Building a strong cybersecurity program for the long haul
Patch Tuesday is approaching and there is a chance it might be a boring one. Hopefully, I didn’t jinx things by saying that, but I think most of what we’ll see is a bit of volume on the third-party side. Before we get into the forecast, though, let’s talk about the recent roller coaster we’ve all been on.
WannaCry
WannaCry is a name that will hold a place in our minds similar to Heartbleed, Conficker, and many other nasty cyber threats that made a significant impact on a global scale. For me it hardly seems possible that the WannaCry attack first occurred less than a month ago. It’s been a bit of a whirlwind. On May 12 we formed a “Red Team” at Ivanti, and through that next full week we responded to inquiries for guidance, provided a full license of our patch management software to anyone in need, and worked with many companies to help them get our solutions up and running, so they could push updates across their enterprise and show clear evidence they had MS17-010 in place.
The second week out I left the U.S. for a three-week trip around the globe. I started in Australia on the Gold Coast at the AusCERT show, followed by a week of traveling down the coast to Sydney, Canberra, and Melbourne. Then I flew to London for Infosecurity Europe. It was interesting to see and hear from companies around the globe how WannaCry affected them.
Australia, for the most part, seemed less directly impacted by WannaCry, largely because their week had already ended and users had gone home for the weekend. A variety of phishing attempts were the method WannaCry used to gain its foothold in an environment, so IT teams Down Under had a little breathing room to ensure things were in order before it could affect them. Indirectly, though, the global event caused IT organizations across the country to go into response mode to ensure all systems were updated.
In the UK, the disruption of NHS (National Health Service) organizations throughout the country had a whole different level of impact. Yes, IT teams across Europe were responding to WannaCry infections, but many in the UK felt it at a much more personal level, as it affected more than just the workplace.
What are the lessons learned from WannaCry? They’re the same ones we should have learned from Heartbleed and the vulnerabilities in SSLv3. What made WannaCry so successful was the fact that it could exploit a vulnerability in an aging protocol that too many legacy systems relied on. This delayed and complicated the rollout of the SMBv1 update across many organizations, not to mention the fact that XP and Server 2003 had no update to deploy at the time of the attack. It all created a perfect opportunity for WannaCry and the several variants that followed.
Will we see another event like WannaCry? Unfortunately, the answer is yes. As common protocols like SSLv3 and SMBv1 age, vulnerabilities discovered in them will be used to rapidly spread malware or launch large-scale attacks. Software is like milk — it has a shelf life, so at some point it will expire, and when left too long will sour.
Is it possible to reduce the impact of an event like WannaCry? The good news is the answer to this question is also yes. With a good security program in place companies can weather an attack like WannaCry.
Building a strong cybersecurity program
1. Focus and prioritization are among the most important things to have in your cybersecurity strategy. For this we highly recommend turning to the Center for Internet Security’s Top 20 Critical Security Controls. PCI, HIPAA, ITIL, ISO, COBIT, GDPR, and many other frameworks are available, but the CSC Top 20 provide a level of focus that lets you maximize success with every step taken. Effectively executing on the Top 5 will eliminate the vast majority of vulnerabilities in your environment.
2. Education and awareness are also important. Security is everyone’s business. It’s easy for any of us to fall prey to phishing scams, and that’s the easiest way for an attacker to gain a foothold in your environment. The question isn’t if a phishing attempt will work on one of your users, but rather how many users it will take to find one who falls for it.
I’d like to share a very recent, personal example of how educating users about cyber threats does work. My wife of 13 years works in the school system. She deals with K-5 students every day, and cybersecurity is the last thing on her mind. Just a few weeks ago, though, it moved to the front of her mind when she received an email from eBay saying she’d won her auction for $1,800! Phishing commonly takes this form: attackers use a very common name or brand (eBay), make the bait plausible (you won your auction) and trigger a strong response ($1,800 on an auction you know you did not bid on). Most people would react without thinking and click to view the auction to see what’s going on. My wife, though, stopped and did a double take. She thought through the fact that she hadn’t logged into eBay for months, and then she showed me the email. She doesn’t listen to me often, but in this case she did and it paid off.
3. The final guideline I’ll offer is that you should have a layered approach to security for your environment. AV, while not unimportant, is not a catch-all security feature. In the case of WannaCry, it was reported that only 30 percent of the AV vendors could prevent the attack by the end of Day One. No one security control can defend against the threats out there today.
Let’s look at why that is, using WannaCry as an example. As I noted, this threat started with a variety of user-targeted attacks. One of those was a DocuSign phishing attempt that used a compromised DocuSign database of customer email addresses.
Targeted at executive-level customers, the email was designed to look like DocuSign sent it, and it claimed that attached documents were ready for signing. In other words, it presented a very plausible situation that the user would react to without thinking about it too long. In this case an email gateway, user education, and application control would have been effective methods to block initial entry into the environment. In fact, our email gateway at Ivanti thwarted several instances of this particular phishing attempt. Once on a system, though, WannaCry used the EternalBlue vulnerability in SMBv1 to spread rapidly to other systems. At that point, it’s patching that would have prevented the spread.
The CSC Top 5 focus on several security controls that provide an effective defense-in-depth strategy, starting with discovery of authorized and unauthorized hardware and software. In short, if you can’t see it, if you don’t know about it, you can’t secure it or protect against it. Next up are secure configuration, continuous vulnerability assessment and remediation, and managing user privileges.
In practical terms, that means patching the applications and the operating system, managing privileges, and controlling which applications can run. Done effectively, these measures could have significantly reduced the impact of WannaCry.
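As an added illustration (not code from the original post or from Ivanti), here is a PowerShell check that applies the first of those controls to this specific case: it inventories hosts for the legacy OS versions, the SMBv1 state and the MS17-010 presence discussed above, and flags what is at risk. It assumes WinRM remoting to the targets, and the KB list is a labelled placeholder to be filled with the MS17-010 article IDs for your OS builds.

```powershell
# Added example, not from the original post. Read-only inventory of the three
# WannaCry-relevant facts per host: legacy OS (XP / Server 2003, which had no
# fix on May 12), SMBv1 server still enabled, and an MS17-010 hotfix present.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # PLACEHOLDER: replace with the MS17-010 KB article IDs for your OS builds
    [string[]]$Ms17010Kb = @('KBxxxxxxx')
)

foreach ($target in $ComputerName) {
    $result = [ordered]@{ Host = $target }
    try {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
        $result.OSVersion = $os.Version
        # NT 5.x is XP / Server 2003: out of support, no update available at the time
        $result.LegacyOS = $os.Version -like '5.*'

        # SMBv1 server state from the LanmanServer parameters key; a missing value means enabled
        $smb1 = Invoke-Command -ComputerName $target -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -ErrorAction SilentlyContinue
        }
        $result.SMB1Enabled = ($null -eq $smb1) -or ($smb1.SMB1 -ne 0)

        # MS17-010 counts as installed if any listed KB appears among the host's hotfixes
        $installed = Get-HotFix -ComputerName $target -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
        $result.MS17010Installed = [bool]($Ms17010Kb | Where-Object { $installed -contains $_ })

        # At risk: SMBv1 exposed without the fix, or an OS that cannot be fixed at all
        $result.AtRisk = $result.LegacyOS -or ($result.SMB1Enabled -and -not $result.MS17010Installed)
    } catch {
        # Unreachable or unknown hosts are exactly what the discovery control is meant to surface
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}
# Usage: .\Check-Smb1Exposure.ps1 -ComputerName srv01,srv02 -Ms17010Kb KB... | Format-Table
```

Hosts that error out deserve as much attention as those flagged AtRisk: a machine you cannot reach or enumerate is one you cannot confirm is patched.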
Patch Tuesday, June 2017
With all that said, I’ll circle back now to our forecast for Patch Tuesday, June 2017. Here’s what I’m predicting we’ll see:
- You can pretty much guarantee an update for Flash is coming next week.
- It’s also been a while since we saw updates for Adobe Acrobat and Reader, so there’s a strong possibility there.
- Firefox 54 will likely be coming next week, and there’s a pending update for Opera that will probably land before Patch Tuesday but is on its way regardless.
- And, finally, Google Chrome has just had a release, so I would say there is a maybe for Chrome next week, but likely only if it is needed to update Flash.