Shadow Brokers lessons: First, don’t panic
When security experts pored over the latest cache of stolen NSA tools, they saw a catastrophe. The Shadow Brokers had included compiled binaries exploiting vulnerabilities in multiple Windows operating systems, including Windows XP, Windows Server 2003, Windows 7 and 8, and Windows 2012.
“This isn’t a data dump, this is a damn Microsoft apocalypse,” Michael Hickey, co-founder of British security consultancy Hacker House said on Twitter.
A security researcher confirmed via email that the exploits worked, meaning that this Friday surprise was shaping up to be a serious headache for Windows administrators. Then came the twist: The same security researcher reached out a few minutes later to note he was unable to replicate his findings.
We now know why—because Microsoft had already patched the vulnerabilities, so the exploits didn’t work on updated systems. Only those tools targeting end-of-life platforms like Windows XP, Windows Server 2003, and IIS 6.0 still worked because those platforms no longer received security updates.
This pattern of panicked frenzy followed by cooler heads realizing the situation isn’t so bad is becoming all too familiar. The same cycle happened a few weeks ago when WikiLeaks released its Vault 7 hacking tools allegedly used by the CIA. There’s a lesson here for IT and security teams, and it has nothing to do with hacking tools: Stick to the security basics, and you can skip the panic.
Patch, patch, patch
Install security updates as soon as they are available. Everyone knows this rule, but there’s a reason why it’s repeated ad nauseum. The lag time between when patches are released and when systems are updated is still too long. Too many systems get compromised because a year-old update was never applied, not due to a zero-day vulnerability.
Many enterprises require some time to test and prepare the patches and thus can’t deploy them the day they are released, but IT teams should try to roll them out within days or weeks, not months.
Sometimes the delay is due to organizational politics, and it’s out of IT control. Perhaps the server is considered too critical to risk downtime as part of a scheduled maintenance window. Perhaps business stakeholders refuse to update software because they rely on a specific feature that’s available only in an older version of the software. These recent disclosures provide a clear illustration of why patching matters —and why it works—so the time is ripe to win internal support for a more responsible patching policy.
Don’t hang onto legacy products
Nine of the exploits the NSA tools targeted applied to currently supported versions of Windows, and five hit vulnerabilities that had been patched years ago, with one dating back to October 2008 and another before the release of Windows Vista in 2007, according to Microsoft’s analysis of the situation. The remaining four exploits were patched in March.
The three exploits that targeted vulnerabilities in platforms that were no longer supported, including Windows XP, Windows Server 2003, Microsoft Exchange 2007, and IIS 6.0, were the part of the Shadow Broker dump that posed a real IT problem. These exploits don’t affect Windows 7 and later or Exchange 2010 and newer.
“Customers still running prior versions of these products are encouraged to upgrade to a supported offering,” Phillip Misner, the principal security group manager at Microsoft Security Response Center, urged in the advisory. Microsoft ended extended support for Windows XP in April 2014, Windows Server 2003 and IIS 6.0 in July 2015, and for Exchange 2007 this month.
When Windows XP entered end-of-life, security experts warned holdouts that refused to move to newer platforms would be at risk for future attacks since there will be no more updates for the platform. That is exactly what’s happening here. Now that the prospect of older platforms being targeted is no longer only speculation, IT and security teams need to protect lingering legacy systems or develop a plan to finally migrate the applications to a more modern and secure alternative.
IT needs to pay attention to these dates and make plans instead of hanging on to legacy platforms long past their expiration dates. Microsoft ended support for Windows Vista, and Windows 7 is out of mainstream support, although extended support won’t end until January 2020. Microsoft will end mainstream support for Windows 8 in January 2018. Keep these dates in mind.
Know what you have
IT needs to know whether it has have legacy systems in the infrastructure, how they can be reached, and who has access to them. There needs to be clear visibility on the operating systems and software installed so that IT knows which ones need to be updated when patches are released. A complete and detailed asset inventory means IT has less reason to scramble to find out whether the latest vulnerability disclosure affects the organization.
Cybercriminals rely on the lag time between when updates are available and when they are actually applied to carry out their attacks, and government hackers aren’t so different.
Last year, Rob Joyce, the head of the National Security Agency’s elite hacking group Tailored Access Operations, downplayed the importance of zero-days in a Usenix Enigma keynote, saying, “Take these big, corporate networks, these large networks, any large network—I will tell you that persistence and focus will get you in, will achieve that exploitation, without the zero-days,” Joyce said. “There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.”
Skip the mental whiplash next time. Don’t worry so much about the zero-days. Instead, get the basics down.