In the aftermath of WannaCry, our concept of the network has to change
By now, everyone has heard about WannaCry, the ransomware attack that made headlines on Friday May 12th and continues to show up in various forms. In a nutshell, this ransomware has impacted more than 200,000 systems worldwide and its variants are likely to continue to cause problems.
With organizations spending millions a year on security infrastructure, how could such an attack be carried out on such a vast scale? To answer that question, we should look at the past.
Well before the new millennium, Sun Microsystems coined the phrase, “The network is the computer,” and it perfectly encapsulated the era in which the local area network reigned. The state of the art in computing was in the power of sharing resources such as file and print servers on a LAN. Protocols including Microsoft’s Server Message Block (SMB) were developed primarily for LAN environments with an explicit assumption that the internal network was safe and protected from the outside.
That brings us to this week’s news: the global WannaCry attack owes its rapid proliferation to SMB. Once the worm had breached the corporate network, it propagated laterally from one unpatched internal Windows system to the next, relying on exactly the trusted-LAN assumption baked into the protocol.
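The lateral SMB spread described above leaves a recognisable footprint in network flow data: one internal host opening connections to many distinct internal hosts on TCP/445 within a short window. The script below, an added example that is not part of the original post or of Zscaler's own tooling, parses a few constructed flow records and flags any internal source whose distinct SMB fan-out inside a sliding window exceeds a threshold. The record format, the internal address ranges, the window length and the threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flow records (not real traffic):
# timestamp  src_ip  dst_ip  dst_port  proto
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.1.2.15 10.1.2.20 445 tcp
2017-05-12T10:00:02 10.1.2.15 10.1.2.21 445 tcp
2017-05-12T10:00:02 10.1.2.15 10.1.2.22 445 tcp
2017-05-12T10:00:03 10.1.2.15 10.1.2.23 445 tcp
2017-05-12T10:00:03 10.1.2.15 10.1.2.24 445 tcp
2017-05-12T10:00:04 10.1.2.15 10.1.2.25 445 tcp
2017-05-12T10:00:10 10.1.2.40 10.1.2.5 445 tcp
2017-05-12T10:00:11 10.1.2.40 10.1.2.5 445 tcp
2017-05-12T10:00:12 10.1.2.41 10.1.2.5 445 tcp
2017-05-12T10:05:00 10.1.2.50 93.184.216.34 443 tcp
"""

# Assumed RFC 1918 ranges standing in for "the internal network".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
SMB_PORTS = {445, 139}  # direct-hosted SMB and NetBIOS session service


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), proto.lower()))
    return flows


def detect_smb_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Flag internal sources reaching >= threshold distinct internal SMB
    targets within any window-sized span of time (worm-like fan-out)."""
    smb = sorted(
        (f for f in flows
         if f[4] == "tcp" and f[3] in SMB_PORTS
         and is_internal(f[1]) and is_internal(f[2])),
        key=lambda f: f[0],
    )
    by_src = defaultdict(list)
    for ts, src, dst, _port, _proto in smb:
        by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        start, peak = 0, 0
        # Sliding window over time-sorted events for this source.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts.append({"src": src, "distinct_targets": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_fanout(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT: {alert['src']} reached {alert['distinct_targets']} "
              f"internal SMB targets within one window")
```

Only the source that sweeps six neighbours in a few seconds is reported; the two hosts talking repeatedly to a single file server are ordinary LAN traffic and stay below the threshold, which is the distinction a detection like this has to preserve to be usable.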
The Internet is the new corporate network…
The cloud has changed everything. Applications are in the cloud, data is stored in the cloud, and users are accessing these resources from everywhere, making the internal network barely distinguishable from the external network. The security infrastructure built to protect the internal network no longer works when the people and assets that used to be on that network have gone.
We have to treat the Internet as the corporate network and apply security and access controls accordingly. And as we rethink this network, we must focus on some core best practices:
- Enforce user authentication and access controls before any systems are accessed; users are mobile and their access should be based on who they are, not what network they are on
- Turn on advanced threat prevention techniques like sandboxing for all Internet traffic
- Ensure data center firewalls restrict inbound connections to corporate resources
- Manage policies centrally without exception to ensure that a user’s policy follows them
The Zscaler threat research team (ThreatLabZ) addresses these issues in the context of WannaCry and ransomware in a series of thought-provoking blogs: