On Friday 12th May, malware called WannaCrypt (WannaCry/WCry) infected 75,000 machines in 150 countries and impacted 200,000 worldwide, notably Russia, Ukraine, Taiwan and India. It affected 48 NHS organisations and impacted the likes of FedEx, Nissan, Telefónica and Renault.
Over the weekend, warnings circulated that a second version, WCry2, would be released with the original coding flaw removed, threatening a whole new spate of attacks this week.
The WannaCrypt ransomware uses a US National Security Agency exploit that was publicly released in April 2017 by the hacking group calling itself ‘Shadow Brokers’. It incorporates a weapons-grade exploit codenamed EternalBlue, which the NSA used for years to remotely commandeer computers running Microsoft Windows XP through Windows Server 2012. The WCry developers combined EternalBlue with a self-replicating payload, which means WannaCrypt can spread virally across any vulnerable machines, in any organisation worldwide, without requiring users to open e-mails, click on links or take any other action.
The worm spreads across networks using a vulnerability in Microsoft's SMB file-sharing service, exploiting a flaw (MS17-010) that Microsoft patched in March for supported versions of Windows.
Unusually, Microsoft has been so concerned about the WCry threat that it has released fixes to immunise legacy versions of Windows (XP, 8 and Server 2003), which the company stopped supporting over three years ago. Any system that remains unpatched is still vulnerable and can be attacked.
The problem with legacy systems: technology debt
An important concept in IT that has gained popularity in recent years is ‘technology debt’. Large, complex organisations, particularly those where IT services are federated or where companies have merged, are likely to have an expanding mountain of legacy systems, some of which may support critical applications or infrastructure and run Out Of Support Software (OOSS) such as the legacy versions of Windows mentioned above.
Although the obvious answer seems to be simply to upgrade and patch systems, the problem with legacy software is more insidious, and the underlying remediation costs can be huge.
It can be difficult to obtain a clear picture of the remediation effort required: upgrades must follow a defined sequence of versions to reach the latest release of an operating system, and applications that depend on particular platforms need careful testing to ensure they still work after patching or a planned migration.
This is often non-trivial to achieve in IT environments with tightly constrained resources, so many institutions prioritise remediation programmes alongside other demanding pressures from the business or from regulation.
OOSS means just that: the software is no longer formally supported by the manufacturer, so expensive custom maintenance agreements must be arranged. It also means that vital security patches or fixes are provided on a best-effort basis, and the older the technology, the greater the number of known Common Vulnerabilities and Exposures (CVEs) identified against it.
Put simply, your estate will be full of security vulnerabilities and you are more at risk from attack.
A popular term used to describe the cost of remediating IT environments in this position is Technology Debt, which can be expressed as a simple formula:
Technology Debt = Capital + Liability + Opportunity cost
Capital refers to the legacy estate that must be remediated.
Liability is the additional reputational damage and availability cost from outages, breaches or corrupt data that could occur through security vulnerabilities.
Opportunity Cost is the enhancements and benefits that could have been achieved by moving to new technological paradigms, together with the resulting losses where system inflexibilities or inefficiencies hinder that move.
The higher the level of technology debt in an organisation, the greater the risk that its IT systems and services could be compromised, as the global impact of the recent WCry attack clearly shows.
In the case of the NHS, a large proportion of the organisation is still using Windows XP. With 16 trusts taken out by the malware and critical services crippled across the United Kingdom, there can be no surer justification of the importance of managing down technology debt and reducing operational risk.
Protecting your systems and data
A good cybersecurity programme must be able to identify all IT assets, understand their real risk exposure and protect them appropriately. This is just as essential as being able to detect, respond to and recover from Advanced Persistent Threats.
The NIST and SANS CSC20 cybersecurity frameworks place great importance on patching vulnerabilities and running the latest software and firmware versions. In many companies, cyber resilience work-streams focus on optimising these activities to reduce the risk of compromise. If the latest WannaCrypt event has anything to teach us, it is the importance of understanding how effective a company’s cybersecurity profile really is and realising the full extent of its technology debt.
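The two ideas above, an asset inventory that shows real exposure and the technology debt formula (Capital + Liability + Opportunity cost), can be worked together. The following Python script is an added example written for this article, not code from the original page or from any vendor: it triages a constructed host inventory by how badly placed each host is against a self-propagating SMB worm (MS17-010 patch missing, TCP/445 reachable, out-of-support OS) and totals the estate's technology debt using the formula. The host names, operating systems, cost figures and the CSV layout are all constructed sample data, and the mapping of inventory columns onto Capital and Liability is an assumption made here for illustration.

```python
"""Triage a constructed asset inventory for exposure to the SMB flaw
(MS17-010) exploited by WannaCrypt, and total technology debt with the
formula Capital + Liability + Opportunity cost.

Hypothetical helper written for this article; the inventory, host names and
cost figures are constructed sample data, not real measurements."""
import csv
import io
from dataclasses import dataclass

# Windows versions the page names as out of ordinary support; hosts on these
# need custom maintenance or replacement rather than routine patching.
OUT_OF_SUPPORT = {"Windows XP", "Windows 8", "Windows Server 2003"}

# Constructed sample inventory, one row per host. ms17_010 says whether the
# March 2017 patch (or Microsoft's emergency legacy fix) is installed;
# smb_exposed says whether TCP/445 is reachable from the wider network.
SAMPLE_INVENTORY = """\
host,os,ms17_010,smb_exposed,remediation_cost,outage_cost
mri-console-01,Windows XP,no,yes,12000,80000
file-srv-02,Windows Server 2012,no,yes,500,30000
ward-pc-17,Windows 7,yes,yes,0,5000
hr-laptop-03,Windows 10,yes,no,0,2000
lab-gateway-04,Windows Server 2003,no,no,9000,40000
"""


@dataclass
class Finding:
    host: str
    os: str
    priority: int  # 1 = act first
    reason: str


def triage_host(row: dict) -> Finding:
    """Rank one host against a wormable SMB exploit: patch state first,
    network reachability second, support status as a standing note."""
    unsupported = row["os"] in OUT_OF_SUPPORT
    patched = row["ms17_010"].strip().lower() == "yes"
    exposed = row["smb_exposed"].strip().lower() == "yes"
    if not patched and exposed:
        prio, why = 1, "unpatched and SMB reachable: wormable"
    elif not patched:
        prio, why = 2, "unpatched; only network isolation protects it"
    elif exposed:
        prio, why = 3, "patched but SMB reachable; reduce exposure"
    else:
        prio, why = 4, "patched and isolated"
    if unsupported:
        why += " (out-of-support OS: permanent debt until replaced)"
    return Finding(row["host"], row["os"], prio, why)


def triage(inventory_csv: str) -> list[Finding]:
    """Return findings for every host, most urgent first (ties by host name)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    findings = [triage_host(r) for r in rows]
    return sorted(findings, key=lambda f: (f.priority, f.host))


def technology_debt(inventory_csv: str, opportunity_cost: float) -> dict:
    """Apply the formula Technology Debt = Capital + Liability + Opportunity cost.
    Assumed mapping: Capital = remediation cost of hosts that are out of
    support or unpatched; Liability = outage/breach cost carried while a host
    stays unpatched; Opportunity cost is an estate-wide figure supplied by
    the caller."""
    capital = liability = 0.0
    for r in csv.DictReader(io.StringIO(inventory_csv)):
        unpatched = r["ms17_010"].strip().lower() != "yes"
        if unpatched or r["os"] in OUT_OF_SUPPORT:
            capital += float(r["remediation_cost"])
        if unpatched:
            liability += float(r["outage_cost"])
    return {
        "capital": capital,
        "liability": liability,
        "opportunity_cost": opportunity_cost,
        "total": capital + liability + opportunity_cost,
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"P{f.priority} {f.host:16} {f.os:22} {f.reason}")
    print(technology_debt(SAMPLE_INVENTORY, opportunity_cost=25000))
```

Run as-is, the script lists the two hosts that are both unpatched and reachable over SMB first, then the unpatched-but-isolated gateway, and reports a debt total in which the unpatched hosts dominate the Liability term. Swapping the constructed CSV for a real inventory export (with whatever columns your tooling provides) is the only change needed to use the same triage on an actual estate.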
If you are worried about how vulnerable your organisation is to the impacts of malware and want some advice on dealing with technology debt, please contact us.
Head - Cyber and Information Security & Privacy Compliance
T: +44 (0) 207 870 4031
M: +44 (0) 7411 753 359
Associate Director - Cyber and Information Security
T: +44 (0) 2017 870 4034
M: +44 (0) 7500 783 945