The crisis of the moment in cyber-space is WannaCry, a nasty piece of ransomware attacking organizations around the globe. Those unfortunate enough to be infected find their organization’s data seized, encrypted, and held hostage, only to be returned and unlocked once a specified payment in Bitcoin is made.
The spotlight on this cyber-threat du jour has sparked fresh debates on regulatory obligations and notification mandates. It also offers, once again, valuable lessons in risk management and the need to break down corporate silos.
Ransomware, an increasing problem for anyone with a computer, can be spread by various means. Phishing attacks include e-mails that look legitimate and seem to be from a known sender, but are engineered to trick the recipient into opening a malicious bit of code. Once loose, it creates an illicit data pipeline. Malware can also be embedded on Websites, waiting for an unsuspecting right click to open the door.
WannaCry ransomware (also known as WCry and Wanna Decryptor) used e-mail to exploit vulnerabilities in outdated, unpatched Microsoft Windows operating systems, specifically XP and 7. How bad was it? Bad enough that Microsoft (which released a patch for the exploit, for newer operating systems, in March) is blaming the National Security Agency for letting one of its experiments in software subterfuge into the wild.
The regulatory perspective
On May 17, amid ongoing waves of the cyber-attacks, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued a ransomware alert.
OCIE’s National Examination Program staff recently examined 75 SEC-registered broker-dealers, investment advisers, and investment companies to assess practices associated with cyber-security preparedness. Some findings that may serve as a cautionary reminder for firms:
Five percent of broker-dealers and 26 percent of advisers and funds examined did not conduct periodic risk assessments of critical systems to identify cyber-security threats, vulnerabilities, and the potential business consequences.
Five percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
While all broker-dealers and 96 percent of investment management firms had a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities, some were still missing a significant number of critical and high-risk patches.
Although not related to the latest ransomware attack, the SEC has ramped up efforts to target what it sees as cyber-related negligence. In June 2016, for example, Morgan Stanley Smith Barney agreed to pay a $1 million penalty to settle charges related to its failures to protect customer information, some of which was hacked and offered for sale online.
In bringing the charges, the SEC relied on Regulation S-P. It requires registered broker-dealers, investment companies, and investment advisers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”
Is it a breach?
An intriguing, important question for many entities: When must a ransomware attack be disclosed in accordance with breach notification requirements?
For healthcare organizations and their business associates under the Health Insurance Portability and Accountability Act’s privacy rule there may not be much debate or wiggle room. If protected health information is encrypted due to ransomware, HIPAA’s breach notification requirements apply, according to the Department of Health and Human Services and its Office of Civil Rights.
Clarity on the matter began to emerge in June 2016 when Rep. Ted Lieu (D-Calif.) and Will Hurd (R-Texas) wrote to OCR and encouraged it to focus on guidance for healthcare providers to respond to ransomware attacks under the disclosure and reporting requirements of HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
“If a ransomware attack denies a patient access to their medical record or medical services, the patient needs to know as quickly as possible,” the congressmen wrote.
In response, the agencies advised that lacking evidence that there is a “low probability that the PHI has been compromised,” breach notification protocols are triggered and require expeditious notification to affected parties. Media alerts must be issued if 500 or more individuals are affected.
HIPAA security rule requirements that can help prevent the introduction of malware, such as ransomware, include: conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI); and implementing access controls to limit access to ePHI to only those persons or software programs requiring access.
The advice from Pamela Passman, CEO of the Center for Responsible Enterprise and Trade: “to fight an outbreak, you need people, a process, and technology.”
Monitoring is the weak link in most organizations, she wrote in a recent blog post. “The most rigorous cyber-security measures are useless unless there is a process to make sure they are being enforced.”
Protecting against a cyber-attack is not unlike protecting an organization against Foreign Corrupt Practices Act violations, according to Passman.
“Not only does every employee and third-party vendor need to be assessed to gain transparency into vulnerabilities, but it is also important to identify, assess, and manage the profusion of devices that connect to the organization’s network,” she explains. “Any party or device represents risk, and so every one of them must be included in a monitoring program.”
A checklist of advice for IT departments—as suggested by Austin Berglas, senior managing director at the investigative, compliance, and cyber-defense services firm K2 Intelligence—includes:
Patch all Windows systems as soon as possible.
Filter e-mails with zipped or otherwise obfuscated attachments.
Regularly back up systems and keep them separate from the primary network to provide a reliable back-up option in case of an infection.
Closely monitor logs and activate anomaly detection processes for user and network behavior. Review and manage logs and alerts through a central system.
Develop a software update procedure that calculates the risk and critical levels, and prioritize critical system updates.
Firms should also raise employee awareness to the danger of phishing e-mails.
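The second item on the checklist, filtering e-mails with zipped or otherwise obfuscated attachments, is the kind of control a mail gateway can apply mechanically. The following is an added example, not code from the article or from K2 Intelligence, of a minimal attachment policy: it looks at the whole extension chain (so a document-looking name that actually ends in an executable extension is caught) and at the first bytes of the payload (so an archive or Windows executable renamed to look like a PDF is caught too). The sample attachments at the bottom are constructed for the demonstration.

```python
"""Flag inbound e-mail attachments that are archives, executables, or use
extension tricks. Added example; the extension lists, the policy and the
sample attachments are constructed and would be tuned per organisation."""
from __future__ import annotations
from dataclasses import dataclass

# Archive/container types commonly used to wrap a payload so the gateway
# cannot see the real file type.
ARCHIVE_EXTENSIONS = {"zip", "7z", "rar", "gz", "tgz", "cab", "iso", "img"}
# Directly executable or script types that have no business arriving by mail.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta",
                         "bat", "cmd", "ps1", "pif", "com"}
# Magic bytes for the archive formats above, checked independently of the name.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
MZ_MAGIC = b"MZ"  # Windows PE executable header


@dataclass
class Attachment:
    filename: str
    data: bytes


def extension_chain(filename: str) -> list[str]:
    """All lower-cased extensions: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify(att: Attachment) -> list[str]:
    """Return the policy reasons for quarantining; an empty list means allowed."""
    reasons: list[str] = []
    exts = extension_chain(att.filename)
    last = exts[-1] if exts else ""
    # 1. Archives hide the real file type from gateway scanners.
    if last in ARCHIVE_EXTENSIONS:
        reasons.append(f"archive extension .{last}")
    # 2. Executable or script types should not arrive by mail at all.
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{last}")
    # 3. Double extensions ('report.pdf.exe') rely on the final one being hidden.
    if len(exts) >= 2 and last in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension")
    # 4. Content check: the bytes say archive or PE even if the name does not.
    for magic, kind in ARCHIVE_MAGIC.items():
        if att.data.startswith(magic) and last not in ARCHIVE_EXTENSIONS:
            reasons.append(f"{kind} content with non-archive name")
    if att.data.startswith(MZ_MAGIC) and last not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE executable content with non-executable name")
    return reasons


def triage(attachments: list[Attachment]) -> dict[str, list[str]]:
    """Map each quarantined attachment name to its reasons; allowed ones are omitted."""
    return {a.filename: r for a in attachments if (r := classify(a))}


# Constructed sample messages: a disguised executable, a clean PDF, a plain
# archive, an archive renamed to .pdf, and a PE file with a neutral extension.
SAMPLE_ATTACHMENTS = [
    Attachment("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    Attachment("quarterly_report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    Attachment("photos.zip", b"PK\x03\x04\x14\x00\x00\x00"),
    Attachment("scan.pdf", b"PK\x03\x04\x14\x00\x00\x00"),
    Attachment("setup.dat", b"MZ\x90\x00\x03\x00\x00\x00"),
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_ATTACHMENTS).items():
        print(f"QUARANTINE {name}: {'; '.join(why)}")
```

Only the clean PDF passes; the other four are quarantined for distinct reasons, which is the point of checking both the name and the content: a rule that looked only at `.zip` would have let `scan.pdf` and `setup.dat` through.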
“Human error is often more dangerous than technical failures. Most of the breaches and attacks you hear about are successful because they are exploiting some kind of human error,” says Berglas, a former assistant special agent in charge of the FBI’s Cyber-Branch in New York.
From a technical standpoint, the attacks are due to a lack of patching, he explained. So why, if a patch was released in March for this particular exploit, were so many affected?
“It highlighted the fact that lots of organizations internationally are using outdated operating systems,” Berglas says.
Rather than reflexively blame IT personnel for slow patching, executives and directors should try to understand why the work was so delayed. “It seems like that would be a reasonable thing to ask,” he suggests. “What people don’t always understand is how complex and disruptive patching can be.”
MICROSOFT BLOG POST
The following are excerpts from a blog post, appearing on Microsoft’s webpage, by President and Chief Legal Officer Brad Smith.
This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.
Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber-security threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.
This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.
We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cyber-security attacks. More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us.
If you run a large environment, you are getting lots of updates for lots of different software, possibly across different operating systems. Patching may disrupt existing programs, not at all desirable if all programs are expected to run seamlessly.
There is also limited time available off hours to perform updates and restart, especially with 24/7 expectations of e-commerce, Websites, and data availability. “If you take your servers offline for an hour to install updates, you are losing all that business,” Berglas says.
When you are getting bombarded with updates, how do you prioritize them? A chief risk officer or chief information security officer can help IT prioritize which patches to install, or install first. There is also the need to understand data assets and how they are connected.
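The checklist item about a software update procedure that “calculates the risk and critical levels,” and the question above of how to prioritize when bombarded with updates, both come down to a scoring rule applied consistently to the patch queue. The following is an added example, not the article’s, K2 Intelligence’s or any vendor’s procedure, of one such rule: vendor severity is multiplied by the business tier of the asset (the “understand data assets” part), then adjusted for active exploitation, internet exposure, how long the patch has been outstanding, and how many hosts it touches. The weights, tiers, deadlines and the pending-patch list are all constructed for the demonstration; a real program would take them from the vulnerability scanner and the asset inventory.

```python
"""Rank pending patches by risk so the critical ones are installed first.
Added example; weights, SLA thresholds and sample queue are constructed."""
from __future__ import annotations
from dataclasses import dataclass

SEVERITY_SCORE = {"critical": 10, "high": 7, "medium": 4, "low": 1}
# Business criticality of the asset class the patch lands on, from the
# asset inventory (tier1 = revenue-critical, tier3 = lab/test).
ASSET_WEIGHT = {"tier1": 3.0, "tier2": 2.0, "tier3": 1.0}


@dataclass
class PendingPatch:
    patch_id: str          # constructed placeholder ids, not real advisories
    severity: str
    asset_tier: str
    internet_facing: bool
    exploited_in_wild: bool
    days_outstanding: int
    hosts_affected: int


def risk_score(p: PendingPatch) -> float:
    """Higher means patch sooner. Severity and asset tier multiply, so a
    critical bug on a tier-3 lab box does not automatically outrank a high
    on the internet-facing tier-1 estate."""
    score = SEVERITY_SCORE[p.severity] * ASSET_WEIGHT[p.asset_tier]
    if p.exploited_in_wild:
        score *= 2.0            # known active exploitation doubles urgency
    if p.internet_facing:
        score *= 1.5            # reachable without first breaching the perimeter
    # Staleness: every full week outstanding adds 10 percent, capped at double.
    score *= min(2.0, 1.0 + 0.1 * (p.days_outstanding // 7))
    # Blast radius: square-root bonus, capped, so a single host is not ignored
    # and a thousand hosts does not swamp everything else.
    score += 0.5 * min(p.hosts_affected, 20) ** 0.5
    return round(score, 2)


def sla_days(score: float) -> int:
    """Map a score to a deployment deadline in days (constructed policy)."""
    if score >= 40:
        return 3
    if score >= 20:
        return 14
    if score >= 10:
        return 30
    return 90


def prioritize(patches: list[PendingPatch]) -> list[tuple[str, float, int]]:
    """Return (patch_id, score, deadline_days) sorted most urgent first."""
    ranked = sorted(patches, key=risk_score, reverse=True)
    return [(p.patch_id, risk_score(p), sla_days(risk_score(p))) for p in ranked]


# Constructed sample queue for one maintenance window.
SAMPLE_QUEUE = [
    PendingPatch("P-OS-SMB",      "critical", "tier1", False, True,  60, 400),
    PendingPatch("P-WEB-TLS",     "high",     "tier1", True,  False, 10, 6),
    PendingPatch("P-LAB-BROWSER", "critical", "tier3", False, False, 3,  2),
    PendingPatch("P-HR-APP",      "medium",   "tier2", False, False, 30, 12),
    PendingPatch("P-PRINT-SRV",   "low",      "tier3", False, False, 100, 50),
]

if __name__ == "__main__":
    for patch_id, score, deadline in prioritize(SAMPLE_QUEUE):
        print(f"{patch_id:14} score={score:7.2f}  deploy within {deadline} days")
```

Two things in the output are worth noticing. The actively exploited operating-system patch that has sat for two months scores far above everything else and lands in the three-day bucket, which is the WannaCry lesson in one number. And the medium-severity fix on a tier-2 HR system outranks the critical-severity browser fix on a lab machine, because the score reflects where the data is rather than the vendor label alone.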
“Then it boils down to what the industry calls a layered approach,” Berglas says. “There is no one silver bullet that is going to save you from any of these attacks. The CEO, CRO, general counsel, and board of directors all need to work together to mandate internal employee training on phishing and social engineering, and how to protect both the business and your personal life from these types of attacks.”
“You start with [front-line employees] because it is the weakest link,” he adds. “They are operating on the end point, and that is what is going to give the bad guys access into the corporate environment. Using the layered approach, you want to make sure individuals inside the company are only granted the access privileges they need to do their job and no more.”
The recent attacks also offer an opportunity for internal training at the senior executive and middle management level.
“There should be tabletop exercises about what would happen within the organization if this occurs tomorrow,” Berglas says. “Dust off the incident response plan and business continuity plan to make sure they are integrated across all business lines.”
“It is a board-level decision on how long the business can operate at 10 or 20 percent capacity after an attack,” he adds. “Those decisions can only be made with a good continuity plan in place so you know who is in charge and understand the current environment and the risks you may undertake.”
Steven Minsky, CEO of LogicManager, an enterprise risk management provider, has a unique viewpoint on ransomware attacks: they illustrate a governance problem, not a technology problem.
“Breaches rarely occur because of insufficient technology; this is a governance problem,” he recently wrote for his company’s blog. “Many organizations react by conducting employee training. Training increases awareness but has proven ineffective at changing behavior.”
Reducing the risk of cyber-attack is no different from reducing any risk, Minsky says. It begins with identification.
“Two other important parts of the equation are access rights and asset management,” he says. “Do all employees have access to only the applications they need to perform their roles effectively? Are all assets that contain sensitive information documented and included in your company’s password policy?”
Minsky sees no need to reflexively blame IT personnel for an attack. “IT is a centralized silo,” he says. “Let’s not beat them up because … they don’t actually understand the assets. They just see servers. They don’t actually see the data on those servers. It is the profit centers that know what data centers are important and which are not.”
“This,” he says, “is the gap that enterprise risk management and good governance solves.”
All of this brings Minsky back to the benefits of risk management.
“Risk management is not only about identifying problems, it is about how you prioritize the fix,” he says. “It is not about saying, ‘Oh gosh, I already have 10 top risks I’m working on. I don’t have time to add an 11th.’ ”
Take the existing risks, he says. Break them down and prioritize them in an objective fashion. Cut the work down to the most important pieces and let risk management reduce both the workload and cyber-security IT expenses.
Expensive bells and whistles, in the form of specialized cyber-technology, are often used by companies as a knee-jerk response, Minsky suggests.
“Those organizations are just getting more stuff to add to poor governance,” he says. “What they need to be doing is focusing risk management efforts on the existing business continuity plan, on the existing procedures, and actually putting some risk weighting into them, so they know what to prioritize and they get the important stuff done first. Not everything gets done, but the most important stuff does.”