WannaCry: Don't Believe the Hype
The media hype machine has gone into overdrive about WannaCry. It made the US national televised news. It’s in my family’s Twitter feed. It’s got sponsored ads from countless security companies. It’s officially “big” news.
But many have gone way over the top with the excitement about this attack. This isn’t game over for businesses. It’s just another in a series of exploits and attacks that are making their way into mainstream news.
Interestingly, many “regular people” have approached me over the last couple of days and asked me about the attack. “You work in security—Is this the worst thing ever? Is it unstoppable? How much money do you think these attackers are making?” Conversations with security minded folks tend to focus more specifically, “I’ve patched my systems, but how do I know I’m covered? Can I test to be sure?” (The short answer to that last part is yes. Testing is critical here, which is why SafeBreach Labs worked hard simulating these attacks.)
But people also just want to also know why this attack has garnered so much attention. The truth is, this isn’t a particularly sophisticated attack. In fact, I think it’s popular for all the wrong reasons:
It’s easy to explain
It’s widespread, and seems relentless
Regular people don’t trust “The Internets”
So besides the fact that it’s got all the high-drama things a story needs to make news, what’s really going on with WannaCry? While it’s certainly not good, this attack is really quite simple, and not much different from thousands of other attack campaigns that use worm-like behavior to infect many machines. Remember Conficker? Well What’s old is new again.
Worms are bad. Ransomware is bad. Stopping business, especially when literal lives are on the line, as in healthcare, is much, much worse. In no way am I suggesting that WannaCry isn’t a real threat. But it isn’t that novel, and it isn’t that sophisticated. Yet it still works.
And that’s the real lesson for all of us.
If we allow ourselves—through lack of proper patching, and inability to validate our security controls—to fall victim to these simple attacks, we should expect this kind of news to continue. The sensational headlines are masking the real issue: This is not a new problem. This is not a novel crime. It’s one we can get ahead of. We just need to realize that the power is in our hands.
It’s time to get proactive. Let’s get patching! And let’s also start validating security controls after a patch, update, config change. Let’s break this cycle of headline hype, and get back to business as usual!