WannaCry: Is this a Watershed Cyber Security Moment?

As I watched the news, I was struck by the inaccuracy of much of the initial coverage of the massive wave of ransomware attacks that surfaced on 12 May. Even my partner thought that the National Health Service (NHS) computers, as well as other targets around the world, were being intentionally targeted by a coordinated global cyberattack.

The truth was far worse. This was no more than an infection designed to take advantage of environments that failed to have even the most basic of cyber security protection in place.

This malware, known by various names including WannaCry and Wanna Decrypt0r, is understood to have originated from a leak of the US NSA cyber tools. However, the leak and the malware tools were widely known about. There were plenty of fixes available to prevent the malware from working.

To prevent this particular malware from operating, all organizations had to do was be running on a supported operating system that had applied the latest software updates. (The patch to prevent this malware from working had been released by Microsoft to their supported operating systems back in March).

Even if your computers were not patched, or were running an unsupported operating system, if your organization had selected a more effective anti-malware solution, that also would have been enough to prevent the malware from working.

Where the malware entered an unprotected computer on a network, it had the ability to then seek out other undefended computers on the same network. Almost like a red team identifying vulnerabilities, the malware highlighted organizations and computers that were running with unsupported operating systems, unpatched operating systems, wide open network topologies and less effective, or completely absent, anti-malware protection. One-by-one, the worst configured and maintained environments that received the malware started to experience substantial disruption.

The consequences of this event are devastating. The interruption has affected services that included the provision of healthcare services, and some healthcare staff have already alleged that this event is likely to have led to several unnecessary deaths due to many clinical services becoming temporarily unavailable. In fact, the ISACA publication on healthcare IT governance I had just finished drafting had included some statistics about how faulty technology in healthcare environments leads to hundreds of deaths and thousands of serious injuries each year, based just on the UK figures from the UK regulator MHRA (Medicines and Healthcare products Regulatory Authority – the UK equivalent of the US Food and Drug Administration).

So, will this event finally help cyber security practitioners that have failed to get buy-in from their management to make the changes they need? I hope so.

This event should be a wake-up call. The Internet is a dangerous place IF your computers and networks are not taking at least basic precautions.

For those executives who thought that because this type of event never used to happen, it never will, it is time for a rapid rethink while you still have an organization to protect.

Editor’s note: Raef Meeuwisse, CISM, CISA, is author of several cyber security publications, including “How to Keep Your Stuff Safe Online,” available at iTunes: https://itunes.apple.com/gb/book/how-to-keep-your-stuff-safe-online/id1212130763?mt=11&ign-mpt=uo%3D4

Raef Meeuwisse, CISM, CISA, Author, “Cybersecurity Exposed”

[ISACA Now Blog]

Ransomware: Healthcare Organizations Cannot Afford to Be Unprepared

I had just typed the last word of a new ISACA publication on governance of enterprise information technology for healthcare environments when today’s news on the National Health Service (NHS) ransomware attack broke.

As we now know (as of the time of this writing):
•  At least 16 UK National Health Service (NHS) trusts are affected, as well as unspecified other UK government departments and agencies
•  The malware used has been identified as “Wanna Decryptor,” which is preventable by some forms of anti-malware.
•  The action of the malware is to encrypt desktop-based files and position a ransomware message on the desktop and as a readme file.

The interruption of basic services such as email and network-dependent telephony (VOIP) can be devastating in healthcare environments. Targeted healthcare providers are particularly vulnerable to ransomware attacks. This is especially concerning, because according to ISACA’s global State of Cyber Security 2017 study, just half (53 percent) of organizations have a process in place to deal with ransomware attacks.

Most cyber attacks rely on basic deficits, such as not locking out administrative access, running unpatched operating systems or running ineffective anti-malware products.

My takeaway is this:

  • Organizations cannot afford to be out of touch with basic cybersecurity requirements. It is reported that many of the impacted systems were running operating systems that were no longer supported by their manufacturer, but were still connected to networks and managing email with no compensating controls.
  • Underinvestment in basic cybersecurity is a massive false economy. There is a danger that if budgets are looked at in silos, it can appear cheaper to leave vulnerable technologies in place without considering the huge cost impact of the operational interruption.
  • Some newer forms of anti-malware are now over 99 percent effective. Newer forms of anti-malware, some of which can also run on top of or alongside older anti-virus solutions, can now identify and block over 99 percent of malware, including polymorphic forms they have never seen. They do this by using a basic form of artificial intelligence and machine learning. They can even be configured to completely block power shell scripts for desktop environments.

As I finish this post, the news is still breaking, and the impact of this cyberattack appears to be targeting a much larger number of international organizations.

If you are not getting the traction you need for investment in basic cyber security measures, please use this as a valuable moment in time to give your management a wake-up call.

Raef Meeuwisse, CISM, CISA, Author, Cyber Security

[ISACA Now Blog]

The Vendors of My Vendor’s Vendor … What? … Wait? … I’m Confused?!

It is no secret that vendor management is one of the top security challenges we face today. But what compounds the challenge is not knowing the relationships beyond our direct vendors. What are the vendors of my vendor doing?

I don’t know what I don’t know
The scenario: A recent project was initiated by the business group that would greatly improve our customers’ experience with us as well as streamline internal processes. Great! But, and I know this is common with any organization, the assigned managers involved on the project are not trained in project management and most certainly are not focused on security issues.

We have vendor management report into the risk department so we are fortunate to have security “eyes” on it but, in this case, the vendor did not disclose that additional relationships would be required. It turns out that the additional vendors would be involved in processing funds and documents containing sensitive data. Isn’t that interesting? Now the vendor’s vendor, the one processing funds, has a vendor for backups and is backing up the sensitive data. So, my data is three vendors away and the PMs are shrugging their shoulders.

We were fortunate because we did have time to do our due diligence on those additional third-parties, but we might not be so lucky the next time and could find ourselves in damage control.

Here are three actions that will help with the vendor management security struggle:

  1. Stay close to home. What I mean is focus and hold your direct vendor accountable for the other, now required, vendors. They most likely will resist and say, “You need to do your own due diligence.” I would suggest you respond that part of your due diligence is understanding how they selected that company to partner with and what vetting and security reviews were performed. If they didn’t review the vendor’s security controls, how confident are you in their controls?
  2. Tie due diligence to the money. Require that due diligence be complete before issuing the P.O. If you don’t have ownership over vendor management, this might be a challenge. But write in your vendor management policy the requirement that all due diligence be completed prior to finance issuing the P.O. Project managers will be more motivated to dot the Is and cross the Ts if they know that the project could be delayed.
  3. Follow the guidance. Whether or not you’re in a regulated industry, modeling your vendor management program off guidance from large agencies with a breadth of experience will make for a stronger structure. At the core of this guidance is governance. And make sure that whatever risk you assign to your vendors, you communicate it to management and the board.

Brian Nesgoda, CISSP, SVP Risk Management/CIO

[ISACA Now Blog]

Data Loss Threatens M&A Deals

One of the most popular breakout sessions at Evolution17 featured a great merger and acquisition (M&A) scenario: Midway through the deal, critical information leaks, devastating the value of the deal. How can you figure out how much info leaked—by whom and to whom?

Here’s why that storyline was so riveting: 2016 saw more than $3.5 trillion in M&A deals. And the vast majority of those deals revolved around valuations of intellectual property (IP), which today makes up about 80 percent of a typical company’s value. If you’re a buyer organization, consider these questions:

  • Are you aware of all the IP within the target company?
  • Can you be sure all this IP will come with the deal?
  • Can you be certain it won’t leak to a competitor?

Data loss is a growing M&A problem
For most buyers, the answers to the questions above are no, no and no. This lack of visibility and security for the very assets a company is buying is startling, and it’s increasingly impeding the success of M&A deals. A 2016 survey of dealmakers found that about three in four M&A deals end up getting delayed—sometimes indefinitely—by data loss. Those that eventually get back on track often end up hobbled by missing data. Experts say this is a big part of the reason that 80 percent of M&As fail to achieve their potential or expected value.

M&A amps up the insider threat
Data loss is increasingly common in M&A for the same reason it’s increasingly common throughout the business world: More than half of all enterprise data now lives on endpoints, beyond traditional visibility and security tools centered on a network drive or central server. If the target company can’t see what its employees are doing with data on their laptops and desktops, then a potential buyer has near zero visibility. Couple that with the unique circumstances of an M&A deal and you’ve got a much higher risk of insider data theft. Laid-off employees freely take their endpoint data—sometimes for personal gain, other times just to sabotage their former employer. Those that do stick around tend to feel little loyalty toward their new company, lowering their inhibitions toward selling or taking data for personal gain.

There’s a better way to protect IP during M&A deals
IP is what an acquiring company is buying—the info that is critical to the value and competitive advantage gained through a deal. To make the most of an M&A opportunity, buyers need a better way to collect, protect and secure all data living on a target company’s endpoints—before, during and after a deal. Fortunately, with the right tools, a buyer can gain complete visibility of all endpoint data, take control of valuable IP and drive a deal to its most successful outcome.

Don’t let data loss sink an M&A. Read our new white paper, Best Practices for Data Protection During Mergers and Acquisitions.

Jeremy Zoss, Managing Editor, Code42

[Cloud Security Alliance Blog]

English
Exit mobile version