Reactions to WannaCry Ransomware

Here are some quick thoughts on the WannaCry ransomware threat that emerged this past Friday [L.A. Times, Bloomberg, etc], as I get ready for the work week.

  • I wouldn’t want to be the person in the office of the CISO who wrote a security exception for Windows XP this week
  • The Shadow Brokers disclosure of this vulnerability isn’t what enabled this attack, it’s the lack of disclosure from everyone who knew about it but didn’t tell Microsoft.
  • It sure would be nice to have an easy way to see what computers are and aren’t patched against the vulnerabilities swiped from the NSA toolkit. Or to work for a software company that sold a solution that could give you that information (I don’t).
  • PAN discussed how the attack spreads after getting past a perimeter. I’d encourage anyone with a micro-segmentation solution to make sure that they’re mitigating the methods of attack spread.

Angel Villar Garea, a VMware Systems Engineer, has a video out on how to block the spread using NSX.

How about physical machines? While platforms like NSX provide increased security via hardware VTEPs, I don’t think we yet have a mature way to push down security controls to the physical switch that the desktop is plugged into. Or the WiFi router. Again, in my view, the strength of a platform like NSX is it’s ability to integrate with next generation physical firewalls from other vendors to extend security policies to the physical world.

WannaCry is only the latest ransomware to come along. It’s probably only the first to leverage to tools from the Shadow Brokers leak of stolen US Government zero-day attacks. What are you doing in your organization to block the next one?

Photo by bbearnes