If you didn’t know about malware, you certainly do now. Ransomware, a form of malware – or malicious software – is a trojan virus designed to block access to a computer system and theoretically hold it hostage until a sum of money is paid. This past week, the WannaCry ransomware attack gained rapid attention by wreaking havoc across the globe, affecting over 200,000 computers thus far. It has affected hospitals, companies, public services and more. While it may have slowed, this ongoing ransomware attack had me thinking about a few things:
- Consumers must assume some accountability – individuals and organizations that don’t patch (update their software) in a timely manner should hold themselves somewhat responsible for being compromised.
- The NSA has to treat software secrets the same way as nuclear weapons secrets. Just because software is not tangible, doesn’t mean the threats of software weapons aren’t dire.
- Software remains the most vulnerable component in cybersecurity. Not only is WannaCry software-based malware, it exploits a vulnerability in Microsoft Windows; WannaCry itself had a coding error that essentially functions as a kill switch.
- Microsoft deserves much credit for their rapid response and for taking unprecedented steps of releasing patches for older and no longer supported versions of Windows.
The WannaCry ransomware attack was notable because it took advantage of a security flaw in Windows (its SMB protocol implementation) that came to light via a National Security Agency surveillance toolkit. Files detailing the capability were leaked online in March, though only after Microsoft, alerted by the NSA to the vulnerability, had sent updates to computers to patch the hole. Ironically (or not so much), Microsoft has wanted to disable this SMB protocol for years now, but product managers were concerned about alienating the users of millions of printers (an original IoT device) that use it and can't be upgraded.
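To make that last point concrete: an added PowerShell example, not from the original post, that audits whether the legacy SMB1 protocol is still enabled on a Windows host and shows how to turn it off once nothing (such as the older printers mentioned above) still depends on it. The cmdlet names are real; the assumption that SMB1 sessions report a dialect below 2.0 is mine.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on Windows 8.1 / Server 2012 R2 or later, where these cmdlets exist.

# Server side: is the legacy SMB1 file-sharing protocol still enabled?
$server = Get-SmbServerConfiguration
"SMB1 server protocol enabled: $($server.EnableSMB1Protocol)"

# Is the SMB1 optional feature installed at all? (Windows 10 / Server 2016+)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1 feature state: $($feature.State)"

# Is anything currently talking SMB1 to this host? Empty output is good.
# Assumption: SMB1 sessions report a Dialect below 2.0; SMB2/3 report 2.x/3.x.
Get-SmbSession | Where-Object { [version]$_.Dialect -lt [version]'2.0' }

# Remediation, only after confirming no legacy device depends on SMB1:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Leaving the two remediation lines commented out keeps the script read-only until an inventory of SMB1 clients (the printer problem the post describes) has been completed.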
While Microsoft has taken a PR hit, Brad Smith, President and Chief Legal Officer at Microsoft, was rightfully critical in his blog of both the NSA and Microsoft customers for their respective roles in the WannaCry cyberattack. In his blog, Mr. Smith writes:
"They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."
In addition to the recent exposure of CIA-stored vulnerabilities showing up on WikiLeaks, this is another example of why the stockpiling of vulnerabilities by governments is such a problem. Like all other industries that have had to make the mental shift from an offline, physical, brick-and-mortar world to an online one, strategies and skills with respect to weaponry need to change too. Agencies like the FTC, FDA, FAA and others regulate, audit and create standards for public safety. Software-run systems should be no exception. All of these industries have independent auditors, compliance mandates and recall processes. The same should apply to software.
Microsoft’s Smith also said “This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect.”
I feel Microsoft’s pain. Unpatched software remains one of the major root causes of attacks. Consumers should meet software vendors halfway and ensure their systems are up-to-date and that data gets backed up. If you back up your data, it’s a lot harder to be held hostage.
If you want to learn three quick steps to protect yourself from future ransomware attacks, check out my interview from earlier this week with Sue O’Connell’s The Talk on NECN.