Humans and Technology to Blame for the WannaCry Ransomware Attack
Mr Barnaby Grosvenor, Director of Cybersecurity at Jardine OneSolution
We humans and security technology both played a part in the recent WannaCry ransomware incident. Removing the human factor, the logic or emotion that compelled someone to click on that well-crafted, socially-engineered email, would have rendered us all safe today. Could it all have been avoided if someone had not clicked on that doomed email link or attachment, or if our security vendors had identified and blocked the attack before it hit us?
Who’s to blame here? Humans or security technology? The answer is both.
Human Vs. Technology
Perhaps you can train users to stop, think and analyse emails, but there will always be that one email that gets through. Companies can buy the latest security technologies today, but tomorrow, a new vulnerability might surface and penetrate what you thought was your iron-clad defence. This cycle repeats itself daily – new threats surface, new lines of defence are put up, only to be taken down by another threat tomorrow.
The WannaCry ransomware indeed awakened the sleepy IT town, especially those parts of it that were still running Operating System (OS) technology and protocols from almost a decade ago. No amount of security or well-trained users was able to stop the house of cards from crashing down.
So, why don’t we just ensure that all IT systems are up-to-date with the latest patches? In my 20 years of experience, I’ve yet to come across a company that can do that! What’s more, a high percentage of vulnerabilities will only be revealed years from today. The same principle applies to Anti-Virus, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Firewalls, Routers and other security technology. At best, you are protected against a very small percentage of known malware attacks.
It’s Also About the Budget
Sadly, IT budgets for security and system upgrades continue to compete with the Christmas party budget. Business owners struggle to understand the real risk vis-à-vis their risk appetite, largely due to existing miscommunications between the IT teams and the Board of Directors who think their risk appetite is being met by the level of IT security controls.
The Local Story
Here in Singapore, hackers attacked our universities because they provide a major source of R&D data, and therefore are very lucrative for sophisticated cyber-criminals or sponsored hackers. Worthy of note, our recent research shows that universities are amongst the most targeted of organisations when it comes to phishing email attacks.
In the case of most private and public networks, once the cyber-criminal is in the network, they have a very high probability of successfully jumping from one PC or server to the next. So once the hackers are in, they really do go unnoticed whilst sniffing out the low-hanging fruit.
I believe that the incentives and payoffs were completely different for the WannaCry incident and the NUS-NTU hack. WannaCry has so far made a mere $50,000, but a juicy piece of university research can be worth millions. The types of hackers were also different. The WannaCry developers were careless, evil and greedy with no conscience. They stopped hospitals and schools from operating. The NTU and NUS hackers were more sophisticated and patient as they only caused limited disruption.
Both incidents, however, have the same lesson to be learnt – we must all do our part by becoming more cyber aware.
No Silver Bullet
Unfortunately, as with most problems in life, there is no panacea or silver bullet for preventing a repeat of the WannaCry fiasco. Security vendors are still struggling to catch up with the hackers, and this story will continue for many more years.
There is simply a need to balance risk with a bit more awareness where it matters – all we can do is continue to seek out new technology, educate our staff to be more aware of such threats and have our response plans running smoothly.