Think back for a second to the late 1990s (if you were alive and in the workplace), when every so often the nightly news included some vaguely apocalyptic-sounding reference to a computer virus sweeping the globe. It was inevitably some flaw in the Windows operating system, and once it was addressed we'd breathe a sigh of relief and move on until the next wave of malware crashed onto the shore.
Over time, anti-malware protection improved, and so did Windows and the other operating systems. Built-in mitigations like Address Space Layout Randomization (ASLR) made OS flaws harder to exploit, so attackers moved on to the next big thing, web applications, which lend themselves to targeted attacks rather than serving as a cyberweapon of mass destruction.
Now, in one stunning attack, we've been transported back to the 90s and the days of mass attacks. In one 24-hour period, the ransomware attack known as WannaCry impacted 10,000 organizations and 200,000 individuals in at least 150 countries. It spread by exploiting a known flaw in the Windows SMB file-sharing service, one that Microsoft had patched for supported versions of Windows two months earlier but not for Windows XP, an OS that went end-of-life in 2014 yet is still a mainstay of many business and personal computers.
There are almost too many takeaways from this attack, but one of the primary realizations has to be that our current system of patching known flaws and protecting against zero-day attacks simply does not work. And the attackers building the next WannaCry-style attack know that.
Every security professional is aware—but perhaps their bosses do not fully appreciate—that modern software is riddled with flaws that allow hackers to be successful. Each time a patch is released, it’s a sprint to see who reaches the finish line first: the security teams applying an update or the hackers who immediately add the new exploit to their automated scanners seeking vulnerable systems to attack.
Whether endpoint or server side, the problem is the same. No human can keep pace with the number of vulnerabilities discovered and the patches required to keep systems secure in a reasonable timeframe at a reasonable cost. Fully rolling out a patch can take weeks, months, or years depending on the amount of custom code and the complexity of the software (and of the organization).
Then there is the related issue of unsupported software at the core of mission-critical processes and applications, especially in large enterprises. The exception to the rule is the organization that runs only current software versions and is fully up to date with security patches. There is no readily available quantitative data that defines the scope of this issue, but anecdotal evidence abounds.
In the WannaCry attack, the nexus was a known Windows flaw for which no patch existed on Windows XP. Wildly popular and widely used, Windows XP was sunset in 2014 after 12 years, but it remains in use, and the attack prompted Microsoft to reopen the long-dead product to issue a patch, along with one for Windows Server 2003.
You can find the same issues with Java- and .NET-based web applications. Large enterprises especially get locked into a loop: they can't update the underlying platform, say from Java 6 to Java 7 (or 8), without breaking the application; they can't upgrade the application without upgrading the platform; and they can't rewrite the application without spending months (or years) and millions of dollars. And so the applications continue to run on platforms that are out of public support, with vulnerable code that can be exploited.
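The "no quantitative data" point above is one a security team can at least answer for its own estate. The following is an added example, not code from the original article: it audits a constructed host inventory against an end-of-support table and a maximum patch age, so that the XP and Java 6 cases described above surface as distinct findings from a merely stale but still-supported host. The inventory rows, the reference date, the 30-day patch-age threshold and the end-of-support dates are all assumptions for illustration; replace the dates with the vendor's published lifecycle dates before relying on them.

```python
"""Audit a host inventory for end-of-support platforms and stale patch levels.

Added example (not from the original article). The inventory lines and the
end-of-support table are constructed for illustration.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import date
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Assumed end-of-public-support dates keyed by (product, version).
# Illustrative values: verify against the vendor's lifecycle pages before use.
END_OF_SUPPORT: Dict[Tuple[str, str], date] = {
    ("windows", "xp"): date(2014, 4, 8),
    ("windows", "server2003"): date(2015, 7, 14),
    ("java", "6"): date(2013, 2, 1),
    ("java", "7"): date(2015, 4, 1),
}

# Constructed inventory (CSV): host, product, version, date the last patch was applied.
INVENTORY = """\
host,product,version,last_patched
billing-01,windows,xp,2013-09-10
hr-app-02,java,6,2012-11-30
web-03,windows,10,2017-05-09
legacy-db-04,windows,server2003,2015-06-01
portal-05,java,8,2017-04-18
file-06,windows,7,2017-02-20
"""

# Assumed reference date for the constructed data (a few days after WannaCry).
REFERENCE_DATE = date(2017, 5, 15)


@dataclass
class Finding:
    host: str
    product: str
    version: str
    days_past_eol: Optional[int]  # None means the platform is still supported
    days_since_patch: int


def parse_inventory(text: str) -> List[Dict[str, str]]:
    """Parse the CSV inventory into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def audit(rows: List[Dict[str, str]], today: date,
          max_patch_age_days: int = 30) -> List[Finding]:
    """Return one Finding per host that is past end-of-support or has not
    been patched within max_patch_age_days. Worst hosts come first:
    unsupported platforms (longest past end-of-support), then stale ones."""
    findings: List[Finding] = []
    for row in rows:
        key = (row["product"].lower(), row["version"].lower())
        eol = END_OF_SUPPORT.get(key)
        days_past_eol = (today - eol).days if eol and today > eol else None
        days_since_patch = (today - date.fromisoformat(row["last_patched"])).days
        if days_past_eol is not None or days_since_patch > max_patch_age_days:
            findings.append(Finding(row["host"], key[0], key[1],
                                    days_past_eol, days_since_patch))
    findings.sort(key=lambda f: (f.days_past_eol is None,
                                 -(f.days_past_eol or 0),
                                 -f.days_since_patch))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts a manager can act on: unsupported platforms vs. merely stale patching."""
    return {
        "unsupported": sum(1 for f in findings if f.days_past_eol is not None),
        "stale_patch_only": sum(1 for f in findings if f.days_past_eol is None),
    }


if __name__ == "__main__":
    results = audit(parse_inventory(INVENTORY), REFERENCE_DATE)
    for f in results:
        status = (f"{f.days_past_eol} days past end-of-support"
                  if f.days_past_eol is not None else "supported")
        print(f"{f.host:14} {f.product}/{f.version:11} {status}; "
              f"last patched {f.days_since_patch} days ago")
    print(summarize(results))
```

The two categories matter because they need different remedies: a stale but supported host is a patch-management failure, while a host past end-of-support has no patch to apply and needs isolation, compensating controls or replacement. Feeding the script a real inventory export (CMDB, endpoint agent, or a scan) turns the anecdotal evidence into the numbers the text says are missing.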
I routinely tell people that, as a community, we don’t have a problem identifying vulnerabilities. We have great tools to do that. What we have is a problem securing new and older vulnerable software.
We need to dramatically accelerate the transition to the next set of solutions that can address these issues through automation, virtualization, microservices, and other proven and emerging technologies. The burden of patching can be dramatically reduced and the useful life of software can be extended – all without the time-consuming action of updating code.
It’s these newer technologies that will send mass attacks back to the 1990s where they belong.