When NotPetya, Petya, Ryuk, SamSam, WannaCry, CryptoLocker, TeslaCrypt, among many other variants of ransomware, are so frequently addressed in popular media and covered on shows like 60 Minutes, you know we’ve got problems. Ransomware is not only in the spotlight of popular media, it also has the attention of executive stakeholders in organizations. This presents an interesting opportunity for CISOs.
Recently publicized cases such as those of the cities of Atlanta, Baltimore, and Albany – let alone a number of other incidents across municipalities in Florida – along with the frequently cited and historic examples of Hollywood Presbyterian and Maersk, suggest that ransomware is a symptom of a larger issue. Too much of our infrastructure is vulnerable to ransomware and other cyber attacks. The “standard” of “reasonable security” is clearly not being met.
Without getting into the technical details of how ransomware works, it’s important to note that these attacks exploit vulnerable IT infrastructure and many of the protocols used in common applications and operating systems. In many ways, the current challenges with ransomware are analogous to broader concerns with infrastructure across the country. When systems are not maintained correctly, they become vulnerable and prone to failure. We see this in our nation’s critical infrastructure, including notable examples such as the 2007 bridge collapse in downtown Minneapolis that took the lives of 13 people and injured over 100. My prayers are with those families.
More than ten years after this tragic incident, much of our country’s critical infrastructure remains brittle and will continue to fail, resulting in injury and the potential loss of life. The risks created by ransomware can have similar impacts. As more operational technology (OT) gets connected to traditional information technology (IT) networks, system failures will impact the physical world. This is happening now with connected devices and the growth of IoT. My fear is that the consequences of security failures will result in the loss of life. This is a game changer.
Imagine a ransomware attack that locks the controls of autonomous vehicles or blocks access to medical devices. The scenarios are many and the consequences are real. Media coverage to date has focused on financial costs, including ransom payments and/or the direct and indirect costs of remediation following an incident. Think of the media coverage when there’s attribution that a poorly configured device or application resulted in physical harm or death. Our world will change, and quickly. The disclaimers of warranty and limitations of liability that are associated with so many of the products we use will likely not survive the resulting class action lawsuits. The stakes of IT infrastructure administration and of application and product design have never been higher, but, as with our nation’s physical infrastructure, there is significant technical debt (effectively an unfunded liability) that needs immediate attention.
Clearly, ransomware is a real and present danger to organizations of all sizes and in all sectors of our economy. So too are the numerous other security risks faced by our organizations. Many of us who serve as CISOs recognize that there will never be perfect security and we have to assume that our organizations will continuously confront security incidents. Our objectives are to quickly detect and mitigate these risks and to make our organizations more resilient (the ability to withstand security and other incidents and keep risks within agreed-to parameters). In this context, the topic of ransomware offers us a great opportunity to pause and evaluate just how prepared our organizations are to confront these exposures. Incident response planning has never been more important.
I would like to change how we think about ransomware. The current media attention on recent cases offers us an opportunity to evaluate the resiliency of our IT infrastructure and the efficacy of our security programs. We all recognize that we need to maintain our systems, harden our configurations, and patch more promptly (effectively, security hygiene). This is what we’re paid to do. Too frequently, however, our requests for resources to help secure our infrastructure and make it more resilient are not adequately contextualized to organizational priorities. Bluntly, non-IT and non-security stakeholders don’t fully understand the enterprise risks of not doing the basics well and not funding the resources required to make the organization more secure and resilient. The result: technical debt accumulates. Similar to our nation’s infrastructure, much of the enterprise IT infrastructure we are expected to manage and secure is fragile…subject to exploits and breaches. Too frequently, executives don’t understand these risks and cannot adequately link cyber risk to impacts on organizational strategy and goals. As CISOs, we’ve failed these stakeholders by not conveying security risks in terms they can understand.
When security incidents affect the bottom line, expose the organization to legal and regulatory demands, negatively impact operations, and damage an organization’s reputation, executive management and the board will take notice. Frequently, given media attention, CISOs are asked “Are we secure?” The question would be better posed as “How resilient are we?” That’s a question a CISO would love to explore with executive management and the board. The current attention created by highly publicized ransomware incidents should serve as the impetus for stakeholder discussions on organizational resiliency. CISOs and CIOs need to ensure that these discussions are not laden with technical jargon and “the sky is falling” scenarios. We need to explain the benefits of resiliency and preparedness in terms that other members of the C-suite can relate to and, importantly, contextualize them and link them directly to their organizational priorities.
The good news is that our ability to make our organizations more secure and resilient has never been better. We’re seeing advancements in security orchestration, automation and response (SOAR) technologies, as well as innovative approaches to security visualization and analytics that surface security issues and poorly configured environments in a more intuitive and near-real-time manner. That’s empowering. Similarly, improvements in enterprise backup and storage systems mitigate risks to data. Our security toolbox has also improved and covers the proverbial full stack of infrastructure, ranging from code development to in-production applications. Cases in point include a number of preventative and detective capabilities, ranging from enhanced endpoint protection, network detection and response (NDR), endpoint detection and response (EDR), web application security, network segmentation, identity and credential management capabilities, network access control (NAC), and deception technologies, to security awareness training – including many popular tools that phish end users to raise awareness. CISOs have never had such a suite of capabilities before. Obviously, these capabilities require access to trained personnel and the budget to leverage these tools.
CISOs today have reason to be cautiously optimistic…we have board and executive attention on our security programs and access to tools and capabilities that are more effective than ever. We still have to deal with the skills shortage our profession faces but our knowledge of adversarial behavior has improved notably thanks to MITRE’s ATT&CK framework and insights on the tactics, techniques, and procedures (TTPs) of those trying to harm our organizations. CISOs should exploit – pun intended – media attention on ransomware to have more open and direct conversations with their colleagues in the C-suite and the board and use this opportunity to drive a business-aligned resiliency agenda. If the topic of resiliency is not on your next meeting agenda with fellow executives, it’s time to add it now. Make resiliency a standing agenda item and ensure that incident response preparedness includes not only the IT and security teams, but stakeholders throughout the organization.