit changes to the operating system to avoid voiding certification. Other applications, such as Adobe Acrobat or the Flash Player, are another matter entirely. And Linux distributions are not completely safe either, although issues on this platform are less common.
So what is the best advice for CISOs, whether or not their organization was affected this time round? The threat potential is real, and every day organizations are exposed to new attacks. Even if it leads to conflicts: CISOs must ensure an appropriate level of security and defend measures that may inconvenience employees and management, for the greater good. The next round of ransomware is surely on its way.