WannaCry, the biggest cybersecurity news story so far in 2017, raised a number of interesting questions about industry ethics and security best practices, specifically:
- Whether governments should stockpile vulnerabilities for their own use rather than disclose them to vendors.
- Whether vendors are responsible for security updates for systems that have reached end of life.
- Why people and organizations fail to patch or upgrade their operating systems.
Starting with stockpiling vulnerabilities. I’m a firm believer in the full disclosure of vulnerabilities as soon as they’ve been discovered. That’s because this approach gives users the ability to assess their own level of risk, and therefore make an informed decision regarding the best course of action.
When any vulnerability is found, it’s highly likely that someone else has already identified the same one. So delaying disclosure to users serves only the vendor and any attackers who already know about that vulnerability. This is an unacceptable outcome when the users are the very people we are working to secure.
To the second question, it’s my view that vendors cannot, and should not, be expected to support systems indefinitely. As long as notice is provided, they cannot be held responsible for security updates for systems that have reached end of life.
Lastly, the reason people and organizations don’t patch or upgrade their operating systems is that they are concerned doing so will break them.
What WannaCry has clearly demonstrated, however, is that in many instances these systems are already broken, leaving people with two options: either upgrade and fix your systems to begin with, or pay the ransom and then upgrade and fix your systems anyway.
WannaCry also demonstrated that simple security practices such as patching, upgrading and applying network access controls still provide excellent protection. These measures might be boring, but they do the job.