WannaCry as the Regulatory Brown M&M

Risk Advisory
Written By Alex Muentz

If you were under a rock for the last few weeks, WannaCry is one of those cyber-security events that made it into regular news. If it hits NPR, that means everyone who knows me or at least strikes up a conversation at the bar will ask me my opinion.  
  
And my answers are the same as a hundred other security people who have already spoken up: Patch your boxes and do effective backups.   
  
Eat your Vegetables  
  
Backups and patch management is the cyber-security equivalent of "exercise regularly and eat a balanced diet" These don't make for sexy sales pitches for blinky boxes. The problem with cutting corners on boring fundamentals is that you aren't called on the debt immediately.  
WannaCry was a marker call for everyone who was gambling with patch management or backups. If you failed on one, you were in for some work but outsiders might not know. If you failed on both, you fell over visibly. You turned away customers or patients. You went dark while your operations team pulled all nighters. Eventually you brought it back, but you have to admit that you were a casualty. 
What's the long-term aftermath? 
I think we're going to see more ransomware. It's also going to be important for other reasons. Of interest to me, I think this will be the brown M&M that regulators and vendor assessment groups use to quickly determine the effectiveness of a company's security program.  

The Brown M&M

In the 1980's, the hard rock band Van Halen designed massive stage shows that required serious infrastructure at the concert venue. Their contract riders described the technical requirements required to support the lighting and stage. To ensure that someone actually read the document, the contract would require that a bowl of M&Ms was in the dressing room, with all the brown candies removed. If the candy dish contained brown M&Ms, there was a good chance that some pertinent detail was missing in the venue and it was time to inspect the setup.
This may seem unfair- after all, malware that encrypts volumes doesn't exfiltrate data. It's not a breach.
However, if I'm acting as an assessor or regulator, that event tells me you aren't doing the fundamentals here. Perhaps you're being sloppy elsewhere- maybe Test and Prod are the same environment. You may not be encrypting sensitive data on mobile devices. Core infrastructure could be fragile and creaky.  

So, I'll say it again. Patch your systems, do backups right so customers and regulators don't think you're a bigger risk than your competition.

Alex Muentz
Previous

Temporary Workarounds Shouldn’t Last Longer Than Permanent Solutions
Next

Roll for Initiative