By now, everyone has heard about WannaCry, the ransomware attack that made headlines on Friday 12 May and continues to show up in various forms.
Today, this ransomware has impacted more than 200,000 systems in what was a virulent campaign, with Microsoft Windows vulnerabilities being targeted in the Microsoft Server Message Block (SMB) v1.0 protocol. As predicted, organisations will continue to observe different variants of the initial dropper in the wild that are leading to further WannaCrypt ransomware infections.
From all of this, one question remains: how, with organisations spending millions a year on security infrastructure, could such an attack be carried out on such a vast scale? In order to provide a definite answer, we must analyse the past and how we got to where we are today.
When the network was the computer
Before the new millennium, Sun Microsystems coined the phrase, “The network is the computer,” and it perfectly encapsulated the era in which the local area network reigned. The state of the art in computing was in the power of sharing resources such as file and print servers on a LAN. Protocols including Microsoft's Server Message Block (SMB) were developed primarily for LAN environments with an explicit assumption that the internal network was safe and protected from the outside.
Today's corporate networks and, sadly, the current remote access VPNs connect networks together – which is no longer an ideal situation but a potential attack vector. This common infrastructure means that even if users are sitting at home and connected on a VPN, they will still become victim to a SMB (Server Message Block) scan- the main protocol that enabled the rapid proliferation of the WannaCry malware. Once the WannaCry “worm” had breached the corporate network, it propagated laterally joining the dots from one internal unpatched Windows system to another. So, in a world where everything is connected, for good reason, how do we stop the WannaCry “worm” from moving pillar to post and causing devastating damage?
The Internet is the new corporate network…
We first must acknowledge, when it comes to the network that the cloud has changed everything. Applications are in the cloud, data is stored in the cloud, and users are accessing resources from everywhere, making the internal network barely distinguishable from the external network.
The security infrastructure built to protect the internal network no longer works when the people and assets that used to be on that network have gone. An entire re-think is therefore necessary if we are to remain secure.
The solution to stop the WannaCry “worm” is to have true isolation. A network is a means for clients to find servers, or users to find applications. Any more trust in the network is bound to lead to more doom and gloom than we currently face. Putting authentication and access controls ahead of any asset discovery — which is a big piece missing in DNS, SMB, SRV and port scan — ensures that lateral movement can happen only if authentication has been granted. No granted lateral movement means no multiple infections.
The mechanism of authentication before discovery is the basic building block for ensuring that traffic is initiated only by a client to a server, and never the other way around. In this scenario, a PC getting hacked without the user knowing becomes far more difficult. Should a breach occur, the infected machine, which isn't connected to the corporate network, will no longer be contagious ensuring it cannot infect any other clients or servers that were not mounted.
Re-thinking the traditional
To take the fight back to WannaCry, organisations must enforce user authentication and access controls before any systems are accessed; users are mobile and their access should be based on who they are, not what network they are on. In addition, firms must continue to ensure advanced threat prevention techniques like sandboxing are in place for all Internet traffic moving forward. Ensuring data centre firewalls restrict inbound connections to corporate resources is also a key technique that must be implemented to ensure security against these evolving threats in the longer term.
Now more than ever, organisations must treat the Internet as the corporate network and apply security and access controls accordingly.
Only when the industry begins to rethink the network and re-evaluate best practices will adequate security be in place to protect corporate assets and the ultimate health and longevity of businesses worldwide.
Contributed by Jay Chaudhry, CEO, chairman and founder, Zscaler
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.