30 June 2017

Freedom Instead of Fear

Mark Kuhr

This week the adversary stole headlines again with yet another ransomware attack. As the West Coast was waking up on Tuesday morning, reports of a new ransomware targeting servers at Russia’s biggest oil company, disrupting operations at Ukrainian banks, and shutting down computers at multinational shipping companies, advertising firms, banks, and power grids dominated headlines. Bearing similarities to the Petya attack in Ukraine last year, the attack was nicknamed NotPetya and gave companies and government agencies around the world a bad case of déjà vu.

In fact, the NotPetya attack was carried out using the same EternalBlue exploit as WannaCry. Although Microsoft had pushed a patch for the vulnerability in Windows SMB, Tuesday’s attack revealed just how many systems remain unpatched and vulnerable.

If cyberattacks were not on your list of top risks to your organization, chances are they are now. Michelle Crorie, a partner at law firm Clyde & Co. that specializes in cybersecurity issues commented, “Data breaches and cyber hacks are one of the biggest risks facing business worldwide. The WannaCry attack and now Petya clearly demonstrate that hackers do not discriminate which type of business they are targeting.”

Yes, this is true. The adversary is creative and dynamic. As we’ve seen recently, cyber incidents are becoming increasingly high-profile in the public sphere. But businesses and government agencies do not need to live in a state of fear. The attackers may be changing the rules, but we can change the game. Here’s how:

  • Get a realistic view of our systems’ hardness – There’s no need to wait until after an attack to bolster our defenses. Using an offensive approach to defense that mimics an attack can reveal unknown security weaknesses in our systems.
  • Don’t give the adversary the easy win – If there’s a patch, we should patch immediately, and then verify that the patch has truly plugged the gap. An attacker only needs one vulnerability to succeed, and our experience shows that patches fail at least 15% of the time.
  • Test continuously – Attack surfaces are always changing, so we should always be testing them. By continuously testing high value assets, a vulnerability can be spotted as soon as it comes online, rather than being left for the adversary to find.

By taking these steps, we can get peace of mind from knowing that we are making it extremely difficult for the adversary to find a way into our systems. When we step out of fear and start dealing with security realistically, we move our organizations forward. It’s time for businesses and government agencies to live in freedom instead of fear.