It's 2022. Why do you keep using SMB?
During the last 25 years, companies have relied on SMB protocol to allow them to collaborate and centralize corporate documents. These are the good old shared drives we all know well.
Let’s take a look back at this technology for some good background.
The history of SMB (and why it's no longer relevant)
Server Message Block (SMB) is a communication protocol that was originally created by IBM and was used by Microsoft in its LAN Manager product during the mid-1990s. SMB 1.0 was renamed CIFS (Common Internet File System) and Microsoft submitted some partial specifications to IETF as drafts, though these submissions have since expired. The initial goal was to provide shared access to files and printers across nodes on a network. In other words, it was made to collaborate and share data internally in order to avoid ending up with N versions of documents, as well as optimize resource consumption. It was a good idea, but the protocol proved to be weak, adding a number of issues depending on the size of the files shared, the location of each collaborator, latency, etc.
The latest iteration, SMB 3.1.1, was introduced with Windows 10 and Windows Server 2016. This version introduced support for AES-128 GCM encryption in addition to the AES-128 GCM encryption added in SMB3 and implemented a pre-authentication integrity check using SHA-512 hash. SMB 3.1.1 also made secure negotiation mandatory when connecting to clients using SMB 2.x and higher. This technology was quickly adopted by most companies around the world because of the obvious benefits. At the time, infrastructures based on SMB started growing in size and complexity, which made SMB 3.1.1 a key technology to support the business.
But now, the world has changed, and from a company point of view, SMB based services are no longer the key service, for two reasons:
- There’s a wide range of mature solutions that are based on more modern and scalable protocols, starting with WebDav, going thru SharePoint and ending the trip at the doors of all major providers like Google, AWS, Oracle or MS.
- The amount of budget, time and human effort that an on-premises infrastructure requires for maintenance, redundancy and scalability is becoming painful compared to modern SaaS solutions.
WannaCry changed the game
In addition, we have our good old friends, the CISOs, that have been trying to enhance and unify the authentication methods supported by the technologies in place within their companies for a long time. They are charged with the duty to keep the company data safe, always required to minimize the impact on users from the adoption of enhanced security tools and methods. CISOs want to get rid of Delegated Accounts to perform Kerberos SSO. It’s not safe if any account is compromised.
They all remember the stressful times five years ago when they heard about the word WannaCry for the first time. In 2017, a well-known group of hackers introduced the WannaCry worldwide cyberattack that took advantage of CIFS' weaknesses to spread ransomware, targeting systems running Windows OS by encrypting the data inside and demanding a ransom payment, always in Bitcoin cryptocurrency.
This attack was developed based on ExternalBlue exploit and stolen from a US Intelligence Agency, and eventually leaked. SMB file servers were the main target to demand a payment. It was an inflection point that made any security professional with internal or external customers seriously think about moving away from legacy infrastructures and authentication methods and toward a zero trust strategy.
And the pandemic changed it again
Now the story keeps getting more interesting with the pandemic. According to Europol, the COVID-19 pandemic has made organizations like hospitals, governments and universities more conscious about losing access to their systems and more motivated to pay the ransom. Criminals are taking advantage of this situation by:
- running faster and more ransomware attacks
- recruiting collaborators to help them maximize their impact, and
- offering ransomware-as-a-service on the dark web
The issue is not going to be resolved unless we remove the weak vectors that many companies still expose. Many companies have moved to more modern solutions than SMB, but it’s going too slow, again, for a number of reasons.
- Internal development requires initiative, budget and expertise, and not all companies can afford a massive improvement on the development techniques they put in place.
- Kerberos Constrained Delegation is good enough for many customers to enhance the UX that users enjoy to access legacy services and apps.
- Virtualization ROI is still pending for many companies that invested in this strategy (very price, by the way) so IT doesn’t get approval or budget is shifted to other areas.
Now that you have the whole picture, that you know the challenges derived from on-premises backends based on SMB, the lack of features compared to other more modern but affordable solutions (with MFA and biometrics), the challenge for CISO to enhance authentication methods and UX, I want to ask you:
Why do you keep using SMB?