WannaCry Q&A with WhiteHawk COO Trevor RudolphWhiteHawk Inc.
The WannaCry ransomware cyber attack hit hundreds of thousands of computers around the world this month. We recently sat down with our COO, Trevor Rudolph to get his thoughts on the attack.
Q&A with Trevor Rudolph:
Why is this particular attack generating so much attention?
[WannaCry is] generating so much attention because the sheer scope and scale is pretty significant. I'd be hard pressed to think of another example that affected so many countries. It's affecting a variety of users, anywhere from hospital systems, to mom and pop shops, to individual consumers of the Internet. It's breath taking in scope and scale.
Based on your experience at the White House, how does this attack and the response compare to other attacks?
Compared to other attacks, this one's different because of the wake up call that it has created. Previous attacks have largely affected the technical community - meaning the guys and gals in your security operations center that are responding to it. When something affects over 150 countries almost at once, there is a transcendent impact.
Have you seen measurable progress in our ability to lessen the impact of these types of attacks?
It depends - more mature institutions like the Federal government or big banks have improved in their ability to respond. Federal incident response protocols are much more mature today than they were in 2014. There are other less mature organizations like in healthcare and Small and Medium Sized Businesses (SMB) that are still struggling to respond to these types of issues.
Who is being impacted by this attack the most?
SMBs appear to be receiving the brunt of this because they lack the in-house expertise to understand how this happened and how to prevent it in the future. They may not have the resources to protect themselves moving forward. If hospitals get hit, like what happened in the UK, it's potentially devastating but at the same time, the entire government is going to support those institutions. I'm not sure you will see that same response for the mid-market and that's what's particularly alarming.
Were there preventive measures that could have precluded the attack?
Absolutely - it's pretty well documented that the primary vector was through unpatched instances of XP - XP has been unsupported by Microsoft for a few years now, but they did issue a patch in March once they realized the vulnerability was there. Folks need to upgrade to the latest version of the Microsoft operating system as soon as possible and make sure their data is backed up.
If you do become a victim of ransomware, I encourage you not to pay because paying increases the chances of you being victimized in the future and there is no guarantee the attackers will unlock your data even if you do pay. The best approach is to ensure you have up-to-date software, strong patch management procedures, and robust backups.
What actions are being taken to avoid future attacks or are attacks inevitable and we need to respond to them?
More mature institutions are probably going through their current CyberSecurity posture to make sure they are prepared for the next big attack. Regardless of an organization's CyberSecurity maturity, I would encourage everyone to start by using the NIST (National Institute of Standards and Technology) Cybersecurity Framework as a road map for how to address cyber risk. As I alluded to in the Federal News Radio article, the Federal government has been taking important steps in this space for sometime. Specifically, they've been implementing the Homeland Security Continuous Diagnostics and Mitigation (CDM) program, while also upgrading the Einstein program, both of which are critical components of Federal-wide detection, prevention, and response efforts.
What worries you the most about this attack?
What worries me the most is I have a feeling that this attack was simply a dry run. I've seen a lot of reporting that is referring to this as "the big one" and that worries me because this isn't it. If we think that an attack that affected 150 countries that only asked for $300 in bitcoin, we are kidding ourselves. I think this was a dry run by whoever did this to test their capabilities and test the art of the possible in real time. It was practice for an attack on critical infrastructure and if that true big one were to happen, my fear is that it could take down the healthcare industry, including hospitals, and potentially the energy sector. The true "big one" could have a devastating impact on international security and the international economy.
Trevor was also quoted in a Federal News Radio article on 'Heartbleed vs. WannaCry: A tale of two cyber attacks.' The full article can be viewed here.