By this point, most technology practitioners — and nearly all security practitioners — know about WannaCry. In fact, you might be sick of people analyzing it, rehashing it, sharing “lessons learned” about it, and otherwise laying out suggestions — in some cases, contradictory — about what you might do differently in the future. To the security practitioner, the level of unsolicited advice (frankly) borders on the annoying.
That said, there is one avenue that seems to be underexplored: namely, the opportunity for frank and productive discussions with executives about security goals using WannaCry as an illustrative case study.
WannaCry was serious enough — and impactful enough — to create a lasting impression on many organizational senior leaders. To the astute technology or security practitioner, that represents an opportunity not available under normative circumstances: to forward critical items on the security agenda and potentially realize outcomes that are harder to sell without a concrete example to highlight.
With that in mind, below are a few “talking points” — conversations that can be initiated with senior management — along with the underlying issues and potential positive outcomes to address key problems that many organizations have. These are suggestions. Practitioners should adapt these talking points to their own environment, of course, or improvise based on their own particular needs.
Point 1: Threat Intelligence and Situational Awareness
One of the noteworthy things about WannaCry is that it didn’t come entirely out of the blue. The vulnerability that served as the exploitation vector for WannaCry (CVE-2017-0144) was addressed by a Microsoft Security Bulletin (MS17-010) on March 14, while the exploit code (EternalBlue) was released into the public by the Shadow Brokers hacking group on April 14.
There was plenty of time to act if one knew where to look. There’s no shame in not seeing this coming, though. Whether organizations have the bandwidth for threat intelligence or systematic situational awareness is a function of budget, staff, priorities and available time.
For organizations caught by surprise — which, according to data from ISACA’s State of Cyber Security 2017 survey was most organizations (53 percent) — now is a perfect time to address resource allocation around that situational awareness.
One approach is to frame it around remediation time and expense compared to the outcomes had these capabilities been resourced. There’s a dollars-and-cents argument, supported by the facts of WannaCry itself, that can lead to an outcome of investing in this capability.
The outcome here is additional resources or investment in commercial threat intelligence to tip off the security team to items of this type so they know when to take action and can separate the noise from the critical issues.
Point 2: Patching and Risk Management
Situational awareness is useful only to the extent that it informs our behavior. Given that a patch was available to address the underlying SMB issue for some time, those non-IT professionals might say, “Fixing is simple — just patch.” However, as IT pros know, it’s not simple at all.
Legacy or critical-but-rickety business applications, as well as other unique situations, sometimes require kid gloves where patching is concerned. These might include testing before applying patches, a shakeout period for patches (sometimes extensive), vendor involvement, or any number of other factors that could impede the application of patches.
A robust patch management process typically will factor in the risk associated with a given vulnerability (either that assigned by the vendor or a common standard such as CVSS) and make the decision about when and how to patch in light of the potential risks.
Of course, this is a task likewise predicated on resource availability, budget and available time. Just like the situational awareness issue, a well-timed discussion about when the right time might be to fast-track a patch — or to ramp up priority, even in cases where there is a risk of production downtime — is a useful conversation to have.
Discussions about changes to patching, potentially even discussions around tool investment, can be framed around seeking an outcome of increased investment in patching and risk management, or greater leverage with business teams that might push back on the potential for production downtime.
Point 3: Attack Surface Reduction
During the height of the WannaCry crisis, many users and IT staff — even technically astute ones — were under the impression that its propagation vector was email. Given the volume of phishing attempts and email-borne malware, coupled with the long duration since the last network-propagating worm attack, they assumed that suspicious attachment blocks, email filters, or user training would prevent WannaCry.
Now, it should be clear to most that the vector was SMB (TCP ports 445 and 139, UDP 137-138) and not email. In the heat of the moment, that misperception can lead to a false sense of safety; it also begs the question of why organizations are allowing inbound SMB in the first place.
It goes without saying that there can be a benefit to reducing the attack surface associated with nodes in our technology ecosystem (whether on premises or off). That said, it can be contentious in situations where a reduction in attack surface potentially would impact — or further complicate — legitimate business usage.
Now, saying “attack surface reduction” to an executive likely will result in a blank stare — but using the example of WannaCry, along with a discussion of the goal of minimizing the exposure window, won’t.
There are a few outcomes that can be achieved with this line of discussion. One is increased leverage and the ability to push back with business and other technology teams. Another is an increase in resources associated with analysis of attack surface, such as systematic application threat modeling. A third is an uptick in testing performed, such as vulnerability assessment tools or penetration testing.
These are, of course, only a few of myriad potential discussions that you might engage in with senior leadership. The goal: Leverage the real-world and impactful example of WannaCry to forward necessary and important goals that serve the betterment of the organization.
Of course, you’ll want to make sure to couch what you say in verbiage and language that will resonate with them. Have the facts at your fingertips — particularly in terms of organizational impact. Avoid jargon, stay focused on outcomes, and resist the urge to “show them the math.”