You really WannaCry? Digital Risk Management could have prevented it.
It seems counter-intuitive that placing responsibility for cybersecurity decisions in the hands of the business leaders, as opposed to the Chief Information Security Officers, can make organizations more secure. However, companies with strong, executive-led Digital Risk Management fared much better in the face of the recent WannaCry ransomware. Read on to find out why.
Ransomware — particularly insidious malware that encrypts the contents of computers and demands payment to restore them — is nothing new. But the WannaCry ransomware crippled nearly 230,000 computers in 150 countries on March 12, 2017 and left cybersecurity and business experts asking themselves several questions, including:
1. Could we have seen this coming?
2. Why were some industries affected more than others?
3. What is the next major Digital Disruptor?
Some of the largest impacts were reported at government services such as the National Health Service hospitals in the UK and the German railway. These impacts go far beyond credit card or personal information leaks: hospitals unable to access patient records or operate equipment turned away non-emergency patients and ambulances. Other industries, such as retail and consumer services, suffered similar disruptions.
In the U.S., we saw impacts to consumer-facing services, with FedEx reporting compromised systems. But the U.S. impact has been smaller than elsewhere. So far, we have seen no reported infections at the nation’s banks.
Could we have seen this coming?
The most alarming thing is it should not have been a surprise.
EternalBlue, the exploit against Microsoft’s SMBv1 implementation that WannaCry is believed to have used, was not an unknown — Zero Day — exploit. It was leaked in a dump of purported NSA hacking tools by the Shadow Brokers hacking group in April, and Microsoft had already released the fix for the vulnerability in the critical security update MS17-010 in March. The update applied only to supported versions of Windows (though Microsoft rushed out fixes for end-of-life products after the malware’s appearance).
Security experts had been warning about the dangers of SMBv1 for many months before the exploit was released. But businesses that failed to take heed and upgrade or patch — either because they failed to link technical exposure to business risk, or because their processes were immature — fell prey to the malware.
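The exposure described above comes down to two checks a defender can run on a Windows host: is SMBv1 still enabled, and is the patch process keeping up. The script below is an added example, not from the article or from Emergent; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the SmbShare cmdlets exist) and a hypothetical -Remediate switch to turn SMBv1 off after review.

```powershell
# Added example: audit a host for the SMBv1 exposure WannaCry relied on.
# Assumes an elevated session on Windows 8 / Server 2012 or later.
# -Remediate is a switch defined here for this example; a reboot is needed
# for the SMBv1 change to fully take effect.
param([switch]$Remediate)

$findings = [ordered]@{}

# 1. Is the SMB server still accepting the legacy SMBv1 dialect?
$smb = Get-SmbServerConfiguration
$findings['SMB1 server enabled'] = $smb.EnableSMB1Protocol

# 2. Registry view of the same setting; a missing value means enabled by default.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$regVal = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$findings['SMB1 registry value'] = if ($null -eq $regVal) { 'not set (default = enabled)' } else { $regVal }

# 3. Which OS build is this? End-of-life platforms got no fix until after the outbreak.
$os = Get-CimInstance Win32_OperatingSystem
$findings['OS'] = "$($os.Caption) build $($os.BuildNumber)"

# 4. How recently was any hotfix installed? A long gap is the process immaturity
#    the article describes. The MS17-010 KB number differs per OS version, so it
#    is deliberately not hard-coded here; look it up for your build.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$findings['Most recent hotfix'] = if ($lastFix) {
    "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())"
} else { 'none recorded' }

$findings.GetEnumerator() | ForEach-Object { '{0,-22}: {1}' -f $_.Key, $_.Value }

if ($Remediate -and $smb.EnableSMB1Protocol) {
    # Turn off the legacy dialect only; SMBv2/SMBv3 clients are unaffected.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    'SMBv1 disabled; reboot to complete.'
}
```

Run it without -Remediate first to see the findings, then with -Remediate once any remaining SMBv1-only clients (very old printers and NAS devices are the usual holdouts) have been accounted for.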
Why were some industries affected more than others?
So how did the U.S. banks escape unscathed while other industries found themselves compromised?
Emergent CEO Earl Crane — recently featured in a Wall Street Journal Special Report on WannaCry — said, “Within the U.S. there were several mitigating factors. Operationally, the U.S. banking sector is relatively mature in cyber risk management.”
To understand why, we need to shift the conversation from technical, tactical cybersecurity to the business of Digital Risk.
Traditionally, the banking industry operates with a much more mature business risk and governance approach than do many other industries. Culturally, their employees are much less prone to clicking on phishing emails or leaking information. Naturally, when you’re a bank, you already see every action in terms of money.
Second, today’s typical cybersecurity approaches are often mired in the tactical minutiae of patch levels and firewall logs, or communicated in “traffic light” compliance charts. The CIO is given a budget to “prevent hacks”, but not the power to make decisions about reducing a risk exposure that stems from a business process.
Last year, the Federal Financial Institutions Examination Council (FFIEC) placed the responsibility for defining and managing a “Cyber Risk Appetite” on executive boards. And the U.S. Government issued an update to OMB Circular A-123, directing agencies to adopt Enterprise Risk Management practices, “…to identify new or emerging risks.” These moves forced the business risk owners to work more closely with their cyber counterparts internally in securing their systems.
The collision of operational risk and cybersecurity has created an approach, called Digital Risk Management, which uses ground-level organizational data to help business leaders make technology and policy decisions based on their organization’s exposure to top-level business risks. But it goes beyond “stakeholder engagement” and requires a new paradigm for quantifying and calculating risk.
Crane told the WSJ that “leading firms require their CISOs and Chief Risk Officers to collaborate on strategy and regulatory response.”
More mature industries that use Digital Risk Management, like the U.S. Financial Services or even the Federal Government, are more resilient to digital risks because of these combined perspectives. Their corporate executives establish the “Digital Risk Appetite” for the enterprise and the CIO and CISO take a guidance and advisory role to the business lines, who are now responsible for their own risk exposures. As a result, business leaders are more likely to see the value of (to name just a couple) transitioning off legacy end-of-life platforms (like Windows XP) or ensuring patch management is a priority.
This is why we haven’t seen the impact of WannaCry in forward-leaning, mature organizations; their business leaders are better equipped to understand the impact of digital risk exposures and able to help the organization make wise risk decisions. This can help “shore up” their enterprises from emerging risks and make them nimbler in responding to the worst of the worst when it does occur.
What is the next major Digital Disruptor?
At Emergent, we tackle emerging risks by modeling Digital Risk Exposure scenarios using our soon-to-be-published risk ontology. By instrumenting small samples of data from a client or from a public cross-industry dataset, our machine learning model determines the observed “nervousness” around risk exposure objects, such as a vulnerability or a particular software platform. From there, we combine objects to run “what-ifs” and determine whether the client or industry is likely to experience an event like the one modeled.
Ransomware was one exposure that we were specifically tracking in our clients and in industry data. What we found was an increase in nervousness in scenarios that involved specific ransomware where the enterprise modeled exhibited a low maturity in asset and patch management, but a negligible increase in ransomware nervousness for those with strong processes. Further, the Microsoft footprint made a large difference in exposure.
As expected, these more mature industries and companies appear to have emerged from the WannaCry ordeal with their cheeks dry, while others either said “good-bye” to their data or coughed up the $300–600 ransom.
As a side note, those monitoring the Bitcoin wallets used by the attackers have noted that the wallets have received only about $50,000. This suggests that victims either resigned themselves to losing the data or had stronger backup and recovery procedures. Either way, that’s a win for risk management and a loss for the attackers.
Since our models were very telling about WannaCry, we decided to look at the data and see where else industries show nervousness. We will dive further into these exploits in a future feature, but here are a few scenario exposures we modeled:
Cisco Adaptive Security Appliance vulnerabilities
Along with the EternalBlue Windows exploit, the Shadow Brokers leaked malware that could take advantage of a high-severity vulnerability in every supported version of Cisco’s Adaptive Security Appliance firewall. Given Cisco’s footprint across industries, we see a high likelihood that this or other such related vulnerabilities will factor into emerging threats.
Credential stuffing turned to extortion
Along the same theme as ransomware, credential stuffing took an interesting turn with the Turkish Crime Family’s threat last month to reset a large number of Apple iPhones using compromised credential lists. This pivot away from using purloined credentials to compromise individual banking accounts and toward extortion (again, a paltry $75k from Apple) demonstrates a more sophisticated threat actor. With the Yahoo! breach, many more credentials are now available to these actors.
Compromised networks of SWIFT Providers and Central Banks
In keeping with our work with the top U.S. Financial Services firms, and given the issues with the SWIFT network in 2016, such providers and the networks of global central banks continue to be an area to watch.
Fixing a point solution, such as patch management or inventory, might have worked in the past. But with many more exposure vectors and with highly connected digital enterprises, mere compliance or tactical approaches will no longer protect the larger digital ecosystem from harm. Emerging risks will continue to crop up. Banks are our best example today.
“Strategically, bank leadership is ahead of the curve with emerging digital risks, as they are the ones who intrinsically understand the monetary value of data at risk,” said Mr. Crane. “For example, banks require their chief information security officer and chief risk officers to work together on strategy and regulatory response.”
Only those enterprises that adopt an executive-led approach will be resilient enough to avoid today’s Digital Risks.