Here’s what I’m reading this week:
Tired of Wanting to Cry Yet? It’s impossible to talk about cybersecurity over the last week without considering WannaCry, the malware that exploded onto the world scene last Friday, and then vanished with a whimper early this week. There has been a massive amount of digital ink spilled about WannaCry already, so I will confine my contribution to the following point.
WannaCry isn’t the real problem. It isn’t even the only major malware epidemic to exploit the underlying SMBv1 vulnerability. And the SMBv1 vulnerability isn’t the problem either; it is a symptom. The real problem is that we have seen vulnerabilities like the one WannaCry exploited before (Heartbleed, anyone?), and we will see more. If organizations can’t keep up with these threats when they have a two-month window in which to patch, we have a serious problem.
Patching is obviously the only long-term solution, but patching in today’s world of increasingly complex systems just isn’t well-suited to rapid response. Evaluating all the implications of patching a system, and then doing it in a way that works, often takes time. If you do it faster, you don’t just risk breaking something – you risk creating greater complexity as you lay patched systems over other systems, which is where these vulnerabilities come from in the first place.
Rather than focusing just on patching everything as fast as possible, we should be breaking the problem down into its component parts – why not just block SMB where it isn’t being used, then patch the remaining systems? This focuses the problem and reduces the number of systems we have to patch quickly. Maybe it even makes sense to block SMB everywhere temporarily to give security teams time to patch at a slightly more reasonable pace. This would interfere with network file shares, but a temporary service degradation might be better than not getting patches up in time or doing a slipshod job.
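A host-level version of that triage, as an added example that is not from the original post: it checks whether SMBv1 is enabled and whether the host is actually serving SMB, hardens an idle host (SMBv1 off, inbound 445 blocked) and flags a busy one for priority patching. It assumes an elevated session on Windows 8 / Server 2012 or later with the SmbShare and NetSecurity modules; the rule name and the "in use" heuristic are this example's own choices.

```powershell
# Added example: triage one Windows host in the spirit of "block SMB where it
# isn't used, then patch the rest". Needs an elevated PowerShell session on
# Windows 8 / Server 2012 or later. Run with -WhatIf first to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$smbConfig = Get-SmbServerConfiguration
$smb1On    = $smbConfig.EnableSMB1Protocol

# Heuristic (this example's assumption): SMB is "in use" if any non-default
# share is defined or any client has a session open right now. Default admin
# shares (C$, ADMIN$, IPC$) are excluded so an idle host is not misclassified.
$customShares = @(Get-SmbShare -Special $false)
$sessions     = @(Get-SmbSession -ErrorAction SilentlyContinue)
$smbInUse     = ($customShares.Count -gt 0) -or ($sessions.Count -gt 0)

Write-Host ("SMBv1 enabled: {0}; custom shares: {1}; active sessions: {2}" -f
    $smb1On, $customShares.Count, $sessions.Count)

$ruleName = 'Block inbound SMB 445'   # example's own rule name

if (-not $smbInUse) {
    # Idle host: remove the exposure outright and take it off the urgent list.
    # Note the 445 block also stops remote admin-share access to this host.
    if ($smb1On -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Block inbound TCP/445')) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block | Out-Null
    }
    Write-Host 'Result: SMB not in use; hardened. Patch on the normal schedule.'
}
elseif ($smb1On) {
    # Busy host still speaking SMBv1: this is where the scarce patching time goes.
    Write-Warning 'Result: SMB in use with SMBv1 enabled. PRIORITY: patch this host now.'
}
else {
    Write-Host 'Result: SMB in use but SMBv1 already disabled. Patch on the normal schedule.'
}
```

Run it across a fleet (for example via Invoke-Command) and the warnings alone give you the short list the post is asking for: the machines that must be patched first.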
There will be more of these, so we’ll have plenty of chances to refine our approach. We just need to remember that patching isn’t the only tool security teams have, even if it is a vital one. And it works better if you combine it with other tools so that you have the time to get it right.