WannaCry, the recent devastating global ransomware attack, is now the largest of its kind in internet history. The attack has breached hundreds of thousands of computers in more than 150 countries, crippling a wide range of enterprises, from hospitals and universities to banks and warehouses.
In order to breach an enterprise, WannaCry and other forms of crypto-malware have been delivered in zip files, documents or executables from the web, in email attachments and on USB keys. Once WannaCry has infiltrated an organization, it moves laterally, holding computer networks hostage until a ransom is paid. I explained exactly how this process unfolded in a recent blog post:
The WannaCry crypto-malware variant uses the EternalBlue vector to move laterally in an organization. EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target. To attack a target, the attacker must be able to reach it across the firewall. If a compromised computer has mounted shares or knows how to reach an SMB server, the attacker can use this to propagate from the compromised device to the SMB server.
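A defender-side check for the lateral spread described above, added here as an example (it is not code from the article or from Bromium): a small Python detector that reads firewall log lines and flags any internal host that reaches many distinct peers on TCP/445 within a short window, the footprint an SMBv1 worm leaves when it crosses a segment boundary. The log line layout (timestamp, source, destination, destination port, action) and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the article): ts src dst dport action.
# 10.0.1.15 fans out to six hosts on TCP/445 inside one minute, worm-style;
# 10.0.1.20 is ordinary traffic (web plus two file-server mounts, minutes apart).
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.2.7 445 ALLOW
2017-05-12T10:00:02 10.0.1.15 10.0.2.8 445 ALLOW
2017-05-12T10:00:02 10.0.1.15 10.0.2.9 445 DENY
2017-05-12T10:00:03 10.0.1.15 10.0.2.10 445 ALLOW
2017-05-12T10:00:04 10.0.1.15 10.0.2.11 445 DENY
2017-05-12T10:00:05 10.0.1.15 10.0.2.12 445 ALLOW
2017-05-12T10:00:06 10.0.1.15 10.0.2.7 445 ALLOW
2017-05-12T10:00:10 10.0.1.20 10.0.2.7 445 ALLOW
2017-05-12T10:00:11 10.0.1.20 203.0.113.10 443 ALLOW
2017-05-12T10:00:12 10.0.1.20 203.0.113.11 443 ALLOW
2017-05-12T10:00:13 10.0.1.20 203.0.113.12 443 ALLOW
2017-05-12T10:05:00 10.0.1.20 10.0.2.8 445 ALLOW
"""

def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def smb_fanout(log_text, threshold=5, window_s=60):
    """Return {src: peak number of distinct TCP/445 targets} for every source whose
    peak within any sliding window of window_s seconds reaches the threshold.
    ALLOW and DENY lines both count: the fan-out itself is the signal, whether or
    not the firewall let each probe through."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, dport, _ = parse_line(line)
        if dport == 445:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> how many hits fall inside the window
        peak = left = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - timedelta(seconds=window_s):
                old = events[left][1]     # drop events that aged out of the window
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Running `smb_fanout(SAMPLE_LOG)` flags only 10.0.1.15 (six distinct SMB targets in one minute); the two legitimate mounts by 10.0.1.20 fall below the threshold.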
While the attack is now largely in the rearview mirror, ransomware is still very much a concern among enterprises. WannaCry has created a number of lessons in its wake, and it's important we take them into account in order to prevent an attack of this scale from happening again.
The first lesson is that quickly patching vulnerable systems is fundamental to stopping lateral spread in any organization. Next is that WannaCry, which was made possible by a leak of the NSA's hacking tools, served as the latest reminder that the good guys cannot keep vulnerabilities from falling into the wrong hands. But the most important takeaway is that humans will continue to cripple cyber security so long as human behavior continues to play such a prominent role in protecting the enterprise.
Although Microsoft publicly released a patch addressing this specific vulnerability weeks before, the thousands of personal computers displaying the now-infamous red ransom script illustrated that few had applied it as instructed. (Of course, it's not just humans that are to blame; it's the security paradigm. Windows XP users did not have this option, since XP has been unsupported for three years.)
As I said in my commentary on the attack, "As long as the industry continues to play this never-ending cat and mouse game of patchwork systems, sophisticated attackers will easily find ways to exploit the public in increasingly large-scale attacks such as this."
At Bromium, we released an industry study just a week before the WannaCry attack that underscored the point that humans continue to be the biggest threat to cyber security. We surveyed security professionals at the premier cyber security event, RSA Conference, as well as security professionals from the U.K. and U.S., and were shocked to find it's not just unsuspecting end users we need to worry about, but those tasked to oversee the security operation.
We found that on average, 10 percent of security professionals admitted to paying a ransom or hiding a breach without alerting their team. This means that for every 10 individuals on your team, it's likely that one of them has committed this act of subterfuge. (Someone might have even done it for WannaCry.) Keep in mind, these are only respondents who were willing to be forthcoming about their behavior; if every security professional came forth about their behavior, I would expect this to be an even more alarming statistic.
There are several reasons why these undisclosed dealings are taking place on such a considerable scale. One is that ransoms typically aren't that expensive. While paying $300 takes a cut of your checkbook, it is a small price to pay to maintain your professional reputation.
This leads into the main reason why professionals are hiding breaches: getting owned is embarrassing. No one wants to face ridicule from co-workers or be reprimanded by their boss. But keeping these secrets from employers puts the enterprise at tremendous risk. Not only have you let someone into the network, but you've left a backdoor for the next breach, which is likely to be more complex. This finding not only speaks to the growing sophistication of cyber attacks, which are fooling those being paid handsomely to prevent them, but also to how we continue to underestimate the role humans play in cyber security.
The study also uncovered another deeply troubling finding: on average, 35 percent of security professionals admitted to bypassing their corporate security settings. No one is surprised when employees avoid security settings (at this point, it's a given), but it is disturbing to see irresponsible decisions being made within the security department. When you can't trust what's happening on the front lines, it means the model is broken.
If there is one thing we should take away from the fallout of WannaCry, it's that we are overdue for a reset in this industry. There is greater urgency than ever to map trustworthiness into technology, not humans. Cyber security solutions should eliminate human error, not enable it.
Enterprises need to embrace security that takes the burden off the end user and ensures IT and security teams protect their business assets and data. Of course, the positive corollary to doing that is that end users go back to getting their work done without constraints placed on them by the security team.
While the potential losses from WannaCry are staggering, my hope is that it will be a net positive for the industry that inspires sweeping changes across the board. Human nature is a variable that cannot be controlled, and as this episode demonstrated, it will continue to wreak havoc if left unfettered. This attack should serve as a watershed moment that resets the security paradigm and actually embraces human behavior rather than trying to change it.
Simon Crosby, co-founder and CTO of Bromium
Human nature Is crippling cyber security - ITProPortal