The ransomware attack WannaCry may become the most widespread virus of all time. Sadly, there will be more similar attacks in the future, because the underlying trends that enabled WannaCry are continuing to advance.
What are the underlying trends, and what can we do about them from a leadership and policy perspective?
Trend #1 – The value of our online information is increasing.
The increasing value of online information is obvious, but despite the obvious importance, we are still struggling from a leadership and policy perspective with the transition of our risk management strategies from the physical to the logical domain. We clearly have a leadership and governance responsibility to do better. However, there is a disconnect that continues to exist between the Chief Information Security Officer (CISO) and the Board of Directors regarding cybersecurity. There is a gap in knowledge, but there is also a basic communication gap caused by differing perspectives. To close this gap, we need to do a better job of using existing cybersecurity frameworks (e.g. SANS 20, www.cisecurity.org/controls/) to give our board level conversations better context. We need to put the risks in the context of process maturity and material risks to the business as opposed to the number of attacks, threats blocked or systems patched.
Action: Your organization needs a CISO and a board level reporting framework and then a focus on continuing improvement. Good cybersecurity requires on-going investment and continual improvement.
Trend #2 – Nation state actors are spending more on cyberwar.
As the value of online information increases, cyberwar spending by governments is increasing. This is reflected in the budget for the U.S. Department of Defense, but enterprises are at a severe disadvantage as we are unable to spend sufficiently to defend against nation state actors. WannaCry highlights two of the most troubling aspects of cyberwarfare. First is the damage caused when flaws are found and exposed by highly funded government researchers, and the second is the criminal business model (ransomware) that has been enabled by bitcoin and other non-traceable cryptocurrencies.
Action: Security vendors need to continue to invest to improve our security development skills and vulnerability testing. We need to increase the public-private partnerships in cybersecurity, and governments need to share more with application and security vendors so they can patch vulnerabilities as opposed to leaving them as possible exploits.
Trend #3 – Business email compromise requires a balanced approach.
According to the FBI, ransomware attacks quadrupled in 2016 and will double again in 2017. These attacks are successful because they rely on the weakest link – our people. WannaCry has been so damaging because it doesn’t rely solely on email but rather uses worm-like code to propagate to unpatched computers on the network. Although it’s unclear how this ransomware attack started, most attacks penetrate corporate networks through malicious emails.
Currently, there is no silver bullet to stop these attacks. Defense against them begins with end-user education but also requires investment in tools to prevent them. Signature-based antivirus solutions have their place, but they are not good enough. Businesses should implement both gateway security and endpoint protection that not only use signatures but also look into the content and any intended behavior of any embedded code and links in the email to help block malicious content before it infects your network.
Action: Your organization needs an on-going, end-user education and training program and email gateway security and endpoint protection that use a multi-layered approach to defend against malicious code and business email compromise. Like your overall cybersecurity program, you should have a balanced approach to people and technology and business risks.
Is there hope for the future? Yes. The trends above will continue in the short- to intermediate-term. But, in the longer term, newer operating systems and applications are increasingly being designed and built with security in mind. The growth of cloud services and cloud-based security applications is making good security services more available to smaller organizations, and good security governance is beginning to take hold in many organizations. In a way, WannaCry demonstrates how effective even basic security best practices can be. Basic inventory and proper patching (SANS Controls 1-4) of your organization’s computers turned out to be the best defense against this particular attack. Of course, routine back-ups and archiving are also an important part of defense against ransomware.