This month’s ferocious ransomware attack, known as “WannaCry,” spread across the globe with astonishing speed and breadth, freezing more than 300,000 computers in an estimated 150 countries. Management teams at every corporate, government and not-for-profit organization should now be reviewing lessons learned from that experience.
The biggest takeaway from the WannaCry experience is this: effective cybersecurity is mostly about having good actionable data to tell you where your highest priority vulnerabilities are.
Here’s why: as with most large-scale cyberattacks, the WannaCry ransomware exploits vulnerabilities that are already known and understood. In this case, the vulnerability is called “EternalBlue,” which was released online in April by a hacker group called the Shadow Brokers.
The EternalBlue vulnerability, reportedly developed by the National Security Agency, exploits weaknesses that affect older versions of the Microsoft (News - Alert) Windows operating system. Roughly 98 percent of computers affected by WannaCry run Windows 7, according to Kaspersky Labs. Most of the remaining computers affected were running Windows XP or were clients of Microsoft’s Windows Server 2008 R2 operating system, which is built on the same kernel used in Windows 7.
But even though the EternalBlue vulnerability was known, it was nevertheless successfully exploited with devastating results. In fact, the most frequently exploited cybersecurity vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs), date back many years. (WannaCry is entry CVE-2017-0144 in the national CVE registry, which is maintained by The MITRE Corp).
These vulnerabilities continue to be successfully exploited by hackers and malware because end-of-life (EOL) and end-of-support (EOS) software and hardware continue to live on many organization’s networks without the knowledge of IT staff.
In many cases, organizations knowingly keep outdated software and hardware running because of fears that replacing them will disrupt legacy applications and systems. But in those cases, organizations often do not fully understand the larger cyber risks they open themselves up to.
This is where good actionable cyber risk intelligence is so critical.
Many organizations do not manage their EOL software. In fact, a recent BDNA survey found that 52 percent of responding organizations do not have a process for handling EOL software.
As we have seen with many recent cyberattacks, including the WannaCry ransomware attack, the consequences of this are too great to ignore. Software vulnerabilities in commercial products are the biggest source of data breaches in the enterprise. Not managing end-of-life of enterprise applications has major implications on enterprise security, compliance, and the ability to enforce critical processes.
The challenge in doing this is that technology vendors don’t always diligently publish the EOL dates for their software, leaving IT teams to their own devices.
The results are troubling. In one organization with more than 550,000 software installations, 56 percent of its software was found to be EOL, posing a very high security risk. More than 6,350 instances of the software installed had come to EOL more than 14 years before and included applications from Microsoft, SAP (News - Alert), IBM, Symantec and more.
This is where asset management tools that automatically provide visibility into the entire asset lifecycle, including EOL dates for application software, become extremely useful. Such tools go beyond providing visibility into IT networks because they are able to analyze the database and alert IT managers about what assets are EOL, nearing EOL, approved and unapproved and/or out of configuration. This increased awareness allows organizations to not only be proactive about their security needs, but also enables them to leverage their data more effectively.
To make smart decisions about cyber risk, an organization’s management team must know exactly what assets are present on its networks, what vulnerabilities those assets present, and what the severity of the risk is that is associated with those vulnerabilities.
A myriad of scanning tools exist, but they are incapable of providing organizations with a single, aggregated, actionable view of cybersecurity vulnerabilities. They are incapable of providing detailed information on what assets exist on the network, which are EOL today and which will be EOL in a month or a year, which are approved or unapproved under the organization’s security guidelines, and how severe those risks are. The result is a cybersecurity posture that is reactive and always playing catch-up — in other words, at high risk.
Companies need comprehensive, actionable data to transition their cybersecurity postures from reactive to proactive.
In the wake of the WannaCry attack, corporate management teams across the globe should be reviewing their cyber risk-management postures to determine whether they are proactive and built upon actionable data.
If not, there is no time to lose.
About the Author
Walker White is president of BDNA. Joining the company in 2002, he originally served as Chief Technology Officer before becoming president in 2014. Prior to BDNA, Walker had a 13-year career at Oracle (News - Alert), working as chief technologist in Oracle Service Industries. He holds a B.S. in computer engineering from the University of California, San Diego.