It was basically only a question of time. Sooner or later, it was clear that cyber-criminals would get their hands on a security flaw that would help them start the scale of attack we saw recently. Nevertheless, its effects still surprised everyone – there were reports practically every minute about newly-infected hospitals, carmakers and transport companies.
It made us see how weak our entire digital infrastructure really is. Despite quick-fix security measures, including a patch for obsolete operating systems, companies are not all protected against infection – far from it. That’s because updates and patches are not even an option for many of them. Effective protection needs to start at a completely different level.
Encryption Trojans themselves are certainly nothing new. The unusual factor in this case was the way it spread – a combination of various tactics that made it extremely effective. Once the WannaCry malware has infected a system via a malicious link in a spam mail, it is able to reproduce itself like a worm by exploiting a security flaw. The result: a snowball effect that has apparently infected over 200,000 systems in 150 countries.
The road to hell is paved with good intentions and many companies affected by WannaCry will think that when they hear people say: “If only you’d upgraded to a current operating system. Windows 10 has been protected by a patch since March.” That’s certainly a valid argument at first glance. But unlike most home users, companies are not always in a position to just update their IT infrastructure whenever they feel like it – or even when necessary.
“Never change a running system” and other obstacles
We only need to look at business-critical infrastructures like production machines in manufacturing companies. For security reasons, their control systems may not allow any modifications – and that’s why many production systems are still running on old software like Windows XP. That won’t change anytime soon because traditional machines are designed to run for decades. As a result, replacing a company’s entire fleet of machines with new ones is clearly not an option. There’s a similar situation in highly-regulated industries like automotive and healthcare – they are often subject to stringent compliance requirements that forbid any system modifications.
Even if there are no objective obstacles to applying patches or updates, other factors – such as a lack of time or money – ensure that even critical security updates are only installed after a long delay, if at all. We can still remember the SSL security flaw Heartbleed in 2014: three years after the flaw was made public, hundreds of thousands of systems connected to the internet were still unpatched. The reason is obvious: in large IT installations with several thousand or tens of thousands of systems, applying patches requires a huge amount of time and money. Companies also subscribe to the adage “never change a running system” and are unwilling to take the risk of applying updates with errors and – in the worst case – paralyse their entire production.
Microsoft again reacted extremely fast in this case. Faced with the huge scale of the attack, it even provided a patch against the security flaw for older Windows versions that are no longer supported, such as XP and Server 2003. Nevertheless, there are multiple reasons why even that is not a practical way for many companies to protect their internal systems against infection with WannaCry malware.
This cyber-attack should serve as an eye-opener for us all. Not only as an indicator of the importance we should place on IT security in this era of all-encompassing digitalisation, but also to illustrate the fact that this new reality requires a completely new approach to security. Instead of protecting each PC, machine and other internet-enabled device individually, security should be provided on an overarching level: centrally and universally across the entire enterprise.
Cloud-based security solutions anchor their protection mechanisms directly in the cloud – for example, installed within the internet provider’s infrastructure. All of the customers’ internet traffic is routed via this discrete security system, regardless of the customer’s devices, their operating systems or even their local protection solution. The traffic is searched for threats before the malicious files can get anywhere near the company. That effectively forestalls the initial infection with no need for any system modifications.
by Dennis Monner, CEO of German-based IT security firm Secucloud.