By Elaine Ou
Malware has yet again disrupted businesses around the world, just weeks after hackers used leaked National Security Agency tools in a global cyberattack called WannaCry. The ultimate target in both cases may be people’s sensitive information—a troubling reality that should finally motivate organizations to get serious about security.
Last week’s attack was more sophisticated than WannaCry, which took advantage of a Windows exploit to infect more than 200,000 computers in 150 countries (and which cost, by one estimate, more than $4 billion). Microsoft security researchers have traced the initial infection to a Ukrainian software vendor called M.E.Doc, which inadvertently released a malevolent update to its popular tax accounting software. When customers installed the automatic update, a piece of malware obtained passwords that were then used to gain access to other machines. The so-called Petya virus then locked users out of their computers and demanded $300 in bitcoin to get back in.
The attack was hardly lucrative for its instigators. Although it affected thousands of corporate networks, the ransom address accumulated a grand total of only $9,159. Even the WannaCry ransom amounts to only $130,000 in bitcoin to date. The NSA has reportedly linked the WannaCry cyberattack to North Korea. I suppose $130,000 goes a lot further in North Korea than it does here, but that’s still barely enough for a stick of plutonium.
We’ve talked before about the economics of cyber extortion. Given the overhead costs of packaging and distribution, it’s rarely a profitable venture. On the other hand, a locked-up computer system presents the perfect cover for attackers to steal sensitive data.
The WannaCry attack targeted National Health Service hospitals in England and Scotland, perhaps because health care records contain irrevocable information that can be used for identity theft. Given that yesterday’s ransomware propagated through a tax accounting package favored by Ukrainian businesses, the most likely victims were financial account controllers doing business in Ukraine. Notable victims include legal firm DLA Piper and shipping and transport firm A.P. Moller-Maersk.
It’s worth noting that cloud computing services like Google and Amazon, which control vast amounts of data around the world, have yet to be crippled by a ransomware attack or even to suffer a known data breach. Google in particular prevents break-ins across a global workforce by implementing a strict provisioning system, in which every device is presumed to be untrustworthy.
Access management is an old-fashioned idea that doesn’t get enough attention in our hyper-connected world. In earlier generations, sensitive information was stored in locked filing cabinets located in separate offices. We’ve since digitized the data without replicating the access management. When organizations migrated from application-specific mainframes to networked personal computers (primarily to cut costs), they turned every single computer into a potential entry point for hackers. It’s like giving every employee a master key to the building.
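To make the contrast in the two preceding paragraphs concrete, here is an added Python example; it is not code from the column and not a description of Google’s actual system. It models two access policies: a perimeter model in which any machine on the corporate network with a valid password gets in (the “master key” problem), and a device-trust model in which every device is presumed untrustworthy until it is enrolled and attested, so a password harvested from a compromised workstation is not enough on its own. The users, resources, device attributes and the scenario are all constructed for illustration.

```python
"""Constructed comparison of a perimeter trust model and a device-trust model.

Hypothetical policy engine for illustration only; the users, resources,
device fields and the lateral-movement scenario are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool = False    # enrolled in the organization's device inventory
    patched: bool = False    # at the required OS/security patch level
    attested: bool = False   # presented a valid device certificate at connect time


@dataclass(frozen=True)
class Request:
    user: str
    password_ok: bool        # credentials validated; they may still be stolen
    device: Device
    resource: str
    on_corporate_lan: bool


# Constructed entitlements: which user may reach which resource at all.
ENTITLEMENTS = {
    "alice": {"accounting-db", "wiki"},
    "bob": {"wiki"},
}

# Constructed tier: resources that additionally require a patched device.
HIGH_VALUE = {"accounting-db"}


def perimeter_model(req: Request) -> bool:
    """Old model: network location plus a valid password is the whole check.

    Every machine on the LAN is effectively a master key to the building.
    """
    return req.on_corporate_lan and req.password_ok


def device_trust_model(req: Request) -> bool:
    """Every device is untrusted by default; location carries no weight.

    Access requires valid credentials, an entitlement for the specific
    resource, and a device that is both enrolled and attested. High-value
    resources further require the device to be patched.
    """
    if not req.password_ok:
        return False
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False
    dev = req.device
    if not (dev.managed and dev.attested):
        return False
    if req.resource in HIGH_VALUE and not dev.patched:
        return False
    return True


def lateral_movement_scenario() -> dict:
    """Constructed scenario: alice's password was harvested on a compromised
    host and is replayed from an unmanaged machine on the corporate LAN.
    Returns each model's decision, plus the decision for alice's own
    managed, attested, patched laptop as a control."""
    rogue_host = Device("ws-unknown-17")                     # never enrolled
    alice_laptop = Device("lt-alice-01", managed=True, patched=True, attested=True)

    replayed = Request("alice", True, rogue_host, "accounting-db", on_corporate_lan=True)
    legitimate = Request("alice", True, alice_laptop, "accounting-db", on_corporate_lan=False)

    return {
        "perimeter_replayed": perimeter_model(replayed),
        "device_trust_replayed": device_trust_model(replayed),
        "perimeter_legitimate": perimeter_model(legitimate),
        "device_trust_legitimate": device_trust_model(legitimate),
    }


if __name__ == "__main__":
    for name, decision in lateral_movement_scenario().items():
        print(f"{name}: {'ALLOW' if decision else 'DENY'}")
```

The instructive pair of results is the replayed request: the perimeter model allows it because the request arrives from inside the network with a correct password, while the device-trust model denies it because the unenrolled host cannot attest. Note also that alice’s legitimate laptop is denied by the perimeter model when she is off the LAN, even though it is the better-vetted device; location-based trust gets both cases wrong.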
Cloud computing has a lot of similarities to mainframe infrastructure. Users access enterprise software through their internet browsers, much as they used to access the mainframe through dumb terminals. Because individual users aren’t in charge of maintaining critical software on their personal machines, it’s much more difficult for malware to get in. This makes the whole enterprise less vulnerable to breaches.
Stories of crippling ransomware dominate the news, but ensuing data breaches tend not to surface for years. Such breaches primarily affect end users in ways that may be difficult to trace, so organizations haven’t been terribly motivated to overhaul their security and dump the universally connected computing paradigm. Perhaps the latest disasters will put more pressure on the industry to get its act together.