The latest ‘wannacry’ ransomware attack which brought down IT systems across the NHS and other organisations in May this year, has provided another “wake-up” call for the IT industry. Sadly I feel these attacks will become more frequent and will penetrate more organisations as the criminal’s tools and skills become more sophisticated and organised over the next few years.
In a Client meeting with the MD of a leading UK FS MSP this PM, we discussed if the “monthly, or quarterly periodic patch cycle” is now past its use-by date? Has the probability and impact of a virus / penetration attack now finally outweighed the risk of an outage caused by an untested patch? I think maybe so…
For those who have their IT in the Cloud, an emotional reaction to this latest attack would be to consider that your IT environment would be best brought ‘in house’ as this is the only true way to protect you from the perceived vulnerabilities of being on a shared infrastructure. For those not yet in the Cloud, perhaps your reaction is to say “Glad we were on our own kit”.
In the early days of Cloud computing, one of the biggest ‘road blocks’ for many organisations considering a migration to the Cloud would be to question the security risks. I have seen these reservations pass over the last couple of years but I do on occasion still get the question; “How secure will my IT environment be in the Cloud?”. My response is very simple “If a Cloud Vendor has a security breach, their business will most probably ‘go bust’ within a year due to the negative press, reputational damage, clients leaving, etc.”. Because of this reason, Cloud Vendors will use the best security products, employ the best security talent and have stringent third party auditing of their processes. It’s not in the Cloud Vendors’ commercial interest to skimp in this area and risk being breached. Conversely if your environment was ‘in house’, would your organisation really allocate the required budget to deploy the best tools, hire the best security staff and gain and regularly validate external certification? In most cases, the answer is ‘probably not’. I personally see the Cloud as a safer option than having IT ‘in house’.
Regardless of whether your IT is ‘in house’ or in the Cloud, every organisation must take measures to protect themselves from this new-age crime, having expensive firewalls and good anti-virus products is sadly not enough. Even the FBI advises that organisations should take the “When will I become a victim?” not “Will I become a victim?” approach. As such, I’ve listed below recommendations of what you should be thinking about / doing to give your organisation the best chance of protection:
- Implement a strict patching rollout schedule and a procedure to rollout out critical security patches as soon as they are released. The latest Wannacry security patch was released by Microsoft in March this year. Yet many organisations had to reactively deploy this security patch post the media coverage? Avoidance was more good luck than good management.
- Don’t run versions of unsupported operating systems. It seems obvious, but I still see many legacy systems running on unsupported OS’. Although the costs or technical challenges of upgrading can be substantial, security is one of the areas where having Vendor support is critical.
- Password complexity, length and change frequency. Deploy a good password management tool for shared systems that multiple people access. A further protection is to invest in single sign on tools that use the AD to authenticate against the user as opposed to multiple people sharing the same password. There are now some great Cloud based tools that can provide Single Sign-on for ALL of your applications.
- Deploy (or procure as a service) a good security monitoring service for security event and incident management (SEIM). These intelligent systems can detect for unusual traffic on your network (i.e. “That server has never spoken to that database before! Raise the alarm!”) thus providing early warnings if you’re breached (or internally compromised).
- Yearly or even bi-yearly penetration testing (internally & externally). Bring in an independent party to give you the assurance that the ingress points into your network are fully locked down.
- Use good email filtering products to detect for malicious emails. Procure a Cloud based system “in front” of your core email system for email continuity, archiving, audit trail AND mail filtering benefits.
- Use Cloud Vendors who are ISO 27001 compliant, thus ensuring they subscribe to, and are certified against industry leading standards for information security.
- Perform regular staff training and communication on information security. Social engineering is typically the gateway for most hacks. Most important – “Don’t click that web link or open that file if you don’t know what it is.”
- Similar to performing your yearly DR test, perform a yearly security test or test to simulate the outbreak of a virus. Prove that your (previously defined) processes and methods are watertight to contain an outbreak should it occur.
- Introduce a Chief Information Security Officer (CISO) or a virtual CISO (vCISO) role into your organisation to provide the needed focus this specific element of IT now requires.