Think back for a second to the late 1990s (if you were alive and in the workplace), when every so often the nightly news included some vaguely apocalyptic sounding reference to a computer virus sweeping the globe. It was inevitably some flaw within the Windows Operating System and once addressed, we’d breathe a sigh of relief and move on until the next wave of malware crashed on the shore.
Over time, anti-malware software became more effective while Windows and other OS beefed up their protection. Built-in defenses like Address Space Layout Randomization (ASLR) made it more difficult to exploit OS flaws, so hackers began to target the next big thing – web applications – that lend themselves to targeted attacks instead of serving as a cyberweapon of mass destruction.
Now, in the aftermath of one stunning attack, we’ve been transported back to the 1990s and the specter of mass cyber assault. The ransomware attack known as WannaCry impacted 10,000 organizations and 200,000 individuals in at least 150 countries in one 24-hour period. In fact, many in the security industry are still feeling shockwaves from the initial attack that exploited known flaws in Microsoft XP, an OS that went end-of-life OS 2014 but is still a mainstay of many business and personal computers. Just recently Honda was forced to shut down a plant’s operations after finding infected computers.
In a recent blog post, Adrienne Hall, General Manager of Microsoft’s Cyber Defense Operations Center, said, “In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations.”
There are almost too many takeaways from this attack, but one of the primary learnings has to be that our current system of patching known flaws and protecting against zero day attacks simply does not work. And the shadowy hackers currently engineering the next WannaCry-style mass attack know that.
Every security professional knows—but perhaps has bosses who does not fully appreciate—that modern software is riddled with flaws that offer hackers myriad options of entry. Each time a patch is released it’s a sprint to see who reaches the finish line first: the security teams applying an update or the hackers who immediately add the new exploit to their automated scanners seeking vulnerable systems to attack.
Whether end-point or server side, the problem is the same. No human can keep pace with the number of vulnerabilities discovered and patches required to keep systems secure in a reasonable timeframe, at a reasonable cost. The process to fully implement a patch can take weeks, months or years depending on the amount of custom code and the complexity of the software (and organization).
Then there is the related issue of unsupported software that is at the core of mission critical processes and applications, especially in large enterprises. The exception to the rule is the organization that has all current version software and is fully up-to-date with security patches. There is no readily available quantitative data that defines the scope of this issue, but anecdotal evidence abounds.
In the WannaCry attack, the nexus of the attack was a known flaw in Microsoft Windows XP. Wildly popular and widely used, Windows XP sunset in 2014 after twelve years, but it remains in use and the recent attack prompted Microsoft to re-open the long dead software to issue a patch along with Windows Server 2003.
You can find the same issues with Java- and .NET-based web applications. Large enterprises especially get locked into a loop where they can’t update the underlying platform – say, Java 6 to Java 7 (or 8) – without breaking the application. They can’t upgrade the application without upgrading the platform. They can’t rewrite the application without spending months (or years) and millions of dollars. And so the applications continue to run on out-of-public support platforms with vulnerable code that can be exploited.
I routinely tell people that, as a community, we don’t have a problem identifying vulnerabilities. We have great tools to do that. What we have is a problem securing new and older vulnerable software.
We need to dramatically accelerate the transition to the next set of solutions that can address these issues through automation, virtualization, microservices and other proven and emerging technologies. The burden of patching can be dramatically reduced and the useful life of software can be extended – all without the time-consuming action of updating code.
It’s these newer technologies that will send mass attacks back to the 1990s where they belong.