As cybercrime continues to circle and stalk organizations, a more devastating new form of cyberattack has hit -- and it’s called WannaCry ransomware.
WannaCry uses a ransomware cryptoworm, specifically designed to target computers running Microsoft Windows operating systems. The payload is similar to most modern ransomware, as data on the device is encrypted and a ransomware payment is demanded in the form of Bitcoin. This specific type of ransomware is called a network worm, since it also includes a transport code to automatically spread on its own. Once inside, the transport mechanism uses EternalBlue to gain access and a Double Pulsar tool in order to install a copy of itself.
The major attack started in May of 2017, and within one day it was reported to have affected more than 230,000 devices in over 150 different countries. It hit major hospitals, car manufacturers, and even large telecommunications companies, yet one industry seemed to escape largely unscathed -- banking.
While banks have been among the most popular targets for cyberattacks in the past, it seems this is at least one clear instance where the banks have benefited from adopting and evolving better cybersecurity practices and controls. Let’s take a closer look at what types of practices enabled banks to avoid the WannaCry ransomware epidemic.
One of the main reasons the WannaCry ransomware epidemic was so costly and problematic was many victims had known vulnerabilities, they just hadn’t implemented the patches to fix them yet. Patching could have stopped the entire WannaCry attack before it even began. But how?
Patching involves pieces of software that are designed to update a computer program and its supporting data. All software eventually needs updating, and these patches fix security vulnerabilities and other bugs, which is essential considering today’s cybercriminals are constantly looking for a new way in. So why don’t more companies patch these vulnerabilities?
Well it’s really no surprise with everyone seemingly looking to cut costs these days, but most companies simply don’t want to spend the time and money required to implement patches. Because patching can be an expensive, tedious process, and it often interferes with critical business processes and causes issues and often a chain reaction with other software on the system. As a result, many businesses take their time implementing patches to ensure everything will work seamlessly and critical business processes are not affected. But during the WannaCry attacks, the time wasted not implementing the necessary patches was ultimately the downfall for many. So what exactly makes banks better prepared than so many others with regards to patching?
Well, as we mentioned above, the financial sector has been forced to create and implement more specific, in-depth cybersecurity controls than other industries. It’s really no surprise that financial leadership is ahead of the curve when it comes to dealing with emerging cyber threats and the constantly evolving threat landscape. In addition, the Federal Financial Institutions Examination Council actually warned the financial sector back in 2015 about the potential for digital attacks just like WannaCry, and provided a list of actions, frameworks, and control assessments to ensure their preparedness.
As such, when the WannaCry ransomware attack hit, it affected the thousands of companies that had unpatched vulnerabilities in their systems.
Fortunately the vulnerabilities exploited by the WannaCry ransomware attacks did not exist within the financial industry.
Why? Because it has become a best practice that any and all known vulnerabilities that are found by banks are patched and fixed immediately. And what many don’t know is that, more specifically, what actually saved the banks from the attack -- a simple security update.
Back in March of 2017, Microsoft found security vulnerabilities and released an update that fixed or patched the vulnerabilities. And as we alluded to above, the financial industry had the controls in place to implement these updates; unlike the vast majority of organizations that were forced to either pay a ransom to unlock their data or scramble to install the patches over the WannaCry attack weekend to avoid the malware.
Applying one simple Microsoft security update to patch known vulnerabilities could have rendered this attack useless within the networks of all organizations. In addition, for the companies that were affected, a little more digging and research could have led to the kill switch being found faster which could have greatly reduced the spread of the original attack.
However, as we all know, cybercriminals continue to develop more evasive and malicious malware (just take a look at the Petya ransomware attack), and will undoubtedly alter the WannaCry code and search for the next vulnerability to exploit. And while many may see patching as more of a band aid, the fact that banks were able to avoid the effects of the WannaCry epidemic with a simple Microsoft security update shows that patching isn’t just a quick fix for companies.
Creating and implementing an effective security program that includes proper controls and an understanding of risk to ensure critical systems and software are updated takes discipline and consistent internal assessments, however banks have clearly proven that the investment in the right controls including patching can save time and money for the organization and its employees in the short term and customers and the brand in the long term.
Another major advantage for banks when it comes to defense from cybercrime is their overall IT security maturity.
How did the banks’ security posture or control maturity level get to be where it is today? The short answer, is through change control and control assessments.
A control assessment is an essential exercise for organizations to assess the overall effectiveness of both their control and risk management processes. A control assessment will also typically include a vulnerability analysis to define and identify any security holes in the network or communications infrastructure (like the vulnerabilities exploited by the WannaCry ransomware). In addition to these types of prevention techniques, banks have consistently execute penetration tests, to check how well their computers and systems respond to an attack.
Taking a more hands-on, systematic approach and identifying vulnerabilities before managing changes made to any product or system, banks are easily able to determine when their change control and management processes are acceptable, and when action need to be taken to improve the maturity of the process or the organization as a whole. Banks have also spent years improving the maturity level of other critical security controls (CSC) like malware defense, wireless access control, and data recovery capability, which combined with their quick patching efforts have allowed them to progress ahead of other industries when it comes to their data protection and change control processes.
It may have taken banks years of getting hit with the worst and most costly cyberattacks to get to where they are today, but it certainly seems that the lessons of the past have inspired the practices and defenses of today. By placing an emphasis on the most essential security controls and expediting the often tedious process of patching, they were able to largely bypass a major epidemic that struck some of the nation’s most prominent companies and industries.
The ultimate lesson learned is that while the process of patching, executing consistent control assessments, and improving the maturity level of your security controls may seem costly and tedious, the benefits clearly outweigh the cost.