2017-08-14

Three security experts share their thoughts on what the WannaCry ransomware attack taught us about the industry.

Raj Samani, Chief Scientist and McAfee Fellow, McAfee

Raj Samani is a computer security expert who has assisted multiple law enforcement agencies in cybercrime cases, and is special advisor to the European Cybercrime Centre (EC3). He has been recognized for his contribution to the computer security industry through numerous awards.

I saw a lot of the coverage related to the impact of WannaCry, particularly within the health sector. It resonated about the significance of the work that we as an industry do. I don’t want to sound melodramatic here, but the role that we have in safeguarding society should now be apparent by more than just us. As an industry, we have been warning about the escalation in ransomware attacks and the migration from consumers to targeting businesses. Likewise, the warnings about IoT fell on deaf ears until Mirai made an appearance (although you can argue whether or not any changes actually occurred). The role we play as an industry has to be more than just simply warning about the vulnerabilities within the systems society is placing an increasing reliance on, and then sacrificing sleep to respond to the threats when they are realized.

The industry came together and we saw a degree of collaboration that was unprecedented. Some of this was very visible with TweetDeck becoming a management console to collate intelligence from a variety of sources. In addition to the collaboration, we saw rapid responses from the industry to define the threat, update security products and educate impacted and concerned organizations within hours of the first reports for WannaCry.

In terms of better prevention, detection and remediation, my advice would be not to accept the risk. Lack of cyber-hygiene has been cited as the reason that the propagation for WannaCry was so successful. This, of course, resulted in an angry response from individuals arguing that it’s not as simple as just applying a patch! The reality is that many organizations simply cannot apply security patches immediately, so rather than just accepting this risk, considering alternate controls could be an option. I would suggest the biggest lesson that security practitioners should take from WannaCry is to identify the appropriate sources for information.
Information security professionals need to take to their boards the message that IT risk is a business risk. Boards must recognize that the reliance on digital systems is almost complete, and the myth that we can simply revert to manual operations when these systems are unavailable must now be quashed. To conclude, the CISO/security team are an integral part of your business.

Robert Holmes, VP Products, Proofpoint

With over 15 years’ experience in brand and fraud protection, Robert currently drives the strategy at Proofpoint. Robert joined from Return Path, where he served as senior vice-president and general manager for email fraud protection. He has an MA (Hons) degree in Philosophy, Politics & Economics from the University of Oxford, England.

On Friday May 12, organizations around the world found that their critical IT infrastructure had been compromised in the global WannaCry ransomware attack. Hospitals, factories, railways, telecoms, electricity providers, petrol stations, shopping malls, banks, governments, police – the list of affected organizations offers a sobering insight into today’s cyber-vulnerabilities. However, it is worth considering some of the positives that came out of the WannaCry attack.

First, the message to companies not to pay ransoms clearly is getting through, which is great news as we strive to starve cyber-criminals of funding. Only $89,679 of ransoms were paid to the cyber-criminals behind WannaCry (Bitcoin payments converted at the USD:BTC exchange rate on the day of payment). Some analysts reported ransoms of $150,000 but those are inflated as they didn’t consider the fact that 80% of ransoms were paid on or before May 16. Since then, the value of Bitcoin relative to the US dollar has increased by 72%.

Second, it has become clear that many of the 300,000 estimated infected computers had sufficient redundancy and recovery programs to withstand the attack. The fact that 99.9% of infected computers didn’t pay the ransom (less than 250 actual ransoms were paid) means that either those computers weren’t critical, or what was on them was covered by back-up computers or processes. The National Health Service (or, more accurately, the funding thereof) also came under fire and while we clearly need to better manage the risk that cybercrime poses to critical infrastructure, we should also take some positives from the experience. Not only were critical A&E services unaffected, but normal services were restored within three days. Given the enormity and complexity of the NHS, that is a phenomenal effort. I am confident that, were the NHS to be hit with a similar attack, the lessons learned from WannaCry would see a dramatic improvement in the three-day restoration lag.
Finally, it has been incredibly encouraging to witness the speed with which the cybersecurity community reacted: within just hours of the initial infection, researchers from across many different security companies had collaborated to sample, sandbox, understand and neutralize the threat. Microsoft also took the extraordinary and, in my view, laudable step of issuing a patch for XP within days of WannaCry breaking. There will be more sophisticated attacks in the future with less obvious kill switches, but it’s encouraging to know that this community is alert and ready to swarm. If we are ever to truly solve cybercrime, the whole of society needs to develop a heightened awareness of its presence and potential impact.

Brian Honan, CEO and Principal Consultant, BH Consulting

Brian Honan is one of Ireland’s foremost experts in cybersecurity. Brian has advised various government security agencies, including ENISA, the European Commission and Europol’s CyberCrime Centre (EC3). Brian also established Irisscon, the annual Irish cybercrime conference.