The recent WannaCry ransomware outbreak clearly highlighted the importance of keeping operating systems and other applications up to date to protect against known vulnerabilities. Given the high level of news coverage, it is likely that many of us went home and updated our home PCs, and also checked with our IT departments to make sure they had done the same with company machines. The outbreak, in my opinion, highlights a number of critical issues.
The vulnerability in this case had been previously identified and a patch made available by Microsoft; had every machine in the world been patched, the impact would have been minimal. But what if the vulnerability had not been previously identified? In that case the attack would have been a “zero-day” attack, exploiting an unknown vulnerability. The vulnerability would then have had to be identified, and a patch coded and released, all after the initial infection. Under those circumstances the impact of the ransomware would likely have been far more significant than it was.
The WannaCry ransomware was specific to machines running Microsoft operating systems. This has already prompted a number of comments online suggesting that people switch to Linux or Apple because these weren’t affected, implying that they may be safer systems. Microsoft’s Windows has the predominant share of the desktop and laptop markets, although exact figures are difficult to ascertain. This makes Microsoft machines a preferred target simply because there are more of them to attack. Although there are differences in how the operating systems are managed, with Apple using a very closed development process and Linux an open source approach, Apple’s OS, Linux and Microsoft’s OSs are all equally complex. It is in this complexity that the risk of as yet unidentified vulnerabilities lies, and that risk is equal across all of the above OSs. The difference today is that Windows is the most common desktop OS; if we were all to go out and buy an Apple or install Linux, it is likely the threat of attack would follow the masses.
My final issue is that of the devices we don’t give much thought to. We think about the operating system of our laptop or desktop, and these days of our phone, and in thinking about these we carry out, or fail to carry out, the required updates. Our homes, however, increasingly contain more and more internet-enabled devices, and I would suggest we don’t give these the same level of thought. My router, with which I connect to the internet, runs software in order to connect, to present an admin page and to provide other functionality. This software is essentially its operating system. Your smart TV runs an operating system which allows it to respond to your voice commands, search the internet and carry out its other functions. Your web-connected home surveillance system runs an operating system which allows it to connect to cameras around your house and lets you connect in to view footage remotely, again along with other functions. And what about your wireless printer? The above is the tip of an ever-growing iceberg, but do we know how to upgrade the software in these devices to protect against known vulnerabilities? Do we know whether these devices update automatically, or how to change the update settings? Do we know how to check the version number, or when the last update was done?
Microsoft called the recent attack a “wake-up call”. I tend to agree. We need to be more aware of the implications of using each item of technology, be it hardware or software. We need to be aware of the risk to which that usage exposes us, as well as the precautions we need to take.
My biggest takeaway from the whole incident is a reminder of what Nassim Taleb described in “The Black Swan”. On Thursday 11th May all was well: systems were generally safe and precautions were in place. By and large we didn’t expect a serious worldwide cyber incident. By the following day it was clear that all was not well and that significant vulnerabilities existed. A global cyber incident was underway. A lot changed in a day, and we didn’t do too well at predicting and preparing for it. What shape will the next incident take if we can’t predict it? And are the areas where we believe we are safest the ones most at risk, given that we are unable to predict the unexpected?