This article was originally posted on CSO Online
August 11th, 2017
By Ed Snodgrass, CISO
Chances are you’ve seen an image like this over the past several months, either on internal systems (hopefully not) or in the countless blogs, news stories and industry journals that bombard us every day with ominous warnings and dire consequences. It is, of course, ransomware. And while it (and media coverage of it) has dominated the cybersecurity world for the last several years, it’s not new. Nor are the fundamental security building blocks needed to mitigate its impact, or the fact that it represents a cyber risk.
What does seem new is the singular focus on these incidents around the ‘cyber watercooler’, which has drowned out the broader discussion of the underlying principles that make up a solid cybersecurity program. The tenor of the cyber risk discussion has changed as well, from an enterprise-level conversation to a single-point conversation. Neither trend is positive.
The first significant ransomware appeared in 1989. Known as the AIDS trojan, it was distributed on 5.25” floppy disks. Much like today’s variants, it attempted to extort money from victims: it hid directories and scrambled the file names on the hard drive, then demanded payment to restore them. It was ultimately unsuccessful despite the lack of security in place at the time; among other factors, the scrambling was simple symmetric encryption and recovery tools appeared quickly. It nevertheless set a precedent with regard to criminal motivation and intent. As most companies had yet to adopt personal computing and the internet was still in its infancy, used primarily by academics and scientists, the risk and potential of malware wasn’t well understood or communicated.
Throughout the 1990s the use of personal computing and the internet grew exponentially, along with standardized operating systems and their applications. Corporate adoption of personal computers and enterprise-level functionality increased as well, becoming the table stakes necessary to keep up with an increasingly connected marketplace.
It was during this time that organizations needed to create processes to manage and maintain their technology stack, and to hire internal or external experts to manage and refine those processes. Building blocks emerged that form the basis for how IT and cybersecurity are run today. Identity and access management, anti-virus, firewalls, enterprise email, instant messaging, VPN, cryptography: all were developed rapidly during the technology boom of the 1990s. While security was becoming more relevant and the notion of IT security risk was beginning to emerge, the major focus from an IT risk perspective was availability, and the emerging IT processes reflected that focus.
The late 1990s (and early 2000s) brought a new development in cybercrime. The first significant uses of malware for financial gain manifested themselves within online banking applications. As waves of consumers adopted the convenience of managing their money without leaving home or work, stolen credentials became highly sought-after and increasingly profitable. International funds transfer had also advanced significantly, letting cybercriminals monetize this threat vector quickly and with little likelihood of being apprehended. As a result, the concept of cyber risk truly began to take shape. Losses could now be measured in hard numbers that directly affected an organization’s bottom line, and the realization emerged that steps had to be taken to address these new threats.
Financial institutions and regulators responded by producing several significant requirements designed to address IT security and cyber risk directly. GLBA, SOX, NIST guidance and the Basel accords, to name a few, all intended to provide some semblance of best-practice requirements while allowing institutions the flexibility to implement them in line with business goals. While these didn’t specifically address the malware threat, they did begin to form the basic building blocks of a sound security program, complete with increasing consequences for not adopting some form of security process.
The mid-2000s and early 2010s brought the first ‘modern’ ransomware and the precursors to today’s crypto-ransomware. Gpcoder encrypted files with weak, easily reversed encryption, while Winlock and so-called Police ransomware used a ‘locker’ approach, blocking access to the machine until the victim paid a fee or performed some money-generating action to remove the malicious functionality. Police ransomware (locking the screen and displaying a warning from a supposed law-enforcement agency) began to show the emerging effectiveness of social engineering. In many cases the user’s IP address was displayed, the screen was rendered in the victim’s native language and a local or regional law-enforcement logo was used, adding perceived legitimacy to the attack. While these early variants were impactful, they were easily mitigated compared to today’s, thanks to their weak encryption and relatively basic infection methods.
Standards continued to emerge and evolve to address these threats. In 2004, for example, the five largest payment card brands combined their individual security requirements into the PCI DSS: 12 requirements organized under six control objectives. While opinions vary on the effectiveness and necessity of the PCI DSS, many of its key requirements and processes outlined ways to address these threats. Encryption standards, network segmentation, vulnerability management, file integrity monitoring, training and awareness, perimeter security, etc., could all be applied in varying degrees of strength throughout the corporate infrastructure (not only within the cardholder data environment) to make organizations more secure.
Today’s crypto-ransomware emerged in 2013 and has been dominant since. Its progressively more automated infection methods are straightforward and effective: encrypt the victim’s files with strong, properly implemented cryptography and demand payment, most frequently today in cryptocurrency. Recovery is much more difficult. Without offline, tested backups the choices are paying or losing the data, and some organizations have had to wipe and rebuild their entire fleet of machines to remove the infection.
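File integrity monitoring, listed above among the PCI DSS controls, is also one of the cheapest ways to catch the behaviour described here: crypto-ransomware rewrites a large share of a host’s files in a short window, and what it leaves behind is indistinguishable from random bytes. The script below is an added example written for this article, not code from CSO Online or from any product; it builds a SHA-256 baseline of a directory tree, diffs a later scan against it, and raises a flag when a large fraction of the baseline was modified or removed *and* the rewritten files have ciphertext-like Shannon entropy. The 50 percent change ratio and 7.0 bits-per-byte threshold are assumed, illustrative values, and the sample directory (five small text files, four of which are then overwritten with random bytes to stand in for encryption) is constructed in a temporary directory by the script itself.

```python
"""File-integrity baseline plus a ransomware-style mass-change check.

Added example; thresholds are assumptions chosen for illustration and the
sample files are constructed in a temp directory, not real data.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and office documents sit well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, root: Path) -> dict:
    """Diff a fresh scan of root against a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
    }


def assess(diff: dict, root: Path, baseline_size: int,
           change_ratio: float = 0.5, entropy_threshold: float = 7.0) -> dict:
    """Flag a ransomware-like event: most of the baseline changed or vanished,
    and the modified files now look like random bytes. Thresholds are assumed."""
    changed = len(diff["modified"]) + len(diff["removed"])
    ratio = changed / baseline_size if baseline_size else 0.0
    high_entropy = [k for k in diff["modified"]
                    if shannon_entropy((root / k).read_bytes()) >= entropy_threshold]
    return {
        "change_ratio": ratio,
        "high_entropy": high_entropy,
        "suspicious": ratio >= change_ratio and bool(high_entropy),
    }


def demo() -> dict:
    """Constructed scenario: a benign single edit, then a simulated mass encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(5):
            (root / f"doc{i}.txt").write_text(f"Quarterly report {i}\n" * 40)
        baseline = build_baseline(root)

        # One legitimate edit: low entropy, small change ratio -> not flagged.
        (root / "doc0.txt").write_text("Quarterly report 0 (revised)\n" * 40)
        benign = assess(compare(baseline, root), root, len(baseline))

        # Stand-in for encryption: overwrite four of five files with random bytes.
        for i in range(4):
            (root / f"doc{i}.txt").write_bytes(os.urandom(4096))
        malicious = assess(compare(baseline, root), root, len(baseline))

        return {"benign": benign, "malicious": malicious}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

In production the baseline would be stored off-host (an attacker who can encrypt your files can also delete a local baseline), the scan would run on a schedule or from a file-system event hook, and the change-ratio window would be measured in minutes rather than against the whole history; the entropy test also needs an allow-list for files that are legitimately random-looking (archives, already-encrypted containers, media).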
This progression of standards and threats has produced two further trends. First, it made security harder to design and implement. Transforming an enterprise from a flat network to a segmented one, for instance, or creating processes to deploy, manage and maintain encryption keys, were not small efforts; they required attention to people, process and technology to be effective.
Second, as security became more complex, effective enterprise implementation required knowledge, awareness and support from the business units within the organization. Security leaders who recognized this, and could demonstrate and communicate that security is a critical part of doing business, typically received the funding and support required to build world-class programs.
The moral of the story is that, while there’s no such thing as 100 percent secure, the processes, tools and expertise to combat the threat have been around almost as long as the threat itself. The two most recent outbreaks, WannaCry and Petya, likely could have been greatly minimized or avoided altogether by focusing on the fundamentals: the patch for the SMBv1 flaw both used to spread (MS17-010) had shipped in March 2017, two months before WannaCry. The fixes were there well in advance of the outbreaks. It simply took awareness and execution to apply them before something bad happened.
No one can predict the future. Bona fide threats will emerge without warning that the industry will have to collaborate to address. In the meantime, let’s cut through the ‘noise’, recognize today’s (ransomware) threats for what they are and how they compromise the organizations we’re responsible for protecting, make sure the foundational building blocks are in place (patching, tested offline backups, vulnerability management, etc.), and be as ready as we can be to respond to future security news that really is new.