Security Central: WannaCry Ransomware, Microsoft Implores Government to Regulate IoT

Written by Allison Francis
May 18, 2017

This week’s Security Central takes a look at the WannaCry ransomware, examines Microsoft’s IoT plea to the government, and peeks inside a revealing Code42 study about corporate bosses and data security.

It was the ransomware heard round the world. The WannaCry virus burst onto the scene last Friday, wreaking havoc on major organizations like FedEx, the National Health Service (NHS), Spain’s telecom company Telefonica and others, according to Fortune. It was all shut down, though, when a cybersecurity researcher from the U.K. known as “MalwareTech” discovered a “kill switch” in the software, effectively containing the spread of the attack.

The attack has thrown into sharp relief the undeniable need for governments and organizations to beef up their security infrastructure, a badly-needed and overdue fix. In addition, it’s a call to mandate security updates and educate lawmakers about the intricacies of cybersecurity.

To articulate that argument even further, experts are saying that new versions of the virus are expected – ones that may not be so “easily” shut down. In Friday’s attack, the infected computers for the most part appeared to be out-of-date devices that organizations had deemed not worth upgrading, and in some cases, manufacturing or hospital machines with functions too difficult to patch without disrupting crucial operations. (As reported by Wharton School of the University of Pennsylvania).

Michael Greenberger, law professor at the University of Maryland and founder and director of its Center of Health and Homeland Security, says that the attack brings to light the dangers of using outdated software. “As the devastation of these events takes place, you are going to see more insistence on the following of practices that keep software updated,” says Greenberger. “Mandating that certain software be [updated] may sound rough to the ear, but when you see people dying on the operating table because the software is inadequate, [such mandates will] become much more acceptable.”

Experts everywhere are stressing the extreme need for software updates and patches, and the dire consequences if these systems go unchecked/untouched. As if WannaCry wasn’t enough of a wake-up call… Even further, some experts are saying that old school anti-virus methods just won’t cut it anymore.

“Traditional anti-virus that relies on signatures and patches is dead, and the WannaCry malware sweeping the globe is the proof,” says Melih Abdulhayoglu, CEO of Comodo. “The only answer to stopping malware is to start virtualization for hard drive, registry and com interfaces of unknown executable files as soon as they hit the device or the network.” Yet another lesson to drive home the point for vendors to make sure their products have all the appropriate cybersecurity safeguards in place.

Our second story touches on two of our most talked about topics at once – Microsoft and the Internet of Things. It’s almost silly at this point to say that the IoT is growing rapidly. This is not new information. It’s also not new to say that there is a great need for the development of cybersecurity policies to support the rapid growth of the IoT. However, now Microsoft is putting its weight behind the concept, and is calling on the government to to get involved.

According to Talkin’ Cloud, the tech giant is urging the government to regulate privacy and security in the IoT market, a huge growth area for the company’s cloud business.

Sam George, Microsoft’s director of engineering for Azure IoT, stated on Tuesday during a panel at IoT World that government will have to get involved in IoT security. As companies clamor to push their products in the hot new(ish) IoT market, security is, inevitably becoming one of the biggest challenges in the budding space. Currently the “bar is low” for IoT security, George said.

There are a few federal agencies that already regulate some areas of the IoT market, according to a comprehensive report on IoT by the Government Accountability Office released earlier this month. Both federal and executive branches of the US government have been considering regulation of IoT devices or data, and ongoing efforts are occurring to review/asses the government’s role in IoT.

Johnson & Johnson CIO Stuart McGuigan states that the increase in and severity of large-scale attacks means regulation in the IoT space is inevitable. As the number of connected devices continues to grow at a dizzying pace and attacks get more advanced, there will very likely be a demand for laws that will govern the way IoT networks are handled and protected.

Our last story takes a look at a study recently conducted by endpoint data protection company, Code42. On Tuesday, the company released the results of its CTRL-Z study that compares behaviors and concerns on cyber security between business decision makers and IT decision makers. Some of the top findings include:

CEOs are top perpetrators of shadow IT and they know it’s a risk

75% of CEOs and more than half (52%) of business decision makers (BDMs) admit that they use applications/programs that are not approved by their IT department
This is despite 91% of CEOs and 83% of BDMs acknowledging that their behaviors could be considered a security risk to their organization

Business decision makers are now more concerned than IT leaders about a major data breach

51% of business decision makers have had a security breach within the last 18 months, and of the 45% that haven’t had a breach 88% said there is a risk of one going public in the next 12 months
Yet, IT decision makers are more confident. According to this group of respondents, only 45% of companies have experienced a breach in the last year and a half, and of the 50% that haven’t only 18% believe there is a risk of a breach that could go public in the next 12 months

The majority of Business Decision Makers choose convenience over security

Almost two thirds (65%) of BDMs would use an unapproved program/application because it would improve their productivity, over half (52%) would do it to make their lives easier and more than a quarter (27%) would do it because they don’t believe IT knows that it takes to get their jobs done
At the same time, 83% of business decision makers admit that their actions would be considered a security risk to their organizations

“Modern enterprises are fighting an internal battle between the need for productivity and the need for security,” said Rick Orloff, VP and CSO at Code42. “By using unauthorized programs and applications, business leadership is challenging the very security strategies they demanded be put in place. This makes it clear that a prevention-based approach to security is not sufficient; recovery must be at the core of your strategy.”

The views expressed in this column do not necessarily reflect the views of Penton Media or The VAR Guy editorial staff.