What lessons can organizations learn from the WannaCry ransomware cyberattack, which infected 300,000 PC’s across 150 countries?  WannaCry, also known as WannaCrypt, could have been easily avoided, it didn’t spread via email and the vulnerability it exploited had been fixed months before via a patch.  

An outbreak like this is indicative of failings or shortcomings in following basic security principles.  Using WannaCry as an example, we will cover how organizations can be better prepared using an assume breach stance and to be mindful of issues like technical debt. 

In the UK alone, WannaCrypt has caused havoc in hospitals, delaying appointments and vital operations putting patient care at risk. There are many other high profile examples of companies with WannaCry infections around the world.

This article isn’t specifically about how to remove WannaCry infections, it’s more aimed strategically at how organizations can reduce risk and better avoid similar cyber-attack outbreaks. Firstly, for reference, here are Microsoft's posts about WannaCrypt (WannaCry): 

• Customer Guidance for WannaCrypt attacks
• WannaCrypt ransomware worm targets out-of-date systems
• The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack
• WannaCrypt attacks: guidance for Azure customers

Microsoft provides comprehensive security products and services, much of which is integrated and enabled by default.   Taking a step back though, it’s easy to forget about the more mundane elements of protection that come from an organization culture and its preparedness for cyber-attacks.

Policy and Procedures

The author is a firm believer in that security isn't as simple as purchasing products or configuring features.  It comes from a solid foundation that is built on an organization’s culture including policies and procedures.

When looking at an organization’s competency with dealing with cyber-attacks like WannaCry, here are some questions to ask: 

• What is the cyber attack policy? How is patch management handled at a business policy level? Is there top-level management buy-in?
• Does the policy map out the cyber attack process from the infection entry point to clean-up with mitigation and other actions, in the case of an outbreak?
• Who is ultimately responsible for security in an organisation (where does the buck stop?) and do they have the resources needed to properly defend against cyber attack
• Are there contingencies in-place and are they in good shape? Are backups not only taken but regularly tested? 
• Are staff and end-users well versed in cyber-skills and being able to recognize phishing and other telltale signs of potential malicious intrusion

For example, if any end-user phones their IT Service Desk/helpdesk saying they can't access their files anymore and they are getting a message on their screen, what would happen next?  Is there a well prepared scripted response from IT staff that minimizes further infection? 

Assume Breach and Technical Debt

While the above questions are all very well, there are two areas specifically worth looking into at greater depth.

Organizations should adopt an assume breach stance.  This means expecting to be hacked and to be targeted for cyber-attack and building systems and processes around this.  This is a well-known and respected information security approach but it is not always heeded.  Without assume breach, the risk is an organization reacts to cyber attack and are not as well prepared.

With what is sometimes known as technical debt, it’s the work that tends to be put off indefinitely and poses an increased risk as a result.  This can often be the trickier pieces of work that could have blockers or dependencies that mean they often get delayed.  This could be work like upgrades, migrations, replacing legacy systems, that don’t get done as quickly as they should.  

More information:

• https://blogs.msdn.microsoft.com/azuresecurity/tag/assume-breach/

IT Systems

Now going into some more specifics, here are some additional points to consider:  

• Retire out-of-date kit, any system not supported by the vendor or where there is elevated risk e.g. Windows Server 2003 and Windows XP being obvious examples
• If legacy services can’t be replaced straight away, isolate them as much as is practical and add defence in depth measures to mitigate the increased risk
• Have firm upgrade plans in place for legacy systems and don't let vendors (ISV’s, IHV’s etc.) prevent vital upgrades
• Have robust patch management system, make it a core competency, well-versed and map out fringe cases, rogue laptops, mobile devices, kiosks, POS terminals, digital signage machines etc. that as long as they are on the network pose a potential risk
• Disable legacy protocols and adopt best practices throughout 

Summary

This reminder from Microsoft illustrates how we are all responsible for cybersecurity:

"This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support." (Microsoft's Brad Smith, President and Chief Legal Officer)

If all organizations take this on board, we can all be better prepared for the for the next WannaCrypt. Let’s not make it any easier for cybercriminals.  Even for organizations that haven’t been hit with WannaCry infections, now is a great time to shore up defences against cyber attack.