WannaCry Exposes Defense Supply Chain Vulnerabilities
The launch of WannaCry, a strain of leaked National Security Agency ransomware, affected more than 300,000 computer users in more than 150 countries in May.
The attack — which operated by encrypting a computer’s data, then demanding a payment of $300 in bitcoins under the threat of deleting all files — has since been labeled one of the largest operations of its kind in the internet’s history.
At particular risk were organizations that did not update their current operating systems and those running older versions of Microsoft Windows, primarily Windows XP and Windows Server 2003, whose systems had not been updated with security patches since 2014.
The ransomware utilized a backdoor implant tool known as DoublePulsar to exploit a weakness in Microsoft’s server message block to initiate the attack, and once active, spread itself across a vulnerable network. Its victims included FedEx, Deutsche Bahn and Britain’s National Health Service, among many others. The ransomware package is said to have originated from an NSA-utilized technology known as EternalBlue, which was leaked earlier this year.
As the global computer security community races to rectify the vulnerabilities exposed by WannaCry, experts fear the potential of a similar incident. While the attack itself was remediated through the discovery of a kill switch left in the ransomware’s code, its widespread effectiveness in shutting down entire networks provided an alarming example of the consequences of poor cyber posture.
The Defense Department supply chain — a critical segment of the nation’s infrastructure — is particularly vulnerable to high-profile targeting: with valuable assets and limited protection, it may present itself as a hacker’s paradise. As one of the largest and most operationally volatile supply chains in the world, an attack on this key resource could have potentially catastrophic effects. It may inhibit the military’s ability to respond to a contingency. Fortunately, there are several useful takeaways from the incident, including recommended best practices to ensure the global end-to-end security of the supply chain.
The worm took advantage of the well-known fact that many organizations do not patch and update their operating systems in a timely manner. While it is common practice for many larger enterprises to wait to adopt a new release, often due to internal policies, this processing period creates network vulnerabilities. Flaws in these systems are publicly released by ecosystem providers as release notes, or features denoted in the latest update. Their exposure is thus immediately recognized as a potential attack point, and left unprotected, offers opportunities for network infection.
In the case of small and medium-sized businesses, delays in deploying new software patches can often be linked to a lack of sufficient resources.
Often, a smaller or mid-sized business fears a loss of productivity due to taking the time needed for their systems to update. Some updates can be costly, or require out-of-house IT expertise. In other cases, a lack of knowledge can be at fault.
Whatever the case, small and medium-sized businesses are a prime victim for cyber attacks. While the profile of a large enterprise has marquis value, the sheer quantity of susceptible targets associated with the small business environment makes it tempting prey. Furthermore, the SANS Institute estimates that 80 percent of all cyber breaches began in the supply chain.
An entry point in one tier can have significant flow-down effects on the entire chain. In the case of WannaCry, the ransomware possessed the ability to infect entire connected networks from the entry point of a single vulnerable computer — meaning that one vulnerability was enough to paralyze the entire system.
It may appear counter-intuitive to alter a solution that works for business processes. Often, networking gear can disguise itself as functional — performing in accordance with its usual standards — long after its manufacturer labels it as at the end of its life. Just as software vulnerabilities are published alongside updates, network gear makers also publicize the flaws of their older products, and hackers are well aware of these potential entry points. Thus, it is important to note the viability of hardware, and plan for new solutions before their expiration date — no matter how functional they may appear to be.
Surveying the cyber posture of an entire network can be daunting, especially from the inside. With so many devices running critical operations across a complicated map of software, getting the big picture can seem impossible. How can a business secure its investments without an accurate understanding of the complete operational environment to be defended?
Fortunately, there is an industry-recognized process already in place, and it begins with a vulnerability assessment — the first step in securing a network. The assessment consists of listing the valuable assets within an organization.
Within a vulnerability assessment, outdated software systems and end-of-life devices, as well as all of their network connections, are identified. Basic controls for this include a complete inventory of devices for both public and private networks, with detailed information regarding the device’s location, function and department, as well as a complete inventory of software present on the network and its relevant information: its version, deployment, patch level and whether it is authorized or unauthorized.
It is also important to gain an overview of network ports, protocols and services — evaluating the necessity of these whether they are critical or unnecessary — checking that they are up-to-date and fully operational.
Vulnerabilities in network infrastructures are often the results of change.
This may be the work of the business, ecosystem provider, device manufacturer or industry. The pressures of business operations are often the focus of an enterprise’s technology efforts, and in most cases, businesses do not have the time to drill into minute network details, especially on an ongoing basis. And yet, continuous monitoring of the network is critical in identifying behavioral changes, which can lead to a hack. This level of monitoring allows for constant notifications of suspicious activity.
Continuous monitoring best practices include running vulnerability scans on at least a weekly basis. It is also useful to compare these weekly scans against one another on a regular basis to ensure legitimacy and get a full scope of when and where changes are likely to occur.
Being aware of vulnerabilities is not enough — a business must act quickly to remediate security flaws and implement long-term solutions. A survey conducted by the National Cyber Security Alliance revealed that approximately 59 percent of small and medium-sized businesses in the supply chain currently lack a contingency protocol in the case of a data breach — meaning that over half of the suppliers interviewed are not equipped to report or respond to a cyber attack.
Once an assessment has been completed, remediation on the critical items that are potentially damaging to an organization should be implemented. Some examples of these critical actions items may include, but are not limited to, moving business-critical devices to private networks, automating software patching, removing excessive ports and educating all system users on protecting their assets.
Proactive small and medium-sized businesses — keen on expert, outside assistance — will be able to effectively keep their company, employees, assets and customers secure.
Running a modern business requires much more consideration than ever before. With the constant threat of breach looming 24 hours a day, seven days a week, cybersecurity is an absolute must for a company to stay protected and fluid.
And while enhancing cyber posture is a significantly greater challenge for small and medium-sized companies — who face limited resources and act in a limited capacity — it is by no means impossible to achieve. The best practices, as outlined above, can be thought of as a guideline to avoiding attacks from ransomware such as WannaCry.
The incident has exemplified just how easily vulnerabilities are identified and taken advantage of, but it has also revealed how easily an attack like this one could have been avoided if a proactive, continuously vigilant approach to cybersecurity had been adopted by companies across the board.
While the balancing act of improving cybersecurity is not the defense supply chain’s only objective, businesses are always concerned with reducing costs and improving performance. The emergence of new federal compliance regulations, as published by the National Institute of Standards and Technology, enforce the importance of this goal. These regulations mandate compliance with cybersecurity standards by the strict deadline of Dec. 31, and a supplier’s failure to comply can result in both the loss of existing contracts and the inability to earn new ones.
With so much at stake in the networked world of enterprise, it is time that owners and CEOs, who have a fiduciary responsibility, take a stronger interest in looking to the cybersecurity experts serving the top echelons of enterprise.
After all, as the statistics show, it’s not a matter of if but a matter of when a breach of cybersecurity will hit close to home. For the Defense Department’s supply chain, the risks of losing intellectual property and precious data affects both the jobs of the suppliers and potentially the nation’s military posture, making its protection an absolute necessity.
Brian Berger is the executive vice president of commercial cybersecurity for Cytellix, the cybersecurity division of Information Management Resources Inc., a privately held cybersecurity managed service provider specializing in proactive situational awareness.