June 27, 2017
The security industry has an accountability crisis. It’s time to talk about it, then fix it. Whenever a massive cyber attack occurs, a chorus of voices inevitably rises to blame the victims. WannaCry on May 12 and Petya on June 27 yet again kicked off the familiar refrains:
“If users didn’t click on stuff they shouldn’t….”
“If they patched they wouldn’t be down….”
“This is what happens when security isn’t a priority….”
“Now maybe someone will care about security…”
I have yet to meet a single user who clicked a malicious link intentionally – beyond security researchers and malware analysts, that is. I have yet to meet anyone who delights in not patching as a badge of honor. There are great reasons not to patch, and terrible reasons not to patch. As always, context and situation matter.
Except that this Petya variant foils the familiar refrain. It carries both the EternalBlue and EternalRomance SMB exploits, and it can also spread laterally via WMI and PsExec, so blaming IT, the business, or the user no longer fits. The malware author built the tool with multiple attack vectors. Patching closes the exploit path, but the malware also captures credentials from each system it lands on, and WMI and PsExec are legitimate administrative channels that a fully patched host will accept from anyone holding valid credentials. So if an organization has a single system it cannot patch for legitimate business reasons, the malware can land there, capture credentials, and then move laterally to patched systems throughout the environment.
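The paragraph above makes an argument that is easy to state and easy to underestimate: one unpatched host plus shared administrative credentials is enough for a worm with both an exploit and a credential-based lateral-movement path to reach every patched host too. The following toy propagation model is an added example, not code from the original post or from any analysis of the malware. Host names, the cached credentials on each host, the network links, and the scenario names are all constructed for the illustration; a target falls either because it is unpatched (exploit path) or because the worm already holds a credential that is valid on it (WMI/PsExec path). It goes slightly beyond the text by also showing what per-host credentials and segmentation do to the blast radius.

```python
"""Toy model of a worm that combines an SMB exploit with stolen-credential
lateral movement, in the spirit of the post's description of Petya.

Everything below (hosts, credentials, links, scenarios) is constructed for
the example; it is not data from any real incident.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    patched: bool          # True: the SMB exploit (EternalBlue/EternalRomance) fails
    creds: frozenset       # admin credentials cached on the host, harvested on infection


def simulate(hosts, links, start):
    """Return {host: how_it_was_reached} for every host the worm compromises.

    links[src] is the set of hosts src can reach on the SMB/RPC ports that WMI
    and PsExec use. Harvesting credentials on a newly infected host can unlock
    targets that were skipped earlier, so iterate until nothing changes.
    """
    reached = {start: "initial infection"}
    stolen = set(hosts[start].creds)
    changed = True
    while changed:
        changed = False
        for src in list(reached):
            for dst in links.get(src, ()):
                if dst in reached:
                    continue
                if not hosts[dst].patched:
                    how = f"SMB exploit from {src}"
                elif stolen & hosts[dst].creds:
                    cred = sorted(stolen & hosts[dst].creds)[0]
                    how = f"WMI/PsExec from {src} using '{cred}'"
                else:
                    continue            # patched, and no usable credential yet
                reached[dst] = how
                stolen |= hosts[dst].creds   # every new foothold yields more credentials
                changed = True
    return reached


# Constructed environment: one legacy host that cannot be patched, four patched hosts.
NAMES = ["legacy-01", "ws-01", "ws-02", "srv-file", "srv-db"]


def flat_links():
    """Flat network: every host can reach every other host over SMB/RPC."""
    return {h: {o for o in NAMES if o != h} for h in NAMES}


def shared_admin_hosts():
    """One local admin password ('LocalAdmin') reused on almost every host."""
    return {
        "legacy-01": Host(False, frozenset({"LocalAdmin"})),
        "ws-01": Host(True, frozenset({"LocalAdmin", "alice"})),
        "ws-02": Host(True, frozenset({"LocalAdmin"})),
        "srv-file": Host(True, frozenset({"LocalAdmin", "svc-backup"})),
        "srv-db": Host(True, frozenset({"svc-backup"})),   # reachable only via svc-backup
    }


def scenario_shared_admin():
    """Single unpatched host, shared admin credential, flat network."""
    return simulate(shared_admin_hosts(), flat_links(), "legacy-01")


def scenario_unique_admin():
    """Same network, but each host has its own local admin credential."""
    hosts = {
        "legacy-01": Host(False, frozenset({"la-legacy"})),
        "ws-01": Host(True, frozenset({"la-ws1", "alice"})),
        "ws-02": Host(True, frozenset({"la-ws2"})),
        "srv-file": Host(True, frozenset({"la-file", "svc-backup"})),
        "srv-db": Host(True, frozenset({"svc-backup"})),
    }
    return simulate(hosts, flat_links(), "legacy-01")


def scenario_segmented():
    """Shared credential again, but legacy-01 may only talk to srv-file and
    servers may not initiate SMB/RPC to workstations."""
    links = {
        "legacy-01": {"srv-file"},
        "ws-01": {"ws-02", "srv-file", "srv-db"},
        "ws-02": {"ws-01", "srv-file", "srv-db"},
        "srv-file": {"srv-db"},
        "srv-db": {"srv-file"},
    }
    return simulate(shared_admin_hosts(), links, "legacy-01")


if __name__ == "__main__":
    for name, fn in [("shared admin, flat", scenario_shared_admin),
                     ("unique admin, flat", scenario_unique_admin),
                     ("shared admin, segmented", scenario_segmented)]:
        result = fn()
        print(f"{name}: {len(result)}/{len(NAMES)} hosts compromised")
        for host, how in result.items():
            print(f"  {host:10s} <- {how}")
```

In the first scenario the only unpatched host is the entry point, yet all five hosts fall: the worm never needs the exploit again once it holds the shared credential, and the credential harvested on the file server is what opens the database server. Unique per-host credentials stop the spread at the unpatched host; segmentation with the shared credential still intact merely shrinks the blast radius to the hosts the legacy segment can reach.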
Here’s what S&R pros should take away from this:
- Productive conversations usually don’t begin with accusations. Source: My significant other.
- Geopolitics & cyberproliferation are emerging topics for CISOs.
- Despite all the technical advances in the world, basic security hygiene will lead to wins.
- Security researcher activity on Twitter is phenomenal. Find, follow, and learn from security rock stars.
- This problem requires security to build better:
  - Architectures (Zero Trust Segmentation)
  - Processes (Automation, Threat Intelligence, and Patch Management)
  - Culture & Communication (both in security and when working with the business)
Here are the lessons enterprise leaders of all stripes should take away from these events:
- “Digital dependence” for customers & businesses is real. For example, Forrester predicts US B2B e-commerce will rise to $1.2 trillion by 2021. The more your revenue depends on digital business, the higher the likelihood that a cybersecurity issue will cripple you.
- The interconnectedness of the digital economy is difficult to comprehend until something like this happens and we watch it play out live in infection timestamps. Malware can spread from Ukraine to Washington, DC in seconds.
- Security is now a customer-facing issue, as each widespread attack proves. WannaCry shut down NHS hospitals and FedEx; Maersk, the world’s largest shipping firm, was crippled by Petya. Whether B2B or B2C, security is a component of CX. And remember, emotion is almost half of the reason for brand connections with customers.
- Worldwide financial systems, critical infrastructure, and overall global economic prosperity are under attack from cyberweapons and threat actors. Two exploits used in these attacks were allegedly stolen from the NSA and repurposed to target the rest of the world.
Remember that everyone is a user, everyone is a target.
Security threats are the number one risk to our connected lives.