photo by Christiaan Colen
Security experts have long warned that any system can be hacked if targeted with sufficient resources.
Most of them are too busy mopping up the damage of the “WannaCry” ransomware attacks to take much pleasure in saying they told us so, but at least they have a memorable anecdote to drive home such warnings in the future.
The ransomware attacks, which have so far affected over 150 countries, used tools that researchers believe were stolen from the National Security Agency. The malicious software encrypted files on infected computers and demanded a payment in bitcoin for their return. If the payment arrived before a deadline, the files would be decrypted; otherwise the ransom amount would increase and, eventually, the hackers would delete the files.
Online security breaches on a small scale are a recurring hazard of modern life. In February, news broke that content delivery network CloudFlare accidentally leaked customer data, prompting services such as Uber, FitBit and OKCupid to urge users to change their passwords to ensure their accounts remained secure. In April, the business chat program HipChat informed users that a vulnerability in a third-party library it used had made its customers vulnerable; the developers automatically reset all user passwords and promised to follow up with any customers whose data may have been compromised. On a larger scale, in early May a sophisticated phishing attack targeting Gmail users was passed from user to user like a nasty case of flu.
But the global ransomware attacks dwarfed other recent breaches. The Wall Street Journal reported that the last comparable cyberattack was the Conficker worm, which wreaked havoc in late 2008. This is partially because worms, which automatically spread to each new computer they connect with, fell out of favor as hackers found targeted attacks more productive and less conspicuous. Using a worm to spread ransomware is a new and worrying approach, computer security experts have said.
A researcher in the U.K. managed to drastically slow WannaCry’s spread by discovering and activating a “kill switch” built into the software. Yet he and other technology experts have warned that the attackers could easily build a workaround if they chose, suggesting that vulnerable systems could still be at risk. Copycat software, too, is a real concern. In the meantime, the ransomware hit targets as widespread as British hospital systems, the French automaker Renault SA, a swath of Chinese gasoline stations and FedEx Corp.
Some business owners and managers may be disheartened by repeated high-profile attacks like the recent outbreak of ransomware. If even the NSA cannot keep its top-secret tools out of hackers’ hands, what hope do other organizations and individuals have? Yet that is the wrong lesson, or at least an incomplete one. A very talented thief could theoretically break into even the most secure building, but many if not most thefts are pure crimes of opportunity. In the same way, perfect online security is not possible, but most enterprises – especially those that are smaller and do not carry a high profile – can take measures to make themselves less inviting targets and to keep their data relatively safe.
The most basic precaution is one everyone knows but not everyone puts into practice: Back everything up. Businesses should back up data comprehensively, regularly and frequently. Moreover, it is wise to back up to multiple locations. For instance, businesses may back up data to both the cloud and physical drives that can be kept off-site. In many cases backups should also be encrypted, in case they fall into the wrong hands.
A recent and complete backup will render ransomware in particular much less fearsome, since the potential loss is minimized. Most experts recommend (as with other sorts of hostage-taking) that targets resist meeting hackers’ ransomware demands. Some of the reasons carry over from other types of hostage situations; businesses will not want to label themselves as “soft targets” for future attacks and should not fund further criminal activity by giving in to ransom demands. In addition, a recent report found that many organizations that paid ransoms – nearly one in three of those studied – still did not recover their files. The best way to deal with ransomware is to prepare long before any computer in your system is infected.
In addition to creating backups, organizations should take care to keep all software up to date. The ransomware attacks exploited a Microsoft Windows flaw – one that Microsoft issued a patch to fix as far back as March. Many organizations remained vulnerable, however, for a few reasons. Many enterprises do not allow operating systems to update automatically, as individual users’ machines typically do. Because these organizations fear such patches could create systemic problems, they carefully test new patches before applying them. In this case, the problem with waiting over eight weeks to apply a security fix is sadly self-evident.
The other major problem was that Microsoft does not routinely issue security patches for older versions of Windows, including Windows XP. While Microsoft has not sold Windows XP for over a decade, many large organizations worldwide continue to use it. Microsoft does offer “custom support” for out-of-date platforms, but the service is expensive and many organizations do not bother to pay. Any Windows user with an out-of-date operating system can now download the patch, though it will not remove the malware from infected computers. Keep your operating system up to date, and when weighing the cost of switching to a new system, factor in the price of keeping an older system secure.
Operating systems are not the only software that requires security updates, either. Applications, routers and other hardware, and even internet-ready devices like security cameras and thermostats should be promptly and regularly updated. Many manufacturers of such devices do a poor job of updating software to address security holes, but when a patch is available, use it.
Of course, no discussion of data security would be complete without touching on passwords. Experts regularly advise using a unique password for every site. Given the number of logins the average internet user requires, though, it is impossible for the average person to memorize that many passwords and unreasonable to expect them to try. Luckily, technology exists to address this dilemma.
Cryptography techniques like hashing, with or without the use of a “salt” to further randomize the input, allows organizations to make even a laughably insecure password like “123456” harder for an automated tool to crack. HipChat, for instance, uses the bcrypt algorithm to obscure user passwords. Such tools are generally employed on the vendor side in order to keep users’ data secure.
Tools also exist on the user end to solve the problem of keeping track of passwords without compromising security. Password manager software can automatically generate complex and unique passwords across a variety of services. These applications solve the problem of simple or duplicate passwords, and circumvent the dreaded “sticky note on a monitor” method. Security token authentication is another option, used by itself or in tandem with a password manager. Multi-factor authentication combines passwords with a one-time message to a phone, a rolling token on a USB stick, or even a biometric measure such as a fingerprint or retinal scan. Such systems make it much harder for hackers to gain access through a data breach or brute force password attack.
Combining password security tools on the user and vendor sides, along with the use of additional protection such as firewalls or network security devices, is an example of “defense in depth.” Even deep defenses can be cracked with enough effort, but many prospective intruders will just seek easier targets.
As technology advances, organizations should remember to account for human fallibility. Whether it means clicking on an emailed link they should not have or failing to update an operating system promptly, people make mistakes that can compromise security. Taking as many protective steps as possible, in advance, can reduce the risk of wanting to cry later.