Consideration on the “WannaCry” cyber attack

Everyone is aware of the maxi cyber attack on May 12, 2017, which the media have wide reported (still going on). IT companies and professionals have begun to use the “WannaCry” ramsomware attack as a pitch tool to sell security products, which is absolutely understandable and even right. The problem is another: saying that patching the Windows vulnerabilities and then get a “branded” antivirus will ensure you quiet sleeps, only provides a harmful misinformation about why that happened hiding the real “cyber security” issue’s root cause. The malware “WannaCry” is just the tip of the iceberg, and if enterprises want avoiding to go from “WannaCry” to “MyCompanyWillDie”, board management & risk committee have to adopt a different approach.  The problem is not the inadequate antivirus or firewall, or the unpatched system (measures which are obviously necessary), but the root cause is the insufficient and inadequate IT governance. Culture of security has to be adopted by the top management and carefully applied (and educated) at all levels (top-down), and the accountable role (whether it’s CISO, CIO, etc.) must have same decision power as CFO / CEO’ roles, in order to enable security by design (as required by the coming EU GDPR), thus integrating into any business process, whether it is decision-making, project-related or operational, security and data privacy fundamentals.

Line of Defense Against Risk (source: Cobit 5)

It is unacceptable that nowadays there are known critical vulnerabilities that have not been timely patched (and, consequently, unmanaged). It is no longer just a question of “risk of data loss”; the risk today is far greater, a cyber attack has the potential to cause catastrophic damages in our digitalized world. Unfortunately, most of the time, security isn’t applied in a timely and right manner, resulting completely ineffective and inadequate, and its management often relies on people and functions that don’t own the appropriate skills (example of lack of competences: firewall + antivirus = we are safe). One of the major issues, too, is the lack of knowledge by the employees of the basic security concepts, being them the first bearers of IT threats. To decrease that risk, companies must have systems and processes in place to train and educated their employees periodically, in order to significantly increase knowledge and put in place the most effective defense system: knowledge, which is the strongest factor to prevent IT threats.

There is a need for radical change in the approach: proper governance is needed, well-educated senior professionals who play important roles in the company, established and certified processes to assess and manage risks. Politics and governments need to do much more, proposing laws and rules to establish culture and awareness to enable adequate cyber security governance. The new EU GDPR is already a good example, but we are still a long way from establishing a sufficient level of awareness related to cyber security. It’s necessary to act promptly to change an obsolete culture of risk management, in order to avoid falling into dangerous situations that might already jeopardize not only the business of enterprises, but also critical services such as the provision of electricity or health care services which ensure people’s lives.

Danilo Becca

Managing Director – Nymphaea Group GmbH

Test your awareness (free test):

Nymphaea Free Test

WannaCry additional info:

Windows Patch to install: MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)

(Vulnerabilities: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148)

Infection status (last 24H)
https://intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all

General information
ransomware-attack-uses-nsa-0-day-exploits-to-go-on-worldwide

 

By | 2018-05-29T17:43:03+00:00 May 15th, 2017|Cyber security, Governance & Management, Malware|