WCry Ransomware

WCry highlights concerns with existing cyber-security approach

By now, the damage from the WCry ransomware that blitzed computer systems around the world on Friday (12 May 2017) appears to be slowing down, following the discovery of a “kill-switch” domain in the worm.  Even so, the outbreak hit multiple high-profile systems around the globe and exposed critical flaws in the IT security practices and infrastructure of a large number of companies and government agencies, perhaps most notably the NHS.

The WCry ransomware spread using a trove of cyberwarfare tools that was stolen from the NSA’s Equation Group last year and subsequently published online by the so-called “Shadow Brokers” group in April 2017.  Among the tools in that leak was ETERNALBLUE, the NSA’s codename for an exploit targeting a flaw in Microsoft’s SMBv1 file-sharing protocol.

However, the vulnerability was already known to Microsoft, which patched it across every supported version of Windows in critical security update MS17-010 on 14 March 2017.  The machines that fell to WCry were those that had not applied the patch, or were running out-of-support versions such as Windows XP and Server 2003, which only received an emergency fix from Microsoft after the outbreak began.  The attack could also be counteracted by switching off that file-sharing functionality, that is by disabling SMBv1 on hosts, or by blocking inbound TCP port 445 at the network boundary.  Given that Microsoft had delivered a technical solution two months earlier, the widespread failure that led to last week’s crisis has another cause.
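As an added illustration (not from the original post), the following PowerShell script audits a single Windows host for the two mitigations described above, the MS17-010 patch and the SMBv1 setting, and can optionally apply the second one.  It assumes an elevated PowerShell session.  The KB numbers in $Ms17010Kbs are the Windows 7 SP1 / Server 2008 R2 identifiers from the MS17-010 bulletin (security-only and monthly rollup) and must be replaced for other Windows versions; the function and rule names are the author’s own choices for this example.

```powershell
# Added example, not part of the original post: audit one Windows host for the
# MS17-010 patch (14 March 2017) and for SMBv1 being enabled, then optionally
# disable SMBv1 and block inbound TCP 445. Run from an elevated PowerShell session.
# Assumption: the KB numbers below are the Windows 7 SP1 / Server 2008 R2 ones.
param([switch]$Remediate)

$Ms17010Kbs = @('KB4012212', 'KB4012215')   # security-only / monthly rollup for Win7 SP1 and 2008 R2
$SrvParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    # Heuristic: $true if one of the listed KBs is present. A later cumulative
    # rollup carries the same fix without listing these IDs, so treat $false as
    # "investigate", not "vulnerable"; the srv.sys version below is the tie-breaker.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
    foreach ($kb in $Ms17010Kbs) { if ($installed -contains $kb) { return $true } }
    return $false
}

function Get-SrvSysVersion {
    # srv.sys is the SMBv1 server driver that MS17-010 replaced; compare the
    # reported version against the file version the bulletin lists for your OS.
    $path = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    if (Test-Path $path) { return (Get-Item $path).VersionInfo.FileVersion }
    return $null
}

function Test-Smb1Enabled {
    # Windows 8.1 / Server 2012 R2 and later expose the setting as a cmdlet;
    # Windows 7 / 2008 R2 only have the registry value (absent means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $value = (Get-ItemProperty -Path $SrvParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1 {
    # Turn the SMBv1 server off and block inbound 445 as a belt-and-braces measure.
    # The registry route needs a reboot before the server stops answering SMBv1.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $SrvParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    netsh advfirewall firewall add rule name="Block inbound SMB (TCP 445)" dir=in action=block protocol=TCP localport=445 | Out-Null
}

# Summary report for this host
[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    Ms17010KbPresent = Test-Ms17010Installed
    SrvSysVersion    = Get-SrvSysVersion
    Smb1Enabled      = Test-Smb1Enabled
} | Format-List

if ($Remediate -and (Test-Smb1Enabled)) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled and TCP 445 blocked inbound; reboot Windows 7 / 2008 R2 hosts to finish.'
}
```

Run it without arguments to report, and with -Remediate to apply the change.  Note that the firewall rule blocks all inbound SMB, including SMBv2 and SMBv3, so it is appropriate for workstations and emergency containment but will break legitimate shares on a file server; there, disable SMBv1 alone and rely on the patch.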

Human Error and Cost-cutting

IT departments can be notoriously lax in applying security updates for Windows, even though best practice is to apply critical security updates as soon as they are available. Many companies delay doing so because they fear that patches may break Windows or other program functionality, which is not an entirely unfounded fear.  Companies also tend to rely on additional security software in lieu of prompt updates, and such software is frequently substandard and of little help in actually securing computer systems against an exploit for an unpatched flaw.

The second issue, which is harder to resolve, is that of budget cuts within departments and agencies.  Security is always a tempting target for any kind of cost-saving measure, as it is often seen as a form of insurance or hedging against an unlikely event.  This appears to be the main reason why the NHS was so severely affected: the government let its central contract with Microsoft for extended Windows XP security updates lapse in 2015 and instead pushed the cost onto local NHS providers, who were themselves suffering under budget cuts and so unable to afford it.  In addition, it appears the government ignored warnings last November about critical flaws and a lack of secure computers in the NHS.

The bigger picture

A larger issue, beyond that of what individual companies or departments can do, is that of government focus with regards to the cybersecurity domain.  The focus has been on using NSA and GCHQ for offensive cyber-operations against overseas targets, rather than on improving cyber-security in the UK and USA.

Consequently, flaws and exploits like ETERNALBLUE are kept secret for perceived advantage, rather than being disclosed so that vendors can plug the gaps in domestic networks and provide a more stable internet.  Until that perception changes, along with a more proactive approach from security consumers, future attacks with a similar scope to WCry are almost guaranteed.

Marc Simms is an occasional blogger for Proelium Law LLP. Marc holds an MLitt in Terrorism Studies and a Masters in International Relations, both from St Andrews. His particular interests are in emerging international security issues, unconventional warfare, and terrorism.
