[BreachExchange] What You Need to Learn from the Biggest Cyber Attack in History

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 19 15:06:10 EDT 2017


Last weekend, a virus called “WannaCry” swept through Asia, Africa, and
Europe, encrypting the data of thousands of individuals and businesses.
Although it demanded a ransom that, if paid, promised the user access to
encrypted data, few paid the ransom, and many who did never regained access
to their data. It was the largest ransomware attack ever, even though it
was stopped before it impacted much in the United States.

Since the attack, I have read numerous security posts about why this attack
is just more proof that people and businesses should adopt the security
measures those writers had previously published. While I agree with (most)
of those posts, I think that the unprecedented nature of this attack
creates a different opportunity – to discuss some fundamental lessons that
every business owner needs to accept as the modern reality.

Here are Six Lessons You Need to Learn from the WannaCry Cyber Attack:

1) Everyone is a target

When it comes to hacking, I’m fond of the metaphor of the fisherman. When a
fisherman is going after a specific type of fish, a lot of preparation and
knowledge about that specific fish is needed: what type of pole and line
works best, what type of body of water, and where in that specific body of
water can the fish be found, how deep should the line be dropped, and what
bait is needed?

Most businesses are prepared for hackers who are looking for a specific
fish – the “important” data in their systems. Unfortunately, just like in
the fishing industry, the vast majority of successful hackers aren’t using
a fishing pole, they’re using a net.

Is your office network online? Then you’re a target. Get used to it, and
plan accordingly.

2) We can no longer rely on the “honor” of thieves

Why does someone pay a ransom? They believe that by doing so, whatever is
being held hostage – whether it’s a person, a tangible thing, or their data
– will be released. It’s what the entire system of ransomware is built on:
a very perverse form of trust.

Well, as the FBI has been warning for the past couple of years, the
likelihood that you will actually get your data back has been decreasing as
ransomware tools have proliferated. However, the WannaCry hackers took that
to a whole new level – and may have permanently destroyed the “trust” that
ransomware depends on.

Believe it or not, ransomware is a business, and a highly successful
one in certain parts of the world. But for that business to proceed,
hackers need to be able to count on receiving your ransom payments. The
failure of this system will have two major implications for the future of
ransomware in my opinion:

1) Hackers who rely on ransom payments will rely on increasingly more
complicated ransomware (requiring multiple payments before data is released
or, more frighteningly, relying on ransomware that encrypts hardware rather
than data – that’s right, HARDWARE, and it’s coming!); and

2) an increase in the use of ransomware as a disruptive tool, which brings
me to…

3) Some people just want to watch the world burn

People were turned away from emergency rooms because someone wanted to
cause a disruption, and they didn’t care who it hurt.

There are three main reasons that a hacker goes after someone else’s data:

1) Money,

2) Information, or

3) Disruption.

The first two types of hackers are the types we know – the first group
steals credit card numbers, personal information for identity theft, or
ransoms your encrypted data for a payday; the second group are the ones
looking for specific information, whether they’re looking for compromising
emails, intellectual property, or national security information.

The third group is considerably more terrifying – their only goal is to
shut your system down. Occasionally in the past, these types of hackers
have been characterized as those like the “Anonymous” hackers, looking to
sow chaos. But the truly terrifying groups are those working on behalf of
repressive regimes, especially when those regimes appear to have nothing to

Not long ago, Russian hackers hit the Ukrainian power grid. Hackers in
Syria have repeatedly disrupted access to media organizations that have
portrayed the Assad regime… accurately. It appears that the WannaCry
hackers are likely North Korean, and that the hack may have been timed to
draw international attention away from their missile launch.

4) Your cyber liability policy needs to cover ransom… as well as when
ransom doesn’t work

You probably haven’t thought all that much about whether or not you’d pay a
ransom to get access to your data, but your insurance carrier has. They’ve
been aware of the threat of ransomware for a long time, and how they’ll
respond is right there in your cyber liability insurance policy. But I’d
bet you couldn’t tell me how they’d respond, even with your policy right in
front of you.

That’s the nature of the beast these days, unfortunately. Your policy needs
to cover ransom payments to get your data. Sure, you need quality backups,
and it’d be nice if those would work, but it’s not always possible. New
variants of ransomware are specifically targeting backup systems. Others
(as I ominously discussed above) will encrypt your actual computers or
devices, rendering them useless even if your backup is safe.

But your policy also needs to protect you when, also as discussed above,
the ransom payment doesn’t get your data back. The most underappreciated
cost of a data breach is lost time, and if you don’t get your data back
after paying a ransom, your business will be down a lot longer than you
anticipated. Will your insurance protect you?

5) It’s the basic, tedious, unglamorous security measures that really matter

Most of us like to put cyber security to the back burner. It’s complicated,
outside of our area of expertise, and, to be honest, a little terrifying to
constantly think about. So when it comes to our levels of preparation, we
like to think that shiny new devices, expensive new software, or an
impressive team of IT personnel is the best way to protect ourselves.

It’s not.

Just like anything difficult, the most effective way to do something is to
do it right from the bottom up. Your first line of defense against cyber
attacks like the WannaCry ransomware is the vigilance of you and your
employees. Vigilance requires awareness.

Awareness requires training. Regular training. For everyone. Including you.

It’s not fun, and it can seem tedious. It takes you away from directly
working on your business – at least that’s what you argue. But trust me,
you’d rather lose an hour every two months than lose two solid weeks
because you accidentally clicked on a malicious link in a spear phishing

Other basic, less-discussed security measures, such as ensuring your
computers and devices are always running the most up-to-date versions and
frequently running anti-malware systems like Malwarebytes are critical, as
well. In fact, since newer viruses like WannaCry can infect entire
networks, keeping your system updated is probably the single best way to
protect your computer and devices.

(Check out our 12-Step Program for creating the right Cyber Security Policy
for your business)

6) Apple was right… but it won’t matter

Last year, the FBI insisted that Apple unlock two iPhones related to the
San Bernardino shooting, sparking a nationwide debate on whether technology
companies should engineer ways for governments to view encrypted
information. Although they denied it, the government, and those supporting
the government’s position, were calling for “backdoors” to be built into
software and devices to allow access.

Tim Cook, and cyber security experts all over the world (including myself),
objected, pointing out that once you create a backdoor, you have no way to
guarantee that only the “good guys” can use it.

The WannaCry hackers, using a tool developed by the NSA to allow access to
computers running on Windows, just proved Tim Cook right. If the NSA can’t
protect their own secrets and tools – the FREAKING NSA! “Security” is the
SECOND word in their TITLE! – what chance does the New York District
Attorney’s office have?

Unfortunately, this debate has never been about keeping the data of regular
citizens safe. It’s about the power and reach of the government in the name
of security. Don’t believe me? Ask yourself this question: why does the
government, any government, ask for increased security powers after a
catastrophic event, instead of investigating why the powers they granted
themselves the last time there was a catastrophic event didn’t work!

The NSA developed a tool that gave them access to vulnerabilities in the
Windows operating system. That tool was stolen, and this past weekend was
used to shut down computer systems all over the globe, including the
British National HealthCare System, German train lines, Chinese colleges,
and thousands of small businesses.

But that fact will not stop governments all over the world from demanding
new powers of surveillance over their citizens in the event of a terrorist