Agencies dodge WannaCry bullet, but legacy IT still jeopardizes networks

Clark Campbell is vice president for public sector at BDNA, a provider of enterprise IT data solutions.

Federal agencies’ networks emerged from the WannaCry ransomware attack in May relatively unscathed, largely because of policies requiring swift installation of critical software patches. But agencies should not take comfort from that.

Many federal networks today, wittingly or not, host countless known cyber vulnerabilities that serve as enabling access points for ransomware and other attacks. In fact, on May 11, the day before WannaCry was unleashed, the White House underscored this point in a new executive order on cybersecurity.

“Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies,” declared President Donald Trump’s “Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” “Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.”

The vulnerability at the root of WannaCry, which affects older versions of the Microsoft Windows operating system, was known and understood within the cybersecurity community when it came on the scene. Microsoft even took the unusual step of releasing a critical advisory and security patch to fix this vulnerability in its older software products two months before WannaCry emerged.

A quick and compliant response to that Microsoft advisory appears to have spared federal networks from WannaCry’s damage. But that was a special case. Microsoft and other IT vendors don’t normally issue such special warnings or patches on older software. Organizations using software and hardware that is end-of-life (EOL) or end-of-support (EOS) are typically on their own to defend themselves.

I have worked with dozens of federal agencies that have conducted IT asset inventory scans on their networks, and they typically find that 35 percent to 55 percent of their hardware and software assets are EOL or EOS. Federal officials are aware of this problem and are highly concerned, as the new cyber executive order illustrates. Former federal Chief Information Officer Tony Scott said that more than $3 billion in federal IT assets will become EOL between 2016 and 2019.

White House Cybersecurity Coordinator Rob Joyce said he was surprised that the WannaCry attack did not compromise federal systems given how outdated many of them are.

“If you told me a week ago that we’d have some massive worm and it would be pervasive on old technology and effective in that space … I would have told you, ‘We’ll absolutely suffer under that,’” he told reporters.

It’s important to understand that the most frequently exploited cybersecurity vulnerabilities, catalogued as Common Vulnerabilities and Exposures (CVEs), date back years in many cases, and federal networks are rife with outdated assets that carry them. Hackers and malware continue to exploit these vulnerabilities successfully because EOL and EOS software and hardware live on in many organizations’ networks, with or without the knowledge of IT staff.

Many federal agencies do not proactively manage end-of-life network assets for various reasons. They may be reluctant to spend limited resources on something that works, even if it is nearing or past its end-of-life date. They may be simply unaware of all the EOL and EOS assets on their networks. Or, refreshing IT assets may take a low priority in the eyes of senior leadership when competing against other agency projects.

Whatever the reason, organizations are sure to face higher costs and risks if they fail to establish and follow a disciplined process to transition end-of-life devices out of their network. Effectively managing EOL/EOS software and hardware requires that agencies adopt sound cyber hygiene practices and employ actionable data in their cyber risk-mitigation activities.

Cyber hygiene refers to the practices that agencies and their employees work into their day-to-day routines that greatly reduce opportunities for cyber attackers to be successful. Cyber hygiene includes well-known practices such as using high-quality passwords and changing those passwords regularly; installing security software on digital devices; patching and configuring software as needed; and training employees on proper cyber etiquette. But it also includes proactively replacing IT assets before they become EOL or EOS and continuously ensuring that IT assets meet agency security policies. IT research firm Gartner has said that organizations that anticipate the obsolescence of IT assets and employ asset life-cycle management can reduce costs, increase utilization and improve asset performance while improving overall budget predictability.

How do organizations know what assets they have on their networks that are approaching or past their EOL and EOS dates? They employ actionable data, which is machine-derived intelligence that guides federal security staffs in their risk-mitigation efforts. A big problem many agencies have today is an overabundance of IT data that is simply not useful to security professionals. Countless arrays of IT asset and cybersecurity tools provide agencies with data about what is on their networks, but those tools each use different reference models for labeling software and hardware assets. The result for federal security teams is a jumble of data and no single source of truth about what is on their networks.

Very few federal security teams today, for example, have comprehensive views of the EOL and EOS status of assets on their networks or have data to help prioritize those vulnerabilities for risk-mitigation efforts. And without this kind of actionable data, agencies cannot transition their cyber postures from reactive to proactive.

Obtaining actionable, comprehensive data on the EOL and EOS status of an enterprise’s IT assets requires the ability to merge, normalize and deduplicate data collected from myriad IT asset management tools and endpoint cybersecurity tools, and then to overlay that data with market intelligence that identifies EOL and EOS information for every IT asset. While that may sound difficult, many agencies are doing this today.
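The merge, normalize, deduplicate and overlay steps described above can be sketched in a few lines of Python. This is an added example, not code from the author or any vendor; the two tool exports, hostnames and alias patterns are constructed for illustration, and the function names are hypothetical.

```python
import re
from datetime import date

# Constructed sample exports from two hypothetical tools that label the same assets differently.
SCANNER_A = [("FS01.agency.example", "Microsoft Windows Server 2003 R2 Standard SP2"),
             ("ws-114", "Microsoft Windows XP Professional"),
             ("ws-201", "Microsoft Windows 7 Enterprise")]
ENDPOINT_B = [("fs01", "win2003"), ("WS-201.agency.example", "Windows 7 Ent x64"),
              ("kiosk-9", "WinXP Pro SP3"), ("hvac-ctl", "vendor firmware 2.1")]
# Single reference model: label patterns mapped to one canonical key (illustrative, not exhaustive).
ALIASES = [(r"server\s*2003|win2003", "windows-server-2003"),
           (r"windows\s*xp|winxp", "windows-xp"),
           (r"windows\s*7|win7", "windows-7")]
# End-of-support overlay (Microsoft's published dates); a real catalog covers every product.
EOS = {"windows-server-2003": date(2015, 7, 14), "windows-xp": date(2014, 4, 8),
       "windows-7": date(2020, 1, 14)}

def canonical_product(label):
    """Normalize a tool-specific label; None means unrecognized, never a guess."""
    for pattern, key in ALIASES:
        if re.search(pattern, label, re.IGNORECASE):
            return key
    return None

def canonical_host(name):
    """Assumption: short hostnames are unique, so 'FS01.agency.example' and 'fs01' are one asset."""
    return name.split(".")[0].lower()

def merge(*sources):
    """Merge and deduplicate (host, label) records; a later tool may fill in an unknown product."""
    inventory = {}
    for records in sources:
        for host, label in records:
            key = canonical_host(host)
            inventory[key] = inventory.get(key) or canonical_product(label)
    return inventory

def eos_report(inventory, as_of, warn_days=3 * 365):
    """Overlay EOS dates: past-eos, approaching (within warn_days), supported, or unknown."""
    report = {}
    for host, product in sorted(inventory.items()):
        days_left = (EOS[product] - as_of).days if product in EOS else None
        status = ("unknown" if days_left is None else "past-eos" if days_left <= 0
                  else "approaching" if days_left <= warn_days else "supported")
        report[host] = (product, status)
    return report

if __name__ == "__main__":
    print(eos_report(merge(SCANNER_A, ENDPOINT_B), date(2017, 6, 1)))
```

Assets that land in the `unknown` bucket matter as much as the flagged ones: they are records no reference model recognized, which is exactly the blind spot the paragraph above describes.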

The WannaCry attack and the new executive order remind us how fundamental basic cyber hygiene and actionable data are in the fight to secure federal networks. The new cyber executive order requires that each agency report on the risk mitigation and acceptance choices they have made, including accepted risk from unmitigated vulnerabilities. To do that, agencies need comprehensive and actionable data explaining what EOL and EOS assets they have on their networks so they can make informed decisions about what to remove from their networks and what risks are worthwhile.

There are many efforts under way across government to address current and future cybersecurity challenges. All are necessary and have their merits. But the most cost-effective steps agencies can take today to reduce the wide spectrum of risks posed by EOL and EOS assets are to beef up cyber hygiene programs and develop their capabilities to produce actionable cybersecurity intelligence.