The Wannacry malware and the variants that came shortly thereafter, targeted platforms with known vulnerabilities specifically running operating systems that had been retired many years earlier.
Microsoft for example, has a defined lifecycle policy on its products. The first milestone is end of Mainstream Support. Mainstream support mainly refers to free phone and online support, as well as non-security updates that are offered for five years after the release of an OS or two years after its successor hits the market. Hopefully by that stage you will have upgraded to a new version of the OS.
The next phase is that of Extended Support where all product support is limited to self service knowledge base and FAQs and paid options.
But as we saw with Windows XP, it can be difficult to get people to move on. Extended support for Windows XP ended on April 8, 2014. At the time, however, approx. 28 percent of global PCs were still running the outdated OS, not to mention organisations like hospitals and critical infrastructure such as ATMs.
Windows 7 is currently in Extended Support phase and will continue to receive security updates until Jan. 14, 2020.
You can now fully appreciate how the Wannacry malware spread so quickly targeting older XP desktops that hadn’t received any security updates for years.
And then this gem comes along…..XP machines running our most important utilities and yes, that includes nuclear come under cyber threat !!!!
It does take me back to the time Stuxnet announced itself to the world. But its not a state actor that we should be now worried about. The vulnerabilities specific to XP and Windows 7 are now so well known thanks to the release of those secret NSA documents, that even a 15 year old kid in a basement can bring havoc to our important infrastructure.
So to all those tired, overworked IT operations teams – don’t despair. The finger is pointing directly at your execs and not you !! Following the impact of the Wannacry malware and its long lost family on IT systems globally, there should be no C-level exec that hasn’t put the effort in, to walk down to IT operations and place a cheque book on the table and utter those impeccable words – “What do you need ?”
So start preparing. Build out your cyber strategy, run those vulnerability assessments and do what ever is necessary in preparation for that important milestone. And of course to help the process along, share the vulnerability and risk assessments with those execs and dare them to ignore the perils !!
Haha, maybe not – just encourage them to read and scrutinize it very carefully !
by Con Lokos