Spring is a time of rebirth, but for cybersecurity last year, it delivered a crippling blow that continues to have serious ramifications. Thanks to a couple of computer exploits stolen from the U.S. government, the WannaCry cyberattack in May affected hundreds of thousands of computers worldwide and caused estimated collateral damage of up to $4 billion.
It’s very likely that more nation-state and military-grade capabilities and exploits will be stolen, exposed, and released, especially as the cost of cybercrime continues to drop, and the skills necessary to carry out these crimes are easily rented on the Dark Web.
WannaCry, NotPetya, and other blockbuster cyberattacks have spread beyond the usual targets of businesses or governmental organizations to victims who are presumably tangential to attackers’ primary goals. More than ever before, these attacks are impacting consumers. And their rapid spread, scale, and breadth herald a future where this is the new norm.
This should be a wake-up call for all organizations and the security teams that defend them: They need to find better ways to secure their systems and, by extension, consumers. They need to stay informed, expand their thinking and testing, and act quickly to direct their defenses before the next news headline targets them and those they aim to protect.
Historically, organizations perceived themselves as safer from certain types of attacks, and they adhered to a schedule of patching and updates released by their vendors. When planning to tackle security problems, they focused on prioritizing the myriad risks they face. This meant identifying, exploiting, and patching vulnerabilities, most often through penetration testing or red teaming.
The current paradigm shift in cyberattacks should prompt organizations to think differently about vulnerability assessment. And the first step is recognizing that today, we are all in this together. No one is safe, and reactions to threats must be swift.
Consumers are not wholly off the hook, of course, but organizations—from companies to government agencies—bear the most responsibility here.
Look at the Mirai campaign, which hijacked hundreds of thousands of consumer home devices such as Wi-Fi routers and video cameras. They were vulnerable because there were more than 60 device types that had default usernames and passwords. You could blame consumers for not updating the credentials themselves, but it’s very easy for manufacturers to provide device-unique credentials. And in some cases, consumers aren’t given an option to update them.
The best solution for consumers is, whenever possible, to personalize log-in information, check for and apply patches regularly, and ensure that devices are behind a personal firewall, which can prevent simple, scripted fingerprinting. But ultimately, organizations should be held accountable for the security of the products and services they sell and support.
The “just patch your systems” advice—commonly doled out to consumers and businesses alike—is easy to say but hard to follow for large, complex organizations that have numerous variables and configurations to validate before rolling out a significant change. System administrators are generally willing to roll some security dice before taking their systems offline. And critical-infrastructure systems such as power plants, and water and sewage treatment facilities, are designed to operate for years with near-zero downtime. They may not even be patchable.
Fortunately, information about new leaks becomes democratized “buzz,” commonly and quickly available. There is value in such pre-emptive knowledge; directed defensive measures can be launched before new threats are used.
Organizations, for example, can immediately factor new exploits into ongoing penetration-testing activities to understand how they affect their IT infrastructure—and ultimately the consumers they serve. They can expand their red-team playbook activities to include brainstorming sessions on out-of-the-box scenarios and responses to new threats. And importantly, they can keep corporate leadership in the loop.
There are hard costs to assessment programs, and each organization must determine the appropriate trade-offs between the risks and costs it is willing to tolerate. Penetration-testing costs generally start at $20,000, and red teams start at $50,000 for basic services. They scale up from there.
Proactively engaging an organization’s leadership will help secure resource investment proportional to the threat. That’s more than just cash: Organizations need to invest in becoming more aware of newly leaked threats and exploits, and in improving their ability to quickly test exposure and quickly respond.
But first, they must acknowledge that they are not safe.