
Wannacry: A Shot Across the Bow

Although information security and cyber attacks seem to be a daily headline, several events and trends recently collided to produce some headlines with extra heat: WANNACRY RANSOMWARE RUNS RAMPANT! Even in a world used to fast-moving technology, the speed of Wannacry’s spread, and the high-profile nature of its victims, took many by surprise.


Despite the number of victims, we got lucky this time. The fortuitous discovery of a kill switch in the malware (the worm checked whether an unregistered domain name resolved, and stopped spreading once a researcher registered that domain) prevented further unchecked spread. That kill switch, however, is not an essential part of the Wannacry code; later variants simply dropped it, and the world will likely not be so lucky next time.

We’ve seen, however, a silver lining to ransomware in general, and to this attack in particular: More than any other attack type in recent memory, it’s gotten Boards of Directors, Senior Management, and other non-IT stakeholders to have a serious conversation about information security right now. That conversation is where IT-centric security starts to become real information security.

What is Wannacry, and How Did This Happen?

Wannacry is a type of Ransomware. Ransomware comes in increasingly varied flavors, but the underlying premise is the same: it encrypts the victim’s files with strong cryptography and holds the decryption key for ransom. With rare exceptions (a flawed implementation or a leaked key), decrypting the files without that key is not an option.

Learn more about how HR can protect against ransomware and other cyber threats at “Global Ransomware Attacks: Your HR and IT Emergency Prevention and Response Plan,” on Thursday, June 8, 2017.

Ransomware in general—and Wannacry is no exception—is an indiscriminate attack. The victims were not targeted. Rather, much like people who catch the common cold, the victims randomly came into contact with the infection and then got sick.

Wannacry’s rapid spread sits at the intersection of two hot news stories: the rise of ransomware itself, and the reported theft of hacking tools and exploits from certain government agencies. While experts are still sifting through the debris, it appears that Wannacry combined a standard ransomware payload with an exploit from the recently leaked archive (the exploit publicly known as EternalBlue). Think of the exploit as the missile and the ransomware as the warhead on top.

Because the exploit used a hole in Windows file sharing (SMB version 1, one of the basic protocols that lets network devices talk to each other), an infected machine could push the malware directly to every other unpatched Windows host it could reach on TCP port 445, with no user involvement at all. That is why Wannacry swept through corporate networks so quickly. As with many attacks, the hole was known: Microsoft had published a fix (security bulletin MS17-010) in March, two months before the outbreak, but many, if not most, networks remained unpatched.

What Should Companies Be Doing Now?

First, and most obviously, patch the hole that Wannacry exploited. But, that’s just closing one of a million doors that the attackers can use. Which takes us back to the conversation we hope that companies are now having about how to prepare for and mitigate attacks.
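For the patching step above, a practitioner wants a concrete check rather than a hope that Windows Update ran. The PowerShell below is an added example written for this page, not code from the article or from Microsoft. It assumes an elevated prompt on a Windows host, and that the KB identifiers listed are the ones Microsoft’s MS17-010 bulletin assigns to each operating system; confirm them against the bulletin for your exact builds, since later cumulative updates also carry the fix under different IDs.

```powershell
# Added example: triage one Windows host for the hole Wannacry used.
# 1) Is the MS17-010 fix installed?  2) Is SMBv1 still enabled?
# 3) Optionally disable SMBv1 and block inbound TCP/445.
# Run from an elevated PowerShell prompt.

# KB IDs as listed in the MS17-010 bulletin per OS (assumption: verify against
# the bulletin; cumulative updates that supersede these will not match).
$Ms17010Kbs = @(
    'KB4012598',              # XP / Server 2003 / Vista / Server 2008 / Windows 8
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217', # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Patched {
    # Returns $true if any MS17-010 KB shows up in the installed-hotfix list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $installed | Where-Object { $Ms17010Kbs -contains $_ }
    if ($found) {
        Write-Host "MS17-010 fix present: $($found -join ', ')"
        return $true
    }
    Write-Warning 'No MS17-010 KB found. Check Windows Update history before assuming the host is exposed.'
    return $false
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: SMBv1 is on unless the SMB1 registry value is 0.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v) -or ($v.SMB1 -ne 0)
}

function Disable-Smb1AndBlock445 {
    param([switch]$AlsoBlockInbound445)

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Older hosts: the documented registry switch; takes effect after a reboot.
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
    }

    # Where SMBv1 is an optional component (Windows 8.1 / 10), remove it entirely.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    if ($AlsoBlockInbound445) {
        # A workstation that is not a file server has no reason to accept SMB from
        # the network; this closes the door Wannacry walked through even if SMBv1
        # gets re-enabled later.
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# --- Usage ---
$patched = Test-Ms17010Patched
$smb1    = Test-Smb1Enabled
Write-Host "MS17-010 patched: $patched ; SMBv1 enabled: $smb1"
if (-not $patched -or $smb1) {
    Write-Warning 'Host is exposed to the Wannacry propagation path. Patch, then run:'
    Write-Warning '  Disable-Smb1AndBlock445 -AlsoBlockInbound445   # on hosts that need not serve SMB'
}
```

Two caveats before running the remediation half across a fleet: disabling SMBv1 breaks access to legacy devices (old NAS boxes, printers, scanners) that speak nothing newer, so inventory those first; and the firewall rule is deliberately a blunt instrument, appropriate for workstations but not for file servers or domain controllers, where the right answer is patching plus network segmentation rather than blocking port 445 outright.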

That conversation starts with recognizing two key facts. First, more and more potentially serious attacks are not targeted: stop thinking snipers, and start thinking “common cold.” Second, technology alone will not stop these attacks. Yes, prompt application of the available patch would have stopped the exploit Wannacry used, but there are no good technical “walls” against ransomware in general.

The conversation then has to continue:

  • Data Mapping—What data do we have, and where do we have it? Most companies don’t really know the full inventory of what they need to protect, or where they need to protect it.
  • Who’s responsible for protecting our data? Is it internal IT? External vendors? Finger-pointing after the fact is a poor substitute for prevention.
  • How do we improve security against these types of attacks? Your big wins are not buying more technology. Rather, increasing employee awareness, empowering employee involvement in security, and enhancing information processes provide much bigger gains.
  • How do we respond when something happens? Response is as much a part of information security as having a trained fire department is part of fire prevention. Buildings catch fire, but they don’t have to burn to the ground; your information will be attacked, but it doesn’t have to be a show-stopping crisis.
  • Can we get insurance for this? In a word, “yes.” Many cyber insurance policies cover extortion, including ransomware payments and financial mitigation of ransomware’s effects. The key is getting a knowledgeable cyber insurance broker.

Attorney Nelson presents Global Ransomware Attacks: Your HR and IT Emergency Prevention and Response Plan on June 8 and Practical Response to Cyber Warfare: Mandatory Steps for Safeguarding Proprietary, Sensitive, and Confidential Data in the Hacking World of Today on July 20. Both events will feature live Q&A.

Dan Nelson is a partner and co-chair of Armstrong Teasdale’s Privacy and Data Security practice. He is a Certified Ethical Hacker (C|EH) through the International Council of E-Commerce Consultants (EC-Council). He previously became a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and is a seasoned practitioner in the areas of U.S. data protection laws, key privacy terminology, and practical concepts concerning the protection of personal data and trans-border data flows. He regularly counsels clients about security flaws and techniques to protect their data, including data mapping, risk assessment, contract review, employee training and awareness programs, policy and procedure preparation and review, incident response planning, incident plan table-topping, and cyber policy review services.
