A look back at the WannaCry ransomware attack and what we should learn from it.
by Dominic Vogel, Chief Security Strategist, Cyber.Sc
Cyber security is understandably thought of as a largely negative subject. We speak quite a bit about cyber attacks and data breaches, litigation, regulation and other post-breach realities such as loss of customers and reputation. Cyber security itself is widely perceived as a cost center or sunk cost that doesn’t produce an immediate return on investment. Today we would like to talk about the positive aspects of cyber security: how investing in proper cyber security is a business enabler that results in higher revenue for your organization. As we have said in a previous article (Cyber Security & The Value of Your Sensitive Data): “If you want to grow your market share, reach your business goals or just simply be able to maintain your everyday business operations and survive, then cyber security makes good business sense.”
It seems like almost everything is, or can be, connected to the internet. The ‘Internet of Things’ and the Cloud are two realities that are rapidly increasing the rate of change in the way we do business. Each new smart device we bring online (smart phones, tablets, TVs, cars, thermostats, HVAC systems, refrigerators, medical equipment, FitBits, etc.) gives convenience that can be leveraged by the end user and data that can be leveraged by business. There is so much data that businesses can harvest and harness to understand their target customers and market their products more effectively. As more commerce is transacted on the internet, the global economy is increasingly taking place online. Traditional ‘brick-and-mortar-only’ businesses are on the decline while the number of online businesses is increasing. Operational efficiencies for businesses are also expanding with the combination of massive online platforms and the IoT.
Cyber Security ROI
From a security standpoint, with the number of connected devices rapidly on the rise, the number of access points for cyber crime is rising in direct proportion. This means that the ‘attack surface’ available to cyber criminals is expanding every day. This is an obvious defensive motivation to invest in a good cyber security program, but there are also multiple positive, or ‘offensive’, reasons to do so. Your customers appreciate the technology-enabled products and services you are able to offer them. The ability to launch these products and services, and the continued availability of the technology that enables them, is made possible by effective cyber security.
If your information, networks and business partners are secure, then your critical business processes are protected. This protection gives you the bandwidth to be proactive and focus on business development. Proactive and effective Cyber Security becomes a business enabler which creates business opportunities for growth. When you demonstrate, and even advertise, your cyber resilience, you can deepen trust with your clients and customers. You can then create new opportunities out of this level of trust to bring more useful products and services that your customers appreciate. When you meet and exceed customer expectations, the customers win, your revenue increases and you win.
Having a mature cyber security posture is also a difference maker in RFP and M&A scenarios. If you are putting out your services for tender, or if you are an acquisition target for a larger organization, being secure as well as compliant with regulatory requirements gives you an important edge. When prospective investors and clients are choosing between a secure company to partner with and an organization with questionable security, they will choose the company that has taken proper security measures (all other things being equal). Although situations like these are disappointing and potentially devastating for the companies that get passed over, this is a life-changing advantage for the organization with the foresight to pay close attention to its own cyber security posture.
Rapid Risk Reduction
At Cyber SC, we understand the limitations and budget constraints organizations face. We focus on quick wins in the short term as well as on mid- and long-term, big-picture security program maturity. This Rapid Risk Reduction with a minimal amount of investment translates to a higher ROI for our clients. Not only does cyber security keep you up and running and in business, it lets you GO ON THE OFFENSIVE to grow the business and gain market share.
This is the start of a series of articles about the Internet of Things (IoT). There is a lot of hype around risks associated with compromised IoT devices and the purpose of this series is to help executives and technologists deal with these risks in a holistic manner.
First, we should agree on what IoT devices are. For the purposes of these posts I am going to define IoT devices as any device other than a computer, server or networking hardware that is connected to a network. Generally I’m looking at this from a business perspective, although much of this thinking can be applied to consumer devices in and around the modern home.
Why is IoT different than the rest of the devices on my network?
Familiarity: Your typical IT department has many years of experience securing Windows desktops, installing anti-virus software and configuring the Cisco firewall that sits at the edge of the network. There are well-established configuration standards, processes and experts within organizations to deal with these devices. IoT devices are often new to IT; they are frequently managed by a third-party vendor, by the cafeteria staff (in the case of the wifi-enabled toaster) or by the building security contractor. Not only are the devices new to IT but so are the underlying technologies that power them. They’re often running less common operating systems, using protocols IT is less familiar with (RabbitMQ, Zigbee), and often IT is given no access to the devices at all.
The bottom line is that there is an unfamiliarity with the devices and the underlying technologies the devices rely upon. Time and training will gradually address this issue.
Visibility: How confident are you that you have a detailed inventory of all the IoT devices on your network or that your organization relies upon to some degree? How long would it take you to discover a new IoT device had been added to your network?
Even in organizations that are aware that IoT devices carry a set of risks, the teams involved are often surprised at how many internet-connected devices are actually in their facilities.
Addressing the visibility gap is about automated detection tools residing in your network, policies about involving IT for any device with an IP address and keeping a detailed inventory of the devices. Second only to having an inventory, the most important next step is that the inventory identifies the responsibility hierarchy for these devices.
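One way to put the two halves of that advice together in code, as an added example that is not part of the original article: reconcile a device inventory (which must name a responsible party for each device) against what is actually leasing addresses on the network. The inventory, MAC addresses and dnsmasq-style DHCP lease lines below are constructed sample data.

```python
"""Reconcile a device inventory against DHCP leases and flag two gaps:
devices on the wire that nobody inventoried, and inventoried devices
that have no responsible party assigned."""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryEntry:
    mac: str
    description: str
    owner: str  # person or team responsible for approval, data and security review


# Constructed sample inventory (MAC addresses are made up).
INVENTORY = [
    InventoryEntry("aa:bb:cc:00:00:01", "Lobby IP camera", "Building security contractor"),
    InventoryEntry("aa:bb:cc:00:00:02", "Boardroom smart TV", ""),  # nobody assigned
    InventoryEntry("aa:bb:cc:00:00:03", "Generator controller", "Facilities"),
]

# Constructed sample lease lines in dnsmasq lease-file layout:
# <expiry> <mac> <ip> <hostname> <client-id>
DHCP_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.20.11 axis-cam *
1700000000 aa:bb:cc:00:00:03 10.0.20.13 gen-ctrl *
1700000000 aa:bb:cc:00:00:09 10.0.20.44 toaster *
"""


def parse_leases(text):
    """Return {mac: (ip, hostname)}; blank or malformed lines are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        seen[parts[1].lower()] = (parts[2], parts[3])
    return seen


def reconcile(inventory, leases):
    """Sorted MACs seen on the network but not inventoried, and inventoried MACs with no owner."""
    known = {e.mac.lower(): e for e in inventory}
    unknown = sorted(mac for mac in leases if mac not in known)
    unowned = sorted(e.mac for e in inventory if not e.owner.strip())
    return {"unknown_on_network": unknown, "no_responsible_party": unowned}


if __name__ == "__main__":
    leases = parse_leases(DHCP_LEASES)
    result = reconcile(INVENTORY, leases)
    for mac in result["unknown_on_network"]:
        ip, host = leases[mac]
        print(f"UNKNOWN device {mac} ({host}, {ip}): not in inventory, needs approval")
    for mac in result["no_responsible_party"]:
        print(f"NO OWNER for inventoried device {mac}: assign a responsible party")
```

Run on a schedule against the real lease file (or ARP tables from the switches), the first list is the automated detection of new devices and the second is the responsibility-hierarchy check that the inventory alone does not enforce.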
Responsibility: I think the biggest thing impacting the security of IoT devices is the lack of a clear responsibility hierarchy. If I asked you who in your organization is responsible for protecting your CEO’s Windows laptop from hackers, you probably wouldn’t need to think too hard: “Joe, our Chief Information Officer,” or “Bill, our Network Administrator.”
If I instead asked who is responsible for the security of the administration console for the IP video surveillance camera in your front lobby, or who is confident they are in control of all the access credentials for your building’s intrusion alarm, the answer would probably take a bit more thinking.
IoT devices are often introduced by a variety of people across the organization. HR brings in an Xbox and an internet-enabled fridge for the staff party. The facility AV tech brings in a “smart TV” for the boardroom (which just so happens to have a camera and microphone connected to an internal computer that has had a firmware update exactly never). The generator maintenance technician connects the generator controller to the network for remote programming. The intrusion alarm company supplies the workstation you program new building access fobs with. All of these are devices that are connected to the network but not necessarily ordered or managed by IT.
For every device on the network it is critical to identify who is responsible for:
Approval of the device being connected to the network
Identifying the storage locations of and approval for the collection of any personal or corporate information collected by the device
Security review of the device
If the answer is the vendor, what level of trust do we have that the vendor will be doing security updates, rotating credentials when their staff leave, and so on?
This brings us to our next topic in the IoT Blog Series: Supply Chain Risk.
This week I attended the Privacy & Security Conference at Thompson Rivers University in Kamloops. Kudos to TRU for an excellent day jam packed with good presentations.
One of the presenters from a large institution talked about their experience managing their way through a successful ransomware attack that disabled several critical applications, and the effort required to pick up the pieces and move forward afterwards. The speaker was compelling, but two points jumped out at me during the session.
First was the mention that the ransomware infected their IT systems through a vulnerability. Second was the point that, in the mopping-up phase, one of the follow-up actions was the establishment of a comprehensive vulnerability management program. I found myself wondering if the two were connected.
Simply put, a decent vulnerability management program scans an environment for known vulnerabilities; provides actionable information on the riskiest vulnerabilities to the people responsible for remediation (often, but not always, through patching); offers workflow features to enable that remediation; and reports to management and business stakeholders on trends over time for high-risk vulnerabilities and on remediation efficiency.
In our experience at Credo Trust, too many organizations take a tick-the-box approach to the scanning part and ignore the effectiveness and efficiency of remediation, if indeed it’s done at all. It’s like a farmer knowing that the cows are in a field where the gate to the road is open, and not doing anything about it.
The vulnerabilities picked up by a scanner are the easiest points of attack. They need to be fixed. We have to continue to educate stakeholders that this may not be as bleeding edge as using an AI engine to analyze possibly hostile traffic, but it’s foundational and important in any decent IT security program. If you’re interested in learning more, check out our website at www.credovm.com amongst other sources.
Credo Trust is a member of the Sky Northern Security Alliance specializing in vulnerability management. If you'd like assistance with your vulnerability management program, get in touch via a service request.
by Michael Argast, Sky Northern Inc
One of the biggest challenges we face in Information Security is the need to pivot from it being a priesthood - the role of a select few who have the arcane knowledge and power - to a religion which has been adopted by the masses.
The term ‘computer’ used to mean ‘one who computes’ - it was a job description rather than a physical device. As time progressed, we had armies of specially trained people who would program massive room-sized devices. As computers became more powerful, smaller and ubiquitous, we moved from computing being a specialized professional tool to something a two-year-old could pick up and use.
Today, we expect everyone in a professional environment to have computer skills. They could be rudimentary (Microsoft Office, Outlook) or specialized (AutoCAD for engineering). Not everyone is expected to have every skill, but everyone is expected to have the skills necessary to do their job.
I propose we need to move to this approach in security. Instead of security skills being a talent that is hidden deep in a priesthood, it needs to be part of everyone’s job.
The receptionist needs to be not only skilled on phones, greetings, taking messages - but also skilled in avoiding social engineering techniques.
The physical security guards for an office building need to be looking out not only for people stealing atoms, but also people stealing bits.
Developers need to have skills not only in Java, Swift, C++ and PHP, but also the security development life cycle, fuzzing, buffer overflows and input validation.
The CFO needs to have skills not only in financial management, internal rate of return calculations and foreign exchange hedging, but also recognizing and avoiding business email scams.
HR needs to have skills not only in hiring, talent management and benefits plan analysis, but also in background and criminal checks and in strategies for dealing with inappropriate use of systems.
Until we bring security out of the shadows, and into the light, we will continue to struggle. It is only when we properly integrate security into everything we do that we will start to turn the corner.
Security is everyone’s job, let’s get to work.
Thanks for reading! If you'd like assistance with your security awareness programming, the security of your DevOps program or assistance in developing a security strategy for your organization, get in touch via a services request.