Businesses with compliance regulations, data privacy laws, and security mandates will often admit that having these additional responsibilities can add considerable cycles to their ongoing business-as-usual functions. However, in the wake of the WannaCry/WannaCrypt outbreak, businesses following a comprehensive or mature regulatory data-security policy may be thinking differently.
A ransomware attack, such as WannaCry, has an objective to take data or systems hostage. When ransomed endpoints are also governed by data privacy and security mandates, the victim can face multiple consequences associated with the infringement of the data or systems. They may be held accountable to the protection of that data as per one of many data-privacy policies.
When it comes to compliance regulations and privacy mandates in the case of a ransomware attack, the liability and consequences to victims can often stretch far beyond the results of lost data. There have been accounts where critical data has been held hostage, copied, or stolen, during an attack and the data custodians faced addition substantial penalties.
However, the implications of increased accountability brought on by data security regulations have an upside for businesses facing exploits such as WannaCry. A company following a comprehensive data-security mandate or security program will most often be better prepared to deal with such exploits. They are often already employing many of the common security controls necessary to ensure compliance with their regulatory responsibilities keeping data safe. These businesses must be ready to prove, under audit, that the controls protecting their data are in place, functional, and more importantly, auditable. They must be able to inspect the strength and effectiveness of their data security controls at all times.
There are numerous data security and regulatory baselines throughout the globe that can help illustrate the blueprint for data security implementation. Most, if not all, have sections that help businesses close the gaps often found within the enterprise concerning data security.
Common sections that deal explicitly with mitigating security vulnerabilities that can lead to a successful attack (such as the case in the vulnerability that was exploited in the WannaCry exploit), will most always be included. There are many great baselines and standards to choose from that cover a multitude of industry segments. The NIST Cybersecurity Framework and the NIST 800-53, both contain sections that help to identify and mitigate security vulnerabilities. The Australian Signals Directorate Essential Eight and 35 mitigating strategies also applies considerable emphasis on ensuring priority patching to all operating systems. Patching makes up a large share of the essential steps in mitigating strategies.
Lastly, and one of my favorites, the PCI DSS (Payment Card Industry Data Security Standard) has specific requirements that are dedicated directly to mitigating operating system and application vulnerabilities from the scope of the enterprise. Requirements 6.1 and 6.2 of PCI DSS place importance on categorizing, prioritizing, and patching security vulnerabilities across in-scope assets.
More importantly, it also requires the implementation of compensating controls when the original control cannot be applied (an alternate security control that take the place of protecting the in-scope asset when the original control cannot be applied for business or technical reasons). When security patches can no longer be acquired for an asset it may become vulnerable to exploit if no other measure is applied. In the case of WannaCry, some of the exploits targeted a vulnerability on the Windows family that was no longer supported.
All these frameworks and standards have a common path they follow when implementing data security. They tend to focus implementation maturity on the phases aligned with a standard attack (sometime referred to as the cyber kill chain).
Carbon Black uses that same set of steps to help organizations measure the posture of their data security controls, and has been helping companies do this for many years. Our security framework is positioned to offer both exceptional security protection as well as auditable proof of continuous compliance regarding the data controls that must be inspected. I’ve included an illustration of the steps that companies can take to assess both their data security posture as well as compliance against their data privacy regulations.
Step 1. Confirm your assets. Ensure that you understand the full scope of your system assets, which ones are subject to your data policy and which assets could contain critical data. Understand what it is you need to protect and how that asset and its data may be changing. Carbon Black has solutions to provide clarity on your endpoint assets in order that you may determine how you will protect them.
Step 2. Protect data integrity. Now that you know what you have and where it is, ensure that you know what mechanisms to put in place to protect the integrity of that data. Carbon Black will help you understand and control change and therefore adhere to how change should be occurring to your critical data.
Step 3. Monitor your infrastructure against your policy. By defining the policy to measure your data security, you will be better prepared to eliminate the noise often associated with the modern enterprise. Carbon Black’s policy adherence, monitoring, and event prioritization will help collect and measure events and make decisions on actionable intelligence.
Step 4. Mitigate Threats. With an organized and smaller subset of scope, businesses can now focus on implementing threat protection, detection, and remediation. The Carbon Black solution will provide compensating controls and security-in-depth via application control when original controls are unavailable (i.e. no security patches available for unsupported OS or applications).
Step 5. Prove Enforcement of compliance and security policy. This is the step most often missed. A data-security policy will only work if you can prove that you are applying the controls. Policy enforcement and regulatory data is standard intelligence required to ensure you are up to the challenge of protecting your assets against attacks such as WannaCry. Carbon Black places a great deal of importance on this step. Unless you can prove that your security controls are active and effective, then you can never be too sure of the outcome in the event of an attack.
By taking these small steps to incorporate data-security regulatory policies with security mechanisms, hopefully businesses will be in a better position when dealing with the next wave of exploits and, more importantly, be able to eliminate the threats altogether.
These are all measures to help us deal with current threats as well as future ones, and move from a reactive stance to a proactive stance, aligned with a data-security policy or regulation that will help us stop the attack before it even has a chance to happen.