On 12 May 2017, multiple computer systems were infected by a variant of the Ransom.CryptXXX ransomware family otherwise identified as Ransom.Wannacry. Exploiting a vulnerability within the Windows operating system (WinOS), the worm impacted organizations globally, ranging from hospitals in the United Kingdom to academic institutions in China. Luckily, our societies are resilient. Soon, organisations will recover from this ‘worst-ever recorded’ attack and return to maximum operational capacities. The scale of this ransomware outbreak, however, is a dark reminder of the increasing sophistication of contemporary threat actors, who were able to remodel an American-developed exploit and utilise a Windows security update as targeting intelligence.
Preliminary attribution efforts suggest the Lazarus Group as the potential culprit. While North Korea appears likely to be the advanced persistent threat (APT) actor in this instance, it remains too early to be certain. Nonetheless, the ransomware outbreak does reveal the increasing sophistication of cyber-attacks.
First, researchers identified a cyber-exploit (identified as ETERNALNIGHT), allegedly obtained from the Shadow Brokers’ digital assault on the US National Security Agency, which was used to enhance the Trojan’s effectiveness. This also provides a glimpse into the cyber arsenal of the United States, and how vulnerable enterprises are if targeted by a state-sponsored or state-intelligence actor. Second, the WannaCry ransomware targeted a ‘critical’ vulnerability identified in a Microsoft Windows security update two months prior, which could have been exploited as targeting intelligence. While the outbreak was curtailed by a British cyber security researcher known as MalwareTech, ‘albeit by a stroke of good fortune’, various organizations are still experiencing problems despite patches published by Microsoft, and newer WannaCry variants have already been discovered.
According to Microsoft, the ransomware’s global impact is arguably due to government secrecy relating to efforts aimed at weaponizing vulnerabilities, rather than fixing them. Regardless of the national security or political agendas behind the US government’s non-disclosure, that information holds no value for most businesses, which are more likely to have monetary concerns. While the exact monetary ramifications of the WannaCry attack haven’t been determined yet, the outbreak itself bears a stark resemblance to the ILOVEYOU bug that plagued the world over fifteen years ago, causing billions of dollars in damages. However, despite consistent narratives about the escalation of sophisticated cyber threats, corporate executives are still ‘putting cyber security on the back burner’ – according to a research paper by Barclays and the Institute of Directors published in 2017. Warwick Ashford, the security editor at TechTarget, said that the WannaCry ransomware outbreak is the much needed ‘wake-up call’ for enterprises to realise that security is a luxury, a luxury which will prove unattainable for corporates that still ‘lack a cyber security strategy’ in an increasingly digital business environment.
To engage effectively with future threats like WannaCry, enterprises (of all sizes) must adopt a proactive stance towards their digital security. Here are some strategies for businesses to enhance their digital resilience:
- Establish a universal risk ‘language’ between executives. While there may be obvious differences in terminology, all executives need to be on the same page when talking about risk. Corporate executives (for example, chief financial officers and chief marketing officers) focus on business risks, orientated primarily towards financial, expansion, investment, or reputational concerns. Security executives (that is, chief information security officers or chief compliance officers) focus on defensive risks, orientated around network resilience, database security, meeting compliance standards, and information defence. According to Matthew Leitch, ‘the words we use…can have a profound effect…a vital practical concern that affects whether risk management programmes make headway or not’. If executives can establish a standardized risk ‘language’, they enhance mutual understanding and the realisation of the importance of one another’s contributions towards providing customers with a service or product that is reliable and secure.
- Establish a specialised digital resilience framework unique to the objectives of your enterprise. Digital resilience today is primarily guided by regulatory compliance, national practice standards, and government-sponsored schemes. While these standardised practices allow easy adoption across industries, enterprises should not rely solely on them, according to Torsten George from ISACA, who suggests an alternative approach determined by calculated business and security risks. All enterprises are unique, having their own operational procedures predefined by their corporate objectives, and with limited budgets allocated to cyber security. Security should be addressed alongside other business objectives. Corporate executives should note that the standards described are only a guide to outline basic security foundations, and should expand their cyber security budgets to enable the development of a specialised cyber security framework.
- Integrate security into business design and development. Consider incorporating security into the early design stages of a product or service line. Embracing ‘security by design’ provides the key benefit of ensuring products and services are secure before they are released to the public. A prime business example is Blackberry, whose products are designed from ‘the inside-out with security as a prime consideration’, and which has just introduced the ‘Most Secure Cloud-Based Communications Platform’. Though the company suffered losses when compared to other smartphones, it was over the issue of recreational benefits, not security. In a world where security is an increasing priority, Blackberry’s emphasis on security-first has paid off, as it (Blackberry PRIV) was named by Google as ‘One of the most secure Android phones’. The key here is to cultivate a security integration that is also unique to enterprise objectives.
- Enhance cyber security knowledge across the enterprise. The greatest threat to enterprises’ digital resilience is complacency among employees, corporate leadership and even security practitioners. Low to mid-level employees often underestimate their value as an intelligence and access resource to potential attackers, while corporate and security leaders often overestimate the capabilities of existing security products or services. To combat this, larger enterprises should consider establishing regular penetration tests and red teaming exercises. Though more established organizations might possess the resources or expertise to integrate security into business domains, the same cannot be said of SMEs (small- and medium-sized enterprises). This gap can be filled by virtual CISOs, who can provide similar services on a case-by-case basis. However, the first port of call for SMEs should be government initiatives (for example, Cyber Essentials) or well-established cyber security consultancies (such as Secgate, Proficio etc.).