The Biggest Takeaway from the ‘WannaCry’ Ransomware Attack

You’ve reached an archived Flexera blog post that may be out of date. Please visit the blog homepage for the most current posts.

This month’s ferocious ransomware attack, known as “WannaCry,” spread across the globe with astonishing speed and breadth, freezing more than 300,000 computers in an estimated 150 countries. Management teams at every corporate, government and non-profit organization should now be reviewing lessons learned from that experience.

My biggest takeaway from the WannaCry experience is this: Effective cybersecurity is mostly about having good actionable data to tell you where your highest priority vulnerabilities are.

Here’s why. As with most large-scale cyberattacks, the WannaCry ransomware exploits vulnerabilities that are already known and understood. In this case, the vulnerability is called “EternalBlue,” which was released online in April by a hacker group called the Shadow Brokers.

The EternalBlue vulnerability, reportedly developed by the National Security Agency, exploits weaknesses that affect older versions of the Microsoft Windows operating system. (Roughly 98 percent of computers affected by WannaCry run Windows 7, according to Kaspersky Labs. Most of the remaining computers affected were running Windows XP or were clients of Microsoft’s Windows Server 2008 R2 operating system, which is built on the same kernel used in Windows 7.)

But even though the EternalBlue vulnerability was known, it was nevertheless successfully exploited with devastating results. In fact, the most frequently exploited cybersecurity vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs), date back many years. (WannaCry is entry CVE-2017-0144 in the national CVE registry, which is maintained by The MITRE Corp.)

These vulnerabilities continue to be successfully exploited by hackers and malware because end-of-life (EOL) and end-of-support (EOS) software and hardware continue to live on many organization’s networks without the knowledge of IT staff.

In many cases, organizations knowingly keep outdated software and hardware running because of fears that replacing them will disrupt legacy applications and systems. But in those cases, organizations often do not fully understand the larger cyber risks they open themselves up to.

This is where good actionable cyber risk intelligence is so critical.

Many organizations do not manage their EOL software. In fact, a recent BDNA survey found that 52 percent of responding organizations do not have a process for handling EOL software.

As we have seen with many recent cyberattacks, including the WannaCry ransomware attack, the consequences of this are too great to ignore. Software vulnerabilities in commercial products are the biggest source of data breaches in the enterprise. Not managing end-of-life of enterprise applications has major implications on enterprise security, compliance, and the ability to enforce critical processes.

The challenge in doing this is that technology vendors don’t always diligently publish the EOL dates for their software, leaving IT teams to their own devices.

The results are troubling: In one organization with more than 550,000 software installations, 56 percent of its software was found to be EOL, posing a very high security risk. More than 6,350 instances of the software installed had come to EOL more than 14 years before and included applications from Microsoft, SAP, IBM, Symantec and more.

This is where asset management tools that automatically provide visibility into the entire asset lifecycle, including EOL dates for application software, become extremely useful. Such tools go beyond providing visibility into IT networks because they are able to analyze the database and alert IT managers about what assets are EOL, nearing EOL, approved and unapproved and/or out of configuration. This increased awareness allows organizations to not only be proactive about their security needs, but also enables them to leverage their data more effectively.

To make smart decisions about cyber risk, an organization’s management team must know exactly what assets are present on its networks, what vulnerabilities those assets present, and what the severity of the risk is that is associated with those vulnerabilities.

A myriad of scanning tools exist, but they are incapable of providing organizations with a single, aggregated, actionable view of cybersecurity vulnerabilities. They are incapable of providing detailed information on what assets exist on the network, which are EOL today and which will be EOL in a month or a year, which are approved or unapproved under the organization’s security guidelines, and how severe those risks are. The result is a cybersecurity posture that is reactive and always playing catch-up — in other words, at high risk.

Companies need comprehensive, actionable data to transition their cybersecurity postures from reactive to proactive.

BDNA offers a unique capability that dramatically transforms and enhances an enterprise’s existing IT data into actionable intelligence that enables smart, proactive approaches to a more enhanced cybersecurity posture.

Specifically, BDNA:

  • Extracts and aggregates data from multiple infrastructure security, configuration, and patch-management tools, to present a comprehensive view of an enterprise’s IT asset inventory.
  • Filters, de-duplicates, normalizes and categorizes that data to create a single source of truth.
  • Enriches that data with the most trusted and comprehensive technology asset information source in the world, providing EOL information, CVE/CVSS values, Windows compatibility, current manufacturer, version information, and much more.
  • Feeds that data to downstream applications that help prioritize where the most critical vulnerabilities exist so mitigation efforts are directed smartly and proactively.

BDNA’s Critical Cybersecurity Benefits

BDNA delivers a proactive cybersecurity posture through comprehensive risk visibility and actionable data. Specifically, BDNA provides these six critical benefits to enterprises of all sizes:

  • EOL Visibility. Knowing End-of-Support/End-of-Life (EOS/EOL) data for all an enterprise’s network-connected hardware and software provides more comprehensive cybersecurity risk awareness — something no other tool does. And knowing what IT assets are EOL today, and which will be EOL in the future, empowers security teams to get ahead of their risk so they can proactively mitigate them.
  • Approved/Unapproved IT Asset Visibility. It is one thing to have an approved/unapproved list of IT assets — it’s another thing to enforce it. BDNA enables security teams to know all hardware and software on their networks — including rogue assets that are unmanaged — and then break out which assets are approved and unapproved. Just as important, it tells them which IT assets on their networks are neither approved nor unapproved and need to be categorized. Actively managing hardware and software so that only approved assets are connected to or installed on the network are the first two controls of the SANS Center for Internet Security Top 20 Critical Security Controls.
  • Common Vulnerability Scoring System (CVSS) Values. Knowing the risk severity scores of vulnerabilities, as defined by the National Institute of Standards and Technology (NIST), contributes to better and more proactive decisions for how to direct limited risk-mitigation resources. (The vulnerabilities that the WannaCry attack exploit in Microsoft Server Message Block 1.0 (SMBv1) has a CVSS score of 8.5.)
  • The Marriage of EOL and CVSS Data. Plotting the enterprise’s most severely at-risk assets (as measured by CVSS values) with those at or near EOL offers a quick way to prioritize mitigation efforts and proactively neutralize ticking time bombs on your network.
  • A Single Source of Truth. BDNA aggregates data from all available discovery tools and data sources, then filters, dedupes and normalizes it. That cleansed data set is then enriched and aligned to the most trusted and comprehensive hardware and software asset information source, BDNA Technopedia®. This means that all corners of the enterprise can work from a single, manageable, and authoritative source of knowledge. That’s critical when developing and executing a cybersecurity strategy across the enterprise.
  • Greater Value for Existing Security Tools. Companies have invested heavily in numerous tools to manage IT assets, configurations, and security on their networks. Those tools deliver value, but they also have limitations in their reach and visibility. BDNA’s value is to aggregate the data from those tools and make it actionable by deduping, normalizing, and enriching it with unrivaled Technopedia market intelligence to provide a clear, comprehensive, single picture of the most critical vulnerabilities needing attention.

In the wake of the WannaCry attack, corporate management teams across the globe should be reviewing their cyber risk-management postures to determine whether they are proactive and built upon actionable data.

If not, there is no time to lose.