‘Out on a Limb’ segments are intentionally provocative conversations about popular areas or issues of risk management and cybersecurity, intended to promote discussions and thoughts about the subject.

The opinions expressed herein do not necessary reflect the opinions of Centripetum, LLC.

I get it: ransomware can be scary and expensive if one is hit.  There are many variants out there that are very sophisticated.

But in the case of Wannacry (especially for businesses) it seems like the general response should really be: you probably deserved it.

My, how sympathetic of you” you say, shaking your head at what appears to be an obvious insensitivity to another’s plight.  Hmm… really?  Shouldn’t sympathy be reserved for victims, not willing targets?

You feel sorry for the person who accidentally slips on a loose rock and falls off a shallow ledge, not the person standing on the edge of a 100 foot cliff while wearing Teflon-coated shoes, hopping on one foot, spinning madly, and performing “If You’re Happy and You Know It” at the top of their lungs.

Before we go on, let’s dampen any disdain for this position by noting the criticism isn’t directed at victimized personal users, per se.  I think you’ll find they should still be heeding the advice below, but the risks a personal user takes are a burden unto themselves.

This is expressly for the enterprises whose actions impact many stakeholders, despite having clear responsibilities to them.

*****

The most common question I get asked at least once a week is “If I don’t have enough resources to do ‘security’, what are the top 3 things you think I should be doing?”  My answer is simple, and in this order:

  1. Disaster Recovery/Business Continuity Planning (e.g., backups and system restoration planning)
  2. Software Patching
  3. Network and System Monitoring (with IDS/IPS if you can)

(Of course, I’ll caveat that by saying that a firewall and basic malware protection go without saying in my book. Many professionals don’t consider a failure to do those poor security… those failures can get classified as outright gross negligence.)

I don’t want to belabor the reasoning, so let’s keep it short:

  • A business has one critical responsibility – to keep itself running. That addresses #1.
  • #2 comes from the voluminous history of one successful attack after another stemming from an exploit that had a mitigating patch available for months, sometimes years prior.
  • And #3 follows the premise that “it isn’t if they get in, it’s when”. By this logic, it follows that it is pretty difficult to realize or respond to a threat if you are blind to the environment in the first place.

*****

So, getting back to the premise: why the lack of sympathy?  Because in the case of Wannacry, having done #1 and #2 well enough would have mitigating the impacts to almost nothing.  #3 (using a tool like Tripwire), would have flagged the event quickly as well.  Most of the time someone clicking on a bad link is going to happen at a workstation, and workstation use should theoretically be configured to be ‘expendable’.  Workstations should never have sensitive information stored on them directly, and if they do, they should be part of the backup effort.  Moreover, a workstation that was patched would have seen the attack rise and fall on itself alone.  If any important information was stored in a secure network storage location, those locations were being backed up regularly, but were still victimized, the worst case might be a loss of 24 hours of work.

Of course, no one is saying that the resultant experience still isn’t painful, but it shouldn’t be lethal.

Enterprises large and small face many risks and can have many challenges when it comes to implemented a cybersecurity-based risk management program, but #1 and #2 are basic IT functions – doing backups and patching is about simple hygiene first, and security second.  I don’t buy the argument that it’s part of a ‘cybersecurity program’ that requires exceptional skill or high cost to implement.  Even #3, with some invested time and effort, can be done for almost zero using the likes of Security Onion or other open source solutions.

If you’ve been driving recklessly for the last 50 miles, you’re unlikely to find a whole lot of sympathy from passersby when you and your car are found further up the road, plowed into the ditch on the side of the road.

Wouldn’t the same consideration apply here, too?