Lessons Learned from 'Petya' and 'WannaCry': A Defense In Depth Security Strategy is a Must
As alarming as the scale of the Petya ransomware attack is, it isn't the first well-coordinated, widespread Zero Day cyberattack, nor will it be the last. What we often see in the aftermath of such ransomware attacks and security breaches, such as WannaCry last month, is a notable push by many security technology vendors discussing the ways their products would have prevented the event from taking place. However, after examining these attacks in greater detail, it's apparent that the large-scale impact is not necessarily due to a technology failure. In fact, the primary failure is often the absence of an effective Information Security Risk Management Program.
One of the key components of an effective Information Security Risk Management Program is identifying high-risk systems and implementing risk treatment. Systems are labeled as high risk due to technical security issues (probability) and their importance to the organization (impact). Petya is infecting vulnerable airlines, banks, and utilities across Europe, and WannaCry had a significant focus on medical systems that are difficult to patch and often have limited end-point security because of regulatory requirements. Risk Management would have identified these difficult-to-secure systems and prioritized the necessary compensating controls, such as network segmentation and threat detection.
A quality Defense In Depth Security Architecture provides the necessary technical controls, and an effective Information Security Risk Management Program provides the priorities to ensure it is appropriately implemented. Before your organization starts to evaluate new security technology, consider reviewing the effectiveness of your existing risk management processes and the impact that can have on your organization's security posture.