[BreachExchange] A year on from WannaCry, a new kind of system is needed for security maintenance

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 11 19:38:34 EDT 2018


https://www.scmagazineuk.com/a-year-on-from-wannacry-a-new-kind-of-system-is-needed-for-security-maintenance/article/766931/


We've just had the one year anniversary of the WannaCry cyberattack, a
ransomware attack which affected millions of computers in homes and
businesses around the world, encrypting vital data and impeding system
function. The most notable victim was, of course, the UK's National Health
Service, where many clinics running on unsecured computers had their
systems frozen. The NHS has since announced a £150 million investment to
bolster its cyber-security defences.

Three months after a “lessons learned” report from the Department of Health
and Social Care advising on the need for critical security patches, there
remains much work to be done to secure critical infrastructures from
cyber-attack. The Department is still coming under fire for not knowing
what the proposals will cost, or when they will be implemented.

Many clinics and hospitals relied on computers that were insecure or not
recently updated with the latest security updates, which left them
vulnerable to the attack. But why did so many practices find themselves
running on unprotected, outdated software for so long, and with such
dangerous consequences? The answer lies in the way software and hardware
products are usually bought by big organisations.

Many organisations purchase their large-scale IT infrastructure on an
ad-hoc, product-by-product basis. Systems are updated as and when staff
notice a need and feel there is time to make a change. In large,
high-pressure organisations, this can be infrequent – especially in those
like the NHS, where staff are under huge stress and time pressure – and
their systems are under the same strain.

In many cases, patches are not installed regularly enough – sometimes
operating systems are only fully updated once every decade. But using
software that is no longer supported by the manufacturer effectively puts a
target on the back of organisations for malicious hackers. The problem is
growing even more pronounced as hacking becomes more automated, allowing
attacks to be carried out on a large scale and at an unrelenting pace.

In high-pressure working environments, IT and particularly cyber-security
are often an afterthought, or a siloed department. But the cyber-attacks on
various companies and organisations we have seen over the last year
demonstrate that IT should be at the forefront of operations planning in
any large organisation of national importance.

One way to tackle this problem is to change the relationship between
organisations and the software and hardware providers they buy from. Many
rely on Enterprise Agreements (EAs) whereby vendors agree to sell a
specified amount of software and hardware over a certain timeframe. But EAs
have been evolving in recent years to offer more support to customers. Many
EAs have expanded to include security and software updates.

Large and complex organisations need EAs with a Software as a Service
Offering, a contract between customer and supplier whereby hardware and
software are fully supported on a rolling basis.

Instead of companies simply buying IT infrastructure from a provider and
then having to update, maintain and replace it themselves, under an evolved
EA this is largely the vendor's responsibility. To ensure the best user
experience and encourage users to renew, it is always in a vendor's
interests to ensure that their customers are making use of the most
up-to-date versions of their software. Vendors can then manage the
continued maintenance of these systems. This takes away the burden of
maintaining systems in-house across a vast and sprawling business network
of different systems.

Although used in many areas, in recent years EAs have evolved to better
accommodate the changing needs of businesses, who are looking for
increasing flexibility. Many EAs now include security, network and other
hardware support in the same package as well as being available on a
pay-by-usage policy. This means firms can accelerate innovation into their
IT systems through just one agreement.

The WannaCry attack, and many high-profile cyber-attacks that have followed
in the past year, have highlighted the intense need across all
organisations to put cyber-security first. But in high-pressure
environments where staff have little bandwidth to update systems, a new
kind of agreement is needed to guarantee sustained protection.