Gartner Blog Network

After WannaCry, what next?

by Jonathan Care  |  June 12, 2017

WannaCry (which spread using ETERNALBLUE, the leaked SMBv1 exploit) has been paused, for now, thanks to heroic efforts from security practitioners around the world (and congratulations to @malwaretech for registering the “kill switch” domain!). So, what’s next?

In a word, Linux.

Expanding on that, we must be aware of the many embedded systems that run Linux: routers, POS terminals, a great deal of medical equipment, TVs, cameras and pretty much every smart device you can think of, as well as web platforms in the cloud and within the organisation.
Open Samba ports
This graphic is from a Shodan search for machines running Linux with open Samba ports. A lot are reported (and probably more are hidden from a simple scan view). Recently, news appeared online of a younger sibling to the sensational ETERNALBLUE: a remote code execution vulnerability in Samba, the SMB implementation used by Unix and Linux systems, dubbed ETERNALRED (aka SambaCry, CVE-2017-7494). The bug has been present since Samba 3.5.0, released in 2010, and has only recently been fixed, in the 4.6.4, 4.5.10 and 4.4.14 releases; older branches are end-of-life and will not receive a patch, so hosts running them must be upgraded or isolated.

Kaspersky are reporting that their honeypots are picking up malware using ETERNALRED, and that this time, instead of ransomware, the payload is a cryptocurrency miner.
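A first-pass triage check for the SambaCry exposure described above, written for this page as an added example (it is not code from the original post, from Gartner, or from the Samba project). It takes a Samba version string as it appears in a Shodan banner or in `smbd -V` output, decides whether it falls in the CVE-2017-7494 affected range (3.5.0 up to the fixed 4.4.14 / 4.5.10 / 4.6.4 releases, with the end-of-life 3.5 to 4.3 branches never patched), and optionally parses an smb.conf to see whether the vendor workaround, `nt pipe support = no` in the `[global]` section, is in place. The version banner, sample config and the labels `not_affected`, `vulnerable`, `mitigated` and `unknown` are this example's own assumptions. Exploitation also needs a writable share and knowledge of the server-side path, which a banner cannot tell you, so treat the result as a prioritisation aid rather than proof of exploitability.

```python
"""Triage helper for SambaCry (CVE-2017-7494 / ETERNALRED).

Added example; not part of the original blog post or of Samba itself.
Fixed releases per the Samba security advisory: 4.6.4, 4.5.10, 4.4.14.
Versions from 3.5.0 up to those fixes are affected; the 3.5 to 4.3 branches
were end-of-life at the time and received no upstream fix.
"""
import re
from typing import Optional, Tuple

FIRST_AFFECTED = (3, 5, 0)
# branch -> first fixed version in that branch
FIXED_IN = {(4, 4): (4, 4, 14), (4, 5): (4, 5, 10), (4, 6): (4, 6, 4)}


def parse_samba_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from strings such as 'Samba 4.3.11-Ubuntu'
    or 'Version 4.6.2'. Returns None when no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: Tuple[int, int, int]) -> bool:
    """True if the version lies in the CVE-2017-7494 affected range."""
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    # 3.5 .. 4.3: affected and never patched upstream.
    # 4.7 and later: released after the fix, not affected.
    return branch < (4, 4)


def has_pipe_workaround(smb_conf: str) -> bool:
    """True if [global] sets 'nt pipe support = no', the documented workaround
    that closes the named-pipe path used to load an attacker's shared library.
    The same key in a share section does not count."""
    section = None
    for raw in smb_conf.splitlines():
        # smb.conf comments start with '#' or ';'
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower().replace(" ", "") == "ntpipesupport":
                return value.strip().lower() in ("no", "false", "0")
    return False


def triage(banner: str, smb_conf: str = "") -> str:
    """Combine version check and config check into one verdict."""
    version = parse_samba_version(banner)
    if version is None:
        return "unknown"
    if not is_vulnerable_version(version):
        return "not_affected"
    if has_pipe_workaround(smb_conf):
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample config for demonstration; not from a real host.
    SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   nt pipe support = no   # SambaCry workaround
[share]
   path = /srv/share
   writable = yes
"""
    # Constructed sample banners, modelled on the format Shodan reports.
    for b in ["Samba 3.0.28", "Samba 4.3.11-Ubuntu", "Samba 4.6.2", "Samba 4.6.4"]:
        print(f"{b:22s} -> {triage(b):13s} with workaround: {triage(b, SAMPLE_CONF)}")
```

Run it against the banners exported from a Shodan or internal scan and sort on the verdict; anything reported as `vulnerable` on an end-of-life branch has no patch to wait for and needs isolation or upgrade, which is exactly the forgotten-system population the post is worried about.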

What you need to know

  • Are many organizations still vulnerable to new variants exploiting this vector?

Unfortunately so. The Shodan map above shows how many Linux machines globally are potentially vulnerable. Similar searches can be done for Windows (and as we now know, it's not only Windows XP that is vulnerable).

  • Top questions from clients after Wannacry?

WannaCry brought home to all of us that the basic hygiene factors of IT security still matter: vulnerability management, ensuring critical patches are applied (or isolating systems that cannot be patched), and, of course, reliable and resilient backups.

  • What are the challenges people are most worried about now?

One question that is on the radar of many CISOs is how to examine their security stance given the undeniable evidence of advanced attacks, which are increasingly being attributed to hostile nation-state attackers. It’s clear that the role of the CISO has evolved from being initially the defender of the castle walls to becoming the digital firefighter, and now must become the leader who ensures business survivability in the face of attack. Gartner’s Adaptive Security Architecture is a great model to consider.

  • Any particular industries or types of company that are most affected?

Industries across the board are vulnerable. I’ve talked above about IoT, web applications and cloud, and as we saw with ETERNALBLUE there are many vulnerable systems out there that have been forgotten. We have to take action and control, no matter what industry we’re in.

  • Can we explore more about the long term steps to ensure ongoing protection against similar attacks?

Long term, it’s definitely a case of ensuring the whole organisation realises that these advanced attacks are the new normal. It’s about adopting the Predict, Prevent, Detect, Respond mindset that is outlined in Gartner’s Adaptive Security Architecture. This means making sure that:

  1. Basic infrastructure protection steps are taken.
  2. Application development follows a secure development lifecycle.
  3. Fraud managers are vigilant for misuse of the organisation's brand in phishing campaigns.
  4. Incident responders are trained, ready and empowered to deal with crisis situations, and are also able to move the organisation back from crisis into normal operation.




Category: blockchain  breach  cybersecurity  malware  

Jonathan Care
Research Director
1 year at Gartner
22 years IT Industry

Jonathan Care's expertise includes payment systems, cybersecurity, fraud detection and prevention applications, authentication, identity proofing, identity theft, and insider threats. He also covers the PCI compliance program, tokenization and the security aspects of payment systems.


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.