On 12 May there was a cyber attack on a global scale, based on malware that combined file encryption and extortion (ransomware) with self-propagation (worm). The ransomware component is called WannaCry, and the propagation component is based on an exploit developed by the NSA, a US security agency, called EternalBlue, which fell into the hands of criminals. The attack unfolded simultaneously around the world and affected hundreds of thousands of computers in more than 100 countries.
The malware exploits vulnerabilities in the Windows operating system to infect other vulnerable computers on the same local network as the machines that were originally infected, spreading at high speed and on a massive scale. The vulnerability that this version of WannaCry exploits lies in the file sharing (SMB) subsystem, and it had already been announced and corrected by Microsoft itself on 14 March 2017, which shows that many institutions around the world do not update their systems often enough.
Generally, the impact of this malware, or of similar ones, can be attributed to several causes:
1. Problems with the awareness/training of employees in the business sector. Workers clicking on attachments of "suspicious" emails is often how malware enters an institution. In this specific case, that entry route can almost certainly be dismissed;
2. The speed at which companies apply patches or fixes from Microsoft or other software vendors. A slow response in applying these patches leaves a company unprotected. In this specific instance, it is undeniable that this was the root cause of the problem in all the affected institutions;
3. Companies' ability to detect that they are under attack. The panic caused by the unknown, and the lack of visibility into what is going on in the network and in the world at large, leads institutions to take exaggerated measures, with an impact on the brand and the business. In this specific case, many institutions ordered their workers to switch off their PCs and cut Internet access throughout the organisation.
Considering the above, several practices should be in place to avoid infection by malware like WannaCry: the latest operating system updates should be applied promptly; alerts and the various internal indicators on the institution's networks should be monitored constantly, together with what the community reports about other organisations; and threats and their risk-mitigation actions should be reviewed continuously.
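One concrete "internal indicator" of the worm behaviour described above is a single host opening SMB connections to many different peers in a short time; a workstation normally talks to a handful of file servers, not to a dozen neighbours within seconds. The script below, added here as an illustration and not S21sec's own tooling, runs that check over constructed connection records. The port number (TCP/445 for Windows file sharing) is a fact the article does not state, and the log format, the 60-second window and the threshold of 10 distinct destinations are assumptions chosen for the example.

```python
"""Flag hosts that fan out SMB (TCP/445) connections to many peers in a short
window, the network signature of a worm propagating across a local segment.
Added example, not code from the article. Log format, window and threshold are
illustrative assumptions; TCP/445 as the SMB port is a fact not stated on the page."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed sample records (not real logs): "<ISO timestamp> <src IP> <dst IP> <dst port>".
# 10.0.1.15 sweeps twelve neighbours on 445 in twelve seconds; 10.0.1.40 and
# 10.0.1.41 only talk to one or two file servers; one record is deliberately malformed.
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.1.15 10.0.1.2 445
2017-05-12T10:00:01 10.0.1.15 10.0.1.3 445
2017-05-12T10:00:02 10.0.1.15 10.0.1.4 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.5 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.6 445
2017-05-12T10:00:05 10.0.1.40 10.0.1.5 445
2017-05-12T10:00:05 10.0.1.15 10.0.1.7 445
2017-05-12T10:00:06 10.0.1.15 10.0.1.8 445
2017-05-12T10:00:07 10.0.1.15 10.0.1.9 445
2017-05-12T10:00:08 10.0.1.15 10.0.1.10 445
2017-05-12T10:00:09 10.0.1.15 10.0.1.11 445
2017-05-12T10:00:09 10.0.1.40 93.184.216.34 443
2017-05-12T10:00:10 10.0.1.15 10.0.1.12 445
2017-05-12T10:00:11 10.0.1.15 10.0.1.13 445
2017-05-12T10:01:30 10.0.1.41 10.0.1.5 445
2017-05-12T10:01:31 10.0.1.41 10.0.1.6 445
this line is garbled and must be skipped
2017-05-12T10:03:10 10.0.1.40 10.0.1.5 445
2017-05-12T10:07:42 10.0.1.40 10.0.1.5 445
"""


def parse_line(line):
    """Parse one record into (timestamp, src, dst, dport); None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak distinct destination count} for every source that reached
    at least `threshold` distinct hosts on TCP/445 inside some `window`-long interval.
    Repeated connections to the same server count once, so a busy but normal
    client is not flagged."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == SMB_PORT:
            ts, src, dst, _ = rec
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()                       # sliding window over time-ordered events
        in_window = Counter()               # dst -> number of events inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events that fell out of the window ending at `ts`.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, peers in find_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {host} contacted {peers} distinct hosts on TCP/{SMB_PORT} within 60s")
```

Tune the window and threshold to the segment being watched: on a flat /24 a worm of this kind will hit dozens of peers per minute, while a backup or inventory host may legitimately touch many machines and needs an allow-list rather than a higher global threshold. The same logic applies unchanged to NetFlow or firewall exports once `parse_line` is adapted to their field layout.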
These practices depend on building an 'intelligence' structure in the institutions, where decision making depends on collecting, processing and analysing information from various sources, both internal and external. I believe that the pressure caused by security incidents, due to the inability to respond quickly, will force companies to provision proper means and resources. Likewise, institutions that have Strategic Intelligence or Competitive Intelligence teams will also start to have Cyber Threat Intelligence teams (or outsource them).
VP of Strategic Marketing at S21sec