The WannaCry ransomware attack provided a rude awakening for many organisations that were unprepared for the outbreak and fallout. Organisations must now ask themselves the same question, regardless of whether they were affected by WannaCry or not: How can we protect ourselves from similar attacks in future?
Ransomware hit the headlines recently when the ‘WannaCry’ attack struck, reaching more than 200,000 computers in 150 countries in a matter of days. Ransomware is cited as one of the fastest-growing security risks, with reported infections up 50% over the past year, according to the 2017 Verizon Data Breach Investigations Report.
With indicators suggesting increased levels and sophistication of attacks, Council Journal spoke with founder of IT security firm ISAS (Information Security Assurance Services), Conor Flynn, who has over 25 years’ experience providing information security advice to a wide range of public and private sector organisations.
Although it hit the headlines recently, ransomware has actually been around for quite some time. As Conor explains, “as a concept Ransomware has evolved over the past number of years and it does exactly what it says on the tin. The word ‘ransom’ is to take something you covet and to keep it from you until you pay up, or give something over to get it back. We’ve had the kidnap and ransom throughout the ages of history and that is effectively what the Malware and Ransomware authors are doing in this case.”
The ransomware author’s plot is to get a piece of software onto your computer, through some action you take, that will encrypt or change your important files, making them inaccessible to you so you can’t use them any more.
How does this happen? As Conor explains, “it is usually done through what we call social engineering. It is getting somebody to do something they wouldn’t normally do. You might get an email saying it’s a refund from the Revenue Commissioners or something about your Apple account.
It’s very well put together, the graphics and language usually look right and it is looking for you to click on something so there is a call to action in the email. It’s either a link or an attachment, you open it and it starts to run in the background but you don’t notice anything.”
This, however, is not the only avenue through which perpetrators target unwitting users online. “You can also have the situation where you can have what we call ‘drive-by hacking’ or ‘watering holes’. You can visit what looks like a perfectly legitimate website but that website has been hacked and in the background when you visit it, it is downloading the malicious software onto your machine and again kicking off the ransomware.”
At its core, constant vigilance is required to prevent such attacks being successful. Security has to be about more than just locking down an environment or restricting access: a mix of constant patching, strong anti-virus software and strong user awareness is needed. The latter matters most of all, through educating users to recognise when somebody is trying to get them to do something they wouldn’t normally do.
For Conor, user awareness is key. As he outlines, “we can invest all the money in technology that we want but users are one of the most important parts of this battle because they are the people who will click on the link, open the attachment or visit the site that kicks off this process.”
Beyond changing the mindset of users, organisations need to be focused on securing the business and keeping it going: minimising the risk of outages, or loss of data. “Cyber security is not just about keeping the attacks out, with exploits getting better and more money to be made, it is going to be harder and harder to keep them out, so it is about an organisation’s ability to deal with the incident when it has occurred,” he explains.
This means understanding the impact of being unable to access important information, and knowing how quickly you can get from a ‘down’ state back to fully operational. How many organisations have an incident response process that comfortably dealt with this type of scenario?
Much like running a fire drill, Conor believes that whatever your recovery mechanism is, it is important that you have exercised it and proven that you’re resilient when an incident occurs. It is vital to have “a strong incident response plan in place to avoid ‘headless chicken syndrome’. It’s about making hard and informed decisions, early and having a plan to follow so you do no more damage.”
Conor feels the recent WannaCry attack was a good thing for the cyber industry in many respects, putting it front and centre of the mainstream media. It has been extremely effective in raising people’s awareness that this kind of thing goes on.
He is insistent that “people shouldn’t become complacent with what happened with WannaCry. We actually had very low penetration in Ireland, because of the way it kicked off in the UK and the way it spread, meant that there probably wasn’t that many people impacted. Because of that, I sometimes perceive there is a false sense of security creeping in. This is about constant vigilance and maintaining defences at all times in the future.”
The scale, sophistication and frequency of these attacks are unrelenting. From what Conor sees on a day-to-day basis, these “attacks are continuous, and the successes are virtually continuous. In the public sector every couple of weeks I’m hearing about another public body that has had a successful infiltration by a piece of ransomware. Now the effect might be limited and isolated, but it has got in past the perimeter and that is happening every couple of weeks.”
Elaborating further, he says “if we look at 2015 and 2016, the number of public sector bodies who were significantly impacted by this was huge. We’re certainly talking in double digit percentages and that’s a massive cost. It is cost in terms of lost productivity, impact of cleanup, extra resources to prevent a recurrence or there may have been a significant data loss.”
In all likelihood, the situation is only going to get worse, particularly because of the leak of NSA-based ‘hacking tools’. Because they have been leaked and are freely available on the internet, hackers don’t have to be geniuses or have huge research capability; they can just rehash and reuse what has already been developed by the NSA for espionage and spying to create ‘weaponised malware’.
As such, constant vigilance and maintaining defences will be required at all times in the future.