"Wait, can you explain that again?"
I was ready to close out the Webex call when instead a break in the silence reshaped my security ethos. "Wait, can you explain that again?"
It was March 2017, and pre-pandemic remote meetings were audio only. I was used to speaking into the void; I couldn't read body language or watch jaws drop among the 20-odd IT managers listening to my monthly presentation about software patches.
The March presentation included a demo of a decade-old Microsoft exploit called netapi (MS08-067, IYKYK), which allows a "specially crafted network packet" to execute code with administrative privileges on a Windows Server 2003 system in its default configuration. Typing a few commands into my Linux terminal resulted in a Windows command prompt and the ability to install malware.
The manager on the call was shocked that I had never entered the password for the system, and that the password was irrelevant to the exploit. He was an experienced IT manager responsible for thousands of critical systems making money for the company. He had never been clearly shown the impact of a failure to patch.
Up until this moment, I had assumed that everyone measuring risk was a CISSP with gobs of knowledge. Surely everyone could read a security bulletin, infer how severe it was, and articulate what types of threats would use it. The question from that manager, and the follow-up that came after it, showed me the need for more effective communication about security.
The netapi exploit was patched long ago and does not apply to newer operating systems, but it demonstrated the risk of that type of exploit. One of the security bulletins in March 2017, MS17-010, fixed an SMB vulnerability that also affected Windows systems in their default state and that was later exploited by a tool dubbed ETERNALBLUE. I directed the corporate IT managers to expedite patching it on any applicable systems, knowing that the network was a target-rich environment. It was only a matter of time before a threat actor leveraged this vulnerability in some kind of worm.
The company accelerated deployment of the March 2017 patches. When May rolled around and the news cycles spun up about a ransomware strain called WANNACRY causing damage to organizations like Nissan and the UK National Health Service, I was able to confidently tell the CISO that we would be unaffected.
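"Expedite patching on any applicable systems" only works if you can tell which systems are still exposed. The following PowerShell snippet is an added example, not code from the original post, of the kind of check an IT manager could run across the Windows hosts they own: it asks each host which MS17-010 hotfixes it has installed and whether SMBv1 is still enabled, and it exploits nothing. It assumes PowerShell remoting is enabled, that the caller is a local administrator on the targets, and that `$Hosts` is filled in by the reader; the KB numbers are taken from the MS17-010 bulletin but should be confirmed against it for your own OS mix, because later monthly rollups carry the same fix under different KB numbers.

```powershell
# Added example (not from the original post): MS17-010 exposure check across a host list.
# Assumptions: WinRM/PowerShell remoting is enabled on the targets and the caller is a
# local administrator on them. $Hosts below is a placeholder the reader fills in.
$Hosts = @('server01', 'server02')

# KB numbers published in the MS17-010 bulletin for the listed OS families. Confirm the
# list against the bulletin: later cumulative rollups contain the same fix under other
# KB numbers, so "no KB found" means "check manually", not "vulnerable".
$Ms17010Kbs = @(
    'KB4012598',               # Vista / Server 2008 (XP / Server 2003 got it out-of-band in May 2017)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 (and Server 2016)
)

$results = Invoke-Command -ComputerName $Hosts -ArgumentList (,$Ms17010Kbs) -ScriptBlock {
    param([string[]]$Kbs)

    $os = (Get-CimInstance Win32_OperatingSystem).Caption

    # Which of the bulletin's KBs does this host report as installed?
    $installed = Get-HotFix |
        Where-Object { $Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # Get-SmbServerConfiguration only exists on Windows 8 / Server 2012 and later;
    # on older hosts we report 'unknown' rather than guessing.
    $smb1 = 'unknown'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Patched hosts are done; hosts with SMBv1 off are mitigated but still need the fix;
    # everything else needs a human to look at it.
    if ($installed)             { $status = 'patched' }
    elseif ($smb1 -eq $false)   { $status = 'smb1-disabled' }
    else                        { $status = 'CHECK' }

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        OS          = $os
        Ms17010KBs  = ($installed -join ',')
        SMB1Enabled = $smb1
        Status      = $status
    }
}

$results | Sort-Object Status | Format-Table Host, OS, Ms17010KBs, SMB1Enabled, Status -AutoSize
```

The output gives an IT manager a per-host list to act on rather than a bulletin to interpret, which is the communication gap the story above is about. Treat every `CHECK` row as unpatched until proven otherwise, and remember that disabling SMBv1 reduces the exposure but is not a substitute for installing the update.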
I incorporated more cyber demos in the following months, always relating them to new patches and vulnerabilities in the news. The internal audience grew, and to date no vulnerabilities have caused problems. My drive in security changed from finding the most advanced exploits to understanding why different security threats exist and showing people the best way to prevent them.
If you need help understanding what threats you need to defend against, reach out today!