Bryce Austin, CEO at Minneapolis-based IT consulting company TCE Strategy, spent most of last weekend frantically calling his clients to let them know that Microsoft had released emergency security patches for older operating systems like Windows XP, Windows 8 and Windows Server 2003.
"I told my clients, 'You need to install this patch right now ... this cannot wait,'" Austin said.
By then, the WannaCryptor -- aka WannaCry ransomware worm or WCry -- which hit last Friday, was wreaking havoc across the globe, infecting by last count over 300,000 PCs in over 150 countries. Organizations like FedEx in the U.S., National Health Service hospitals in the U.K., the Russian Interior Ministry and Telefonica in Spain were among those victimized by the invasive WannaCry ransomware attack: They and others who had fallen prey to the worm were ordered to pay $300 in bitcoin to regain access to their encrypted files. The attack started to subside when British IT expert Marcus Hutchins inadvertently discovered and activated a kill switch.
As anyone who has followed the global attack knows by now, WannaCry took advantage of a leaked National Security Agency (NSA) exploit to target Windows computers on which the MS17-010 patch had not been installed.
"This is a wake-up call. Organizations need to have a robust operating system patching program in place," Austin said. "Without implementing the basics that we know we need to do in cybersecurity, we are essentially inviting the bad guys."
Yes, Microsoft can rail until the cows come home about the NSA stockpiling of security vulnerabilities, but that doesn't absolve organizations that fail to keep systems patched. Austin said he believes companies habitually don't see the urgency of sound security until it is too late.
Teaching moments galore
So, what are CIOs and CISOs to take away from the WannaCry ransomware attack? The lessons are manifest and multifold, according to experts.
Diogo Monica, security lead at San Francisco-based Docker Inc. and an Institute of Electrical and Electronics Engineers (IEEE) member, urged companies to adopt a process to track and assess the criticality of patches published by vendors, to put in place an automated mechanism that allows patches to be forcibly applied to all networked systems in under a week, and to move to a more modern operating system on a faster cadence.
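As an added illustration of the track-and-assess process Monica describes, the following script checks a host inventory against a critical patch and a one-week deployment window. It is example code written for this page, not code from the article, from Docker or from any vendor; the host records, the field names and the seven-day SLA are constructed assumptions, and the only real identifier is the MS17-010 patch named in the article.

```python
"""Patch-SLA triage over a constructed host inventory (added example)."""
from dataclasses import dataclass, field

# Operating systems the article names as out of mainstream support, which
# only received MS17-010 through Microsoft's emergency release.
UNSUPPORTED_OS = {"Windows XP", "Windows 8", "Windows Server 2003"}
CRITICAL_PATCH = "MS17-010"
SLA_DAYS = 7  # "in under a week", per the article


@dataclass
class Host:
    """One inventory record (constructed shape; a real CMDB export differs)."""
    name: str
    os: str
    installed_patches: set = field(default_factory=set)


def assess(host: Host, days_since_release: int) -> str:
    """Classify one host given how long ago the critical patch was published.

    Returns "ok" or a comma-joined list of findings.
    """
    findings = []
    if host.os in UNSUPPORTED_OS:
        findings.append("unsupported-os")
    if CRITICAL_PATCH not in host.installed_patches:
        if days_since_release > SLA_DAYS:
            findings.append("missing-critical-patch-past-sla")
        else:
            findings.append("missing-critical-patch")
    return ",".join(findings) if findings else "ok"


def triage(hosts, days_since_release: int) -> dict:
    """Map every host name to its assessment string."""
    return {h.name: assess(h, days_since_release) for h in hosts}


def urgent(hosts, days_since_release: int) -> list:
    """Hosts needing action now: past the patch SLA or on an unsupported OS.

    Past-SLA hosts come first, then unsupported-OS hosts; stable order within each.
    """
    status = triage(hosts, days_since_release)
    past_sla = [h.name for h in hosts if "past-sla" in status[h.name]]
    eol_only = [h.name for h in hosts
                if "unsupported-os" in status[h.name] and h.name not in past_sla]
    return past_sla + eol_only


# Constructed sample inventory; names and patch state are invented.
SAMPLE_HOSTS = [
    Host("fileserver01", "Windows Server 2008 R2", {"MS17-010"}),
    Host("reception-pc", "Windows XP"),
    Host("lab-03", "Windows 7"),
    Host("hr-laptop", "Windows 10", {"MS17-010"}),
    Host("legacy-app", "Windows Server 2003", {"MS17-010"}),
]

if __name__ == "__main__":
    # 59 days is a constructed value standing in for "patch published two months ago".
    for name, verdict in triage(SAMPLE_HOSTS, 59).items():
        print(f"{name:14s} {verdict}")
    print("act now:", urgent(SAMPLE_HOSTS, 59))
```

The two inputs a real deployment would wire in are the inventory export and the patch publication date; everything else is the policy Monica outlines, so the SLA constant is the knob to tighten if a week is too generous for a wormable bug.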
But, like a lot of things in IT, installing patches in a timely fashion is easier said than done, according to Bill Caraher, CIO and director of operations at Milwaukee-based von Briesen & Roper law firm.
"Most patches, including critical server patching, will cause downtime and could potentially break working applications or systems," Caraher said in an email. "But, sometimes, we will need to break things to fix a potential future problem -- that is a hard sell until you state the consequences like getting infected with ransomware across all systems and servers."
Cherif Amirat, CIO at the IEEE, said the WannaCry ransomware attack highlights the need for adopting both a preventive and predictive approach to security. While organizations should ensure protection of data in endpoint devices, have a robust disaster recovery plan and backups for business critical data in place, CIOs must also implement an adaptive security approach to keep up with the changing threat landscape, Amirat said in an email.
Case in point: It has now become critical that data backups are air-gapped. "The reason is that some ransomware has gotten so good, it looks for your backup files on the network and deletes them," Austin said.
Avivah Litan, vice president and analyst at Gartner, agreed that CIOs and CISOs need to take steps to anticipate evolving threats. She also stressed the need for implementing basic cybersecurity measures like application control, the principle of least privilege and updating existing endpoint protection platforms to the latest vendor version. "Don't go for the latest 'toy' when you still don't have your basics, like regular patch management, locked down," Litan said in an email.
In fact, calls for putting security basics first topped the litany of expert advice. "Awareness, backups, antimalware tools and patches. These are the basics that must continue, no matter how simple or how complicated the business or technology is," said Candy Alexander, cybersecurity consultant and Information Systems Security Association's chair of the Cyber Security Career Lifecycle. "Don't shortchange your organization by skimping on these."
Security education necessary, but insufficient
The WannaCry ransomware attack reminds organizations of the importance of practicing "good cyber-hygiene," said Bob Turner, CISO at University of Wisconsin, Madison. This includes employees being trained and retrained and trained again to not click on suspicious links. And every organization should have systems that regularly scan for existing vulnerabilities, Turner added.
"You have to have the ability to understand and properly execute against social-engineering attacks -- phishing being a big one," Turner said.
Still, education mitigates the chance of attacks, but won't prevent them. "It's important and it matters. It should be a part of any good comprehensive cybersecurity program," said TCE's Austin. But he said cybersecurity awareness training is akin to driver's education. "The world's best driver education will not prevent all auto accidents."
The solutions to the ransomware problem have to be technical and can't be dependent on humans doing the right thing, Docker's Monica reinforced.
One more thing the WannaCry ransomware attack makes clear: The ransomware epidemic is gaining traction over time. As long as there are anonymous currencies like bitcoin and people who pay the ransom, there will be threat actors out there who will deploy CryptoLocker-type malware that exploits software and hardware vulnerabilities, Caraher said.
"The bigger security lesson is that the bad guys are out there, they are testing the waters, as they say, to see how much of an impact a simple attack can have," Alexander said. "They are learning from their mistakes and so should we."
CIO news roundup for week of May 15
The WannaCry ransomware attack wasn't the only news that was grabbing headlines this week; here's what else made news:
Google lays out an "AI-first" company roadmap. The annual Google I/O developer conference this week brought news of upcoming plans for the tech giant's services, including Android OS, Google Assistant and Google Home. The use of artificial intelligence (AI) was a recurring theme, as Google announced its intentions to implement the technology into all of its consumer products. "We're talking about an important shift from a mobile-first world to an AI-first world," Google CEO Sundar Pichai said during the opening keynote. Pichai unveiled an artificial intelligence app called Google Lens, which uses smartphone cameras to analyze users' surroundings and display relevant content on their screens. The company will also publish the results of its AI research through an initiative called Google.ai, where it will share research papers and other findings. Also during the keynote, Pichai revealed that the number of monthly active Android devices now exceeds 2 billion.
FCC votes to overturn net neutrality. The U.S. Federal Communications Commission voted 2-1 Thursday to start the process of eliminating net-neutrality rules that prevent internet service providers from blocking or throttling legal content, and from accepting payment to prioritize data. "Today, we propose to repeal utility-style regulation of the internet," said Chairman Ajit Pai, a Republican appointed to head the FCC by President Donald Trump. The rules in question were adopted by the FCC in 2015, when it was headed by Democratic Chairman Tom Wheeler. Ahead of the FCC vote, a group of Senate Democrats that included Sens. Elizabeth Warren (D-Mass.), Cory Booker (D-N.J.) and Chuck Schumer (D-N.Y.) published an open letter in TechCrunch defending the net-neutrality rules the FCC passed two years ago. The senators argued that rolling back the rules would limit access to only select websites and completely block access to some internet services. The FCC plans to take comments on the plan until Aug. 16, and will make a final decision about rescinding the rules after that.
OpenAI teaching robots to learn like humans. OpenAI, a San Francisco nonprofit research lab backed by Elon Musk, has developed an algorithm allowing a human to perform a task in virtual reality that it then communicates to an artificial intelligence. The research is based on "one-time imitation learning," a technique used by OpenAI to allow software guiding a robot to mimic a physical action based on a single example. "With a single demonstration of a task, we can replicate it in a number of different initial conditions," OpenAI staff member Josh Tobin explained in a video demonstrating the algorithm. The long-term goal of the research is to give AI the ability to learn new behaviors quickly, then use that knowledge to adapt to unpredictable environmental changes.
Senior Site Editor Ben Cole contributed to this week's news roundup.