Cyber money better spent on attack deterrence, not recovery

June 26, 2017

This attack exploited a newly leaked toolkit from the National Security Agency. “WannaCry,” as it is called, took advantage of a well-known vulnerability, one for which a patch, MS17-010, had been released in March.

While taking advantage of a known vulnerability is nothing new, this time it was packaged with more traditional ransomware. Ransomware is a virus that encrypts the contents of a computer and attached storage and requires the system owner to pay a ransom in order to decrypt and get back the files.

It was this combination of ploys that resulted in one of the most widely and quickly distributed attacks in recent history.

Here’s what most business owners don’t know or realize – this type of attack is easily prevented by putting in place sound cybersecurity practices. It’s called foundational cybersecurity – essentially getting back to basics.

To demonstrate, compare the preparation and response to this global attack by two fictitious businesses: Business A and Business B.


Having acquired sound expertise ahead of time from a reputable security company, Business A notices the NSA toolkit release and effectively patches its systems, companywide, months prior to the attack.

It already has been performing vulnerability and malware scans across the entire network, especially on internet-accessible computers and servers. It routinely determines which machines need updating by having a real-time inventory of assets. It professionally coordinates patching, testing and review for all systems.

Business A also implemented an email scanning solution months earlier and has been keeping it up-to-date to filter out viruses as well as other malicious files and messages.

These systems and processes are well-documented in its up-to-date system security plan, staff are thoroughly trained in how to react, and backup plans are regularly tested.

To round things out, Business A maintains cost-effective computer log monitoring (which helps identify potential issues as they occur) and intrusion prevention systems, along with its hardened firewall.

Not a big company, it has leveraged available expertise to implement solutions that enable big-company security measures at a fraction of the cost.


Business B has done no vulnerability scanning that would have detected this gap in defense, and only small amounts of virus scanning were implemented to prevent malicious software from installing itself on systems.

There is no log management to detect issues in real time. No intrusion prevention or detection systems to identify attacks. A decade-old firewall/router combination bought at an office supply store lacks the features to fend off such a threat.

Business B consistently delays implementation of email scanning and other cloud-based security solutions, even though they are cost effective and easily implemented.

Unwilling to “inconvenience” employees with patching and rebooting, it passes on much-needed upgrades and updates to systems. Nothing is planned, and little is formally documented.


The morning of May 12 brings worrisome news from the United Kingdom. Entire hospital systems are being brought down completely.

Later, Fortune 500 companies in the United States are affected. Spain’s major telephone provider suffers outages.

Business A and Business B, meanwhile, start preparing for what is a major global event. Both gather intelligence on the threat as fast as possible, analyze the threat and see what needs to be done.

Business A pulls a recent report of all at-risk systems and finds that it is an easily manageable number of known machines.

Business B is unable to generate a definitive list, but estimates there could be hundreds, maybe thousands, of devices on the network which are vulnerable or potentially already affected.


Business A staff patches remaining vulnerable systems, shuts down nonrequired systems that cannot be patched and implements other measures outlined long ago in its security plan, just for such an event. Then it’s time to relax for the weekend.

Business B is quite the opposite, having to pull away resources for emergency patching and trying to develop a list of vulnerable machines, all as the attack is underway.

Thus begins another long weekend for an already thin and stretched staff. Business B is crippled and has no recovery plan.

Once news of these issues gets out, customers stop trusting it and suppliers get nervous.

Without adequate backups in place, it probably won’t be in business much longer.


For Business B, forget about paying the ransom. Forget about getting back its files.

Its only option is spending an untold sum to clean up the mess, exponentially more than proactive measures would have cost.

To make matters worse, because of its perceived negligence, cyberliability insurance won’t necessarily protect it.

Don’t be Business B.


Michael Hawkins is principal and CEO of Netizen Corp. (www.netizencorp.com) in Upper Macungie Township, a provider of cybersecurity and compliance solutions for defense, commercial and government markets. Max Harris is principal and chief of business development at Netizen Corp., and Rich Stoneberg is chief information security officer at Netizen Corp.