2017-06-02

Josh Zelonis is irritated. The senior analyst at Forrester Research got more frustrated every day that he read coverage of WannaCry, the ransomware strain that ravaged the Internet last month.

Much of the public conversation focused on the NSA, arguing that it shouldn’t have let hackers (a mysterious group called the ShadowBrokers) steal its treasure chest of tools. Zelonis says that the NSA is a red herring.

Companies shouldn’t be blaming the Agency, he says. The theft and subsequent disclosure of NSA tools that exploited the vulnerability may have made the attack easier, but it certainly wasn’t necessary, he argues. “This didn’t have to come from a ShadowBrokers drop.”

“One of the chief complaints I have about what happened is that Microsoft released a patch for this over 60 days ago, on March 14th,” he says. “At this point in time, the entire security industry was aware that there was a remote code execution vulnerability in SMB.”

In many cases, IT staff won’t have access to these systems, and their vendors won’t touch them. “In a 24/7 environment, how do you patch systems that you rely on that you don’t have access to? There are vendors that sold the equipment 10-15 years ago and may have gone out of business,” he adds.

James Scott, senior fellow at the Institute for Critical Infrastructure Technology in the US, agrees, calling healthcare one of the most vulnerable sectors.

“They have more Frankenstein IoT microcosms at each organisation, so even if they have a more secure part of their network, it may be made insecure by a vulnerable device that has been plugged into that network and has no security on it,” he says. That becomes a critical injection point for malware.

Even patching ordinary IT equipment, rather than specialist medical devices, can cause problems, though. In Australia, health authority Queensland Health inadvertently shut down the electronic health record systems at its hospitals after installing several software patches from firms including Microsoft, Cerner and Citrix, which were intended to combat WannaCry. The incident sent hospital wards back to using pencil and paper, reports said.