This feature first appeared in the Summer 2017 issue of Certification Magazine. Click here to get your own print or digital copy.
Earlier this summer on Friday, May 12, the media began reporting that a massive cyberattack was spreading across the globe. Within hours, computer systems in Asia and Australia were infected, followed quickly by cyberattacks in North and South America, Europe, and parts of Africa.
The fast-spreading outbreak was a massive and unprecedented worldwide attack that involved more than 150 countries and infected nearly 250,000 computers. The attack was carried out by as yet unidentified hackers using a ransomware network worm known as WannaCry.
Those with a vested interest in cybersecurity recognize that ransomware attacks are not new and have been with us for many years. Ransomware attacks using CryptoLocker and newer variants such as CryptoLockerF, TorrentLocker, and CryptoWall have netted hackers millions of dollars in ransom money over the years.
In such attacks the modus operandi is usually the same — a computer user opens a fraudulent piece of e-mail which contains a "virus," then the payload opens and encrypts the data on the computer. A message is then displayed on the computer screen announcing that the system has been "locked" and all data will be destroyed unless a ransom is paid, usually in bitcoins.
In the particular case of the WannaCry attack, the hackers utilized a vulnerability (EternalBlue) believed to have been developed by the U.S. National Security Agency (NSA) as an entry vehicle for ransomware.
Exploiting a known weakness
Perhaps the most frustrating element of the WannaCry attack is that the vulnerability that hackers exploited was known and a patch had been issued by Microsoft earlier this year. Unfortunately, the systems that were breached by the attack did not have their cyber defenses upgraded to mitigate this known vulnerability.
This is a prime example of one of the main concerns with cybersecurity: complacency and/or ignorance on the part of both users and those tasked with defending the digital systems of organizations. Time and again we hear of digital systems that have been hacked, and time and again we learn that the message has gone out to secure your systems.
Yet still no one seems to take such threats seriously. We need look no further for ample evidence of that than the hundreds of thousands of computers that were breached by WannaCry.
Since we certainly ought to be concerned with the security of our networks, how then do we begin to get people and organizations to take cybersecurity seriously? The answers lie in training, education, and creating a cybersecurity culture that embraces security.
Effective training and education
Individuals who often come up in the ranks of IT departments are skilled, but they often lack knowledge. Training equates to giving people the knowledge to accomplish a task. Those individuals who are tasked with the defense of our digital systems often receive that training in the form of certifications.
Effective cybersecurity training may come in the form of such well known certifications as:
- Certified Information Systems Security Professional (CISSP)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- Citrix Certified Professional (CCP)
- Microsoft Certified Solutions Expert (MCSE)
- Cisco Certified Networking Professional (CCNP) - Security
When properly applied, the knowledge gained through certification can greatly assist in the security of a system or network, provided that individuals responsible for protecting those systems and networks do not become complacent in their duties.
Educators and educational institutions can take effective training a step further by providing a broad-based education of Science, Technology, Engineering, Arts and Mathematics (STEAM). This education not only provides individuals with the technological background that training provides, but invests in them the knowledge base to think outside the box and anticipate the innovate inroads that clever hackers might seek to breach a system.
A culture of alertness
While training and education are a valuable piece of the security puzzle, creating a cybersecurity culture is by far the best defense for securing any digital system. Culture change gets the members of an organization, the people whose personal and work equipment more or less constitutes the front lines, heavily invested in the security concept.
This is vital because the primary reason for the failure of cybersecurity, put simply, is people. Our digital systems are operated by people, and the presence of a human element means that mistakes will be made. By some estimates, the root cause of cyber breaches is attributable to human interaction in more than 90 percent of all such incidents.
By creating a culture that embraces cybersecurity, any organization can dramatically increase its resistance to attack. A truly effective cybersecurity culture convinces the members of an organization to live and breathe security, to question each e-mail, to self-monitor, to be cyber-aware, to police themselves, as well as their peers, at all times.
The 10 Commandments of Cybersecurity
Regardless of training, education, and culture, there are always fundamentals that any user of any digital systems should abide by. They may vary in importance or implementation due to such factors as an individual's position within his or her organization. Everyone from top executives to temps, however, should religiously follow these fundamentals:
1. Install and routinely update antivirus software and firewalls. Patch, patch, patch. The lack of updating existing systems was the prime factor in the success of the WannaCry attack.
2. Remove default access settings and replace them with strong pass words and settings. At the very least use the 8/4 rule: Passwords should be at least eight characters long, and include the following four types of characters: uppercase letters, lowercase letters, numbers, and symbols. Also, change passwords often.
3. Routinely back up important files, especially your "crown jewels." Should you become the victim of a ransomware attack, having a recent backup means you are at least somewhat protected.
4. Control access to your data. Not everyone needs the same level of access, so use the least privilege rule: Users, programs and processes should only be able to access information and resources directly necessary for their legitimate (organizationally approved, or otherwise appropriate) purposes.
5. When opening e-mails, use a questioning attitude. Phishing and spear phishing e-mails can strike any level of an organization and top executives are not immune.
6. Beware of Social Engineering and question any suspicious request via telephone or other media that asks for passwords or access to information. Hackers and Social Engineers are extremely clever in coercing employees into innocently conveying or revealing information that shouldn't be shared.
7. Practice internet safety. It is now commonplace for employees to access the internet at work. Make sure the websites you visit are secure, and avoid clicking on links that are suspicious in any way.
8. Check employee mobile devices at the door. This may seem tyrannical, or despotic, but it makes little sense to fortify your system defenses against outside attacks, and then allow infected mobile devices to attack from the inside. At the very least, access to organizational resources by personal devices should be monitored and password-protected.
9. Use caution when using public wi-fi. That innocent wi-fi site you are thinking of accessing may not be all that innocent. Also, if a network provides open access to anyone within the reach of its signal, then you aren't the only one able to connect.
10. Limit what you share in social media and on your organization's website. Hackers constantly troll social media sites for information they can file away for future use or to leverage upwards. Share as little as possible in your personal profiles and on your company's website.
We're all in this together
As recent headlines have shown us — and will certainly continue to show us — it is very difficult to secure a digital system from those with malicious intent. High-profile banks, movie studios, major retailers, government agencies, and even the White House has been hacked by bad actors.
All indications lead to the uncomfortable fact that the intensity and sophistication of cyberattacks like WannaCry will increase into the foreseeable future. To forestall cyberattacks, the users and defenders of our cyber systems must coordinate their efforts at securing their systems.
This coordination must include certifications, education, and a determined effort on the part of all members of an organization, from top to bottom, to embrace a corporate culture that is self-monitoring and strives for nothing less than perfection in its cybersecurity. Somewhere in the future a magic bullet may be developed to secure our systems. Until that happens, however, the watchword is: awareness.