Blog Post created by Alex Heidenreich, Principal Consultant
Over the weekend the worldwide spread of the WannaCry ransomware made headlines. The ransomware proved popular in both blog posts and mainstream media outlets for three reasons. Firstly, WannaCry leveraged an initial attack vector built upon the recently leaked NSA exploit tools, specifically ETERNALBLUE and DOUBLEPULSAR. Secondly, there was the novel news of a ‘kill switch’ being discovered by a young researcher in the UK, who triggered the kill switch and subsequently reduced the spread of the malware. Finally, the effectiveness of the campaign, particularly in the healthcare sector, and the rapid propagation of the malware through worm-like behaviour, ensured this event was worthy of widespread reporting.
Rather than take one of the existing news angles, let’s talk about the elephant in the room.
CEOs around the globe are scrambling to be briefed on WannaCry, perhaps under the illusion it represents a significant shift in the threat to their business. The cold, stark reality is much simpler.
Business Leadership is failing on cybersecurity.
To be brutally honest, WannaCry is nothing startling from a technical standpoint. Nor is it some kind of paradigm shift. The modus operandi is extremely common: leverage existing, well-known technical exploits, package them with a ransomware component, salt with some social engineering, profit.
Why is this so effective?
Perhaps it is because there is a generation of Business Leaders who fail to appreciate the responsibility they have to protect the information they are entrusted with, or reliant upon.
There is some evidence to support this.
Using the prism of WannaCry, we notice some increasingly common, critical failings.
The exploits leveraged in WannaCry were not unknown.
A patch was released prior to the development of WannaCry, and was available for every currently supported Microsoft operating system. The protocol leveraged in the attack is extremely dangerous to have exposed to the Internet, or internally on critical systems for that matter. Ineffective or non-existent backup strategies magnify WannaCry’s effectiveness once a foothold has been gained.
And here is where we sense the Leadership starts to break down. Before we look at the solution, let’s have the difficult conversation.
CEOs, CFOs and CIOs are well aware of the efficiency and productivity gains associated with information systems. There is a general consensus in the corporate community that information systems support business. The significant costs associated with upgrading software to newer, more secure versions, patching that software, and continuously assessing the defensive aspects of the information system ecosystem against evolving threats, are viewed as secondary costs to business. Said differently, there is an apathy towards the prioritisation of those costs, because the consequences of neglecting those costs are not readily apparent to most business leaders.
And then suddenly you are turning people away from the emergency room.
It’s moments like this when it starts to dawn on business leaders that perhaps their information systems have become so critical, and so intertwined with the business function of the organisation, that they have become the primary business function. Primary in the sense that without them, there is no business. This is a business dilemma that only the current generation of business leaders has had to comprehend, and to be brutally frank, most are ignorant of the issue.
If you are a business leader reading this post, pause for a moment now. Ask yourself: how much longer do you have before you need to take proactive measures to defend the interests of your stakeholders against common, albeit clever, criminal cyber-attacks?
The steps to protect your reputation and your business-critical information systems are straightforward. But they do require direct focus and drive from the senior leadership in every organisation. This is fundamentally not a technical problem. It’s a business challenge.
The steps you need to take are not new, nor are they obscure. It’s time to stand up and take charge.
Review and update your critical software systems.
Patch early, patch often. Invest in the resources it requires to do this effectively.
Have a backup strategy. Rehearse it.
Invest in staff training, awareness and assessment activities. Doing this continually will develop a secure, accountable culture.
Assess the exposure of your machines. Lock them down. Attention to detail.
Implement ‘need to know’ on your networks. Reducing permissions and access will slow the propagation of almost all ransomware attacks after an event has occurred.
Assess your external perimeter. What is exposed and why? Lock it down. Then test it. Then lock it down. Repeat periodically because the threat evolves.
Accept there is no panacea or silver bullet. Vigilance through people, process and technology, and a well-developed, realistically resourced cyber strategy and supporting action plan is the only holistic antidote.
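To make the ‘need to know’ point above concrete, here is a small blast-radius model added for this post (it is not code from the original article or from any product). The inventory of hosts, zones and credentials is entirely constructed, and the spread rule is deliberately abstract: a compromised host can reach another only if a network rule allows the flow and the attacker already holds a credential the target accepts. Comparing a flat network with broad admin logons against a segmented network with reduced permissions shows how the same initial foothold ends up in very different places.

```python
"""Added example (not part of the original post): a blast-radius model
showing how 'need to know' network access and reduced permissions limit
the spread of a self-propagating ransomware infection.

All hosts, zones and credential names below are constructed for
illustration. The model is abstract: a compromised host can compromise a
target only if (a) the network policy allows the flow between their zones
and (b) the attacker already holds a credential the target accepts.
"""
from typing import Callable, Dict, Set

Host = Dict[str, object]

# Constructed inventory. 'accepts' = credentials valid for remote access to
# the host; 'cached' = credentials recoverable from the host once it is
# compromised (for example because someone is logged in there).
HOSTS: Dict[str, Host] = {
    "reception-pc":  {"zone": "office",   "accepts": {"staff", "admin"},            "cached": {"staff"}},
    "hr-laptop":     {"zone": "office",   "accepts": {"staff", "admin"},            "cached": {"staff"}},
    "finance-pc":    {"zone": "finance",  "accepts": {"finance", "admin"},          "cached": {"finance"}},
    "file-server":   {"zone": "servers",  "accepts": {"staff", "finance", "admin"}, "cached": {"admin"}},
    "backup-server": {"zone": "servers",  "accepts": {"admin", "backup-admin"},     "cached": {"backup-admin"}},
    "mri-console":   {"zone": "clinical", "accepts": {"clinical", "admin"},         "cached": {"clinical"}},
}

FlowPolicy = Callable[[str, str], bool]


def flat(src_zone: str, dst_zone: str) -> bool:
    """Flat network: every host can reach every other host at the network layer."""
    return True


# Constructed 'need to know' flows: workstations may reach the server zone,
# nothing else. Workstation-to-workstation and server-initiated flows are blocked.
NEED_TO_KNOW_FLOWS = {("office", "servers"), ("finance", "servers"), ("clinical", "servers")}


def need_to_know(src_zone: str, dst_zone: str) -> bool:
    return (src_zone, dst_zone) in NEED_TO_KNOW_FLOWS


def least_privilege(hosts: Dict[str, Host]) -> Dict[str, Host]:
    """Return a copy of the inventory where 'admin' is never left cached on a
    host, i.e. administrators do not log on interactively to ordinary systems."""
    return {
        name: {**info, "cached": set(info["cached"]) - {"admin"}}
        for name, info in hosts.items()
    }


def blast_radius(initial: str, hosts: Dict[str, Host], allowed: FlowPolicy) -> Set[str]:
    """Compute the set of hosts compromised from 'initial' under a flow policy.

    Credentials are pooled: everything cached on a compromised host becomes
    available for the next hop. The loop runs to a fixed point because newly
    harvested credentials can unlock hosts that were unreachable earlier.
    """
    compromised: Set[str] = {initial}
    held: Set[str] = set(hosts[initial]["cached"])
    changed = True
    while changed:
        changed = False
        for src in list(compromised):
            for dst, info in hosts.items():
                if dst in compromised:
                    continue
                if allowed(hosts[src]["zone"], info["zone"]) and held & info["accepts"]:
                    compromised.add(dst)
                    held |= info["cached"]
                    changed = True
    return compromised


def compare(initial: str = "reception-pc") -> Dict[str, int]:
    """Number of compromised hosts under each combination of the two controls."""
    return {
        "flat network, broad logons":        len(blast_radius(initial, HOSTS, flat)),
        "need-to-know network only":         len(blast_radius(initial, HOSTS, need_to_know)),
        "need-to-know + least privilege":    len(blast_radius(initial, least_privilege(HOSTS), need_to_know)),
    }


if __name__ == "__main__":
    for scenario, count in compare().items():
        print(f"{scenario:32s} {count} of {len(HOSTS)} hosts compromised")
```

The intermediate scenario is the instructive one: segmenting the network alone still lets the infection harvest an admin credential from the file server and use it against the backup server, because the network policy permits workstation-to-server flows. Only when cached admin logons are removed as well does the backup server survive, which is exactly why the steps above pair access reduction with a rehearsed backup strategy.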