The general media, the Web, the Twitterverse, and my email have been alight over the past few days regarding the WannaCry ransomware outbreak. And to answer the question in the name, yes I do wannacry! Little did I know I would need an almost immediate follow-up blog to my recently published one that was subtitled "If You Don't Like This Minute's Newsworthy Cyberattack, Wait a Few, There Will Be Another One." My tongue-in-cheek subtitle was almost literally correct. But then again, in the world of IT security, predicting another major outbreak is as sure a thing as betting on a horse race that finished hours earlier.
I am certainly somewhat annoyed with the NSA for creating the EternalBlue exploit and apparently getting pwned by the ShadowBrokers, with their hacking tools falling into the wild. I am also annoyed with Microsoft for creating a critical "worm-able" Windows vulnerability in the first place. And I am more than a little angry at the cybercriminals for putting all of this together into a full-fledged, global ransomware attack. However, I don't "wannacry" because of them. They are doing exactly what they were formed to do: spying, building and maintaining complex software, and stealing money, respectively. What I really wannacry over is the incredibly weak security practices that still exist in so many organizations.
It's really true that ransomware is a tax on poor security practices. Do you think you were saving money by not upgrading from Windows XP when it went EOL, or by slow-rolling your vulnerability patching program? What about your use of a basic anti-spam solution when you should have been using a modern secure email gateway? And what about shortchanging your network security investments, security-team staffing, backup-and-recovery, and user awareness programs? These types of well-publicized attacks serve to shine an unflattering light on these areas of endemic security underinvestment. And the cybercriminals' role is to extract this tax on that underinvestment.
If you're looking for some tactical advice on how to be better prepared for WannaCry and its likely variants, check out this blog from my Mimecast colleague. When you are out of firefighting mode and want to reassess the defenses currently provided by your incumbent email security system, contact Mimecast to discuss our Email Security Risk Assessment program and your particular security priorities.