WannaCrypt: was it good for the security industry?
Mon, May 15, 2017
This weekend we saw ‘the biggest cyber attack ever’, and a few people (who don’t work in IT) have asked me - will it be good for you (as I work for Irdeto - a Digital Platform Security company)? It’s an interesting question to consider - these big attacks make a lot of noise, so you’d expect that on Monday morning the business of cyber security will get easier! However, I think the reality is a bit more nuanced.
The first big impact of the attack is that everyone is talking about cyber security. This must be a good thing for the security industry; far too often, I find, people don’t take cyber security seriously. This is often a factor of how humans think: we are very bad at estimating and reacting to risks, and cyber security is one of those things that seems so big and scary that it’s easier to ignore. It would be great if this morning the world was systematically analysing its cyber security risk, but I think what will actually happen is that sticking plasters will be applied, it will be noted down by many as one of those things that happens, and life will continue as it always did. We will probably find some people moving to address cyber security, and I think over time governments and regulators will start treating the overall IT security of their country as something they have to worry about, but that will take several years to have any significant impact.
The next impact is that patching has now gone to the top of everyone’s agenda. This is a good thing, and we’ll see lots of IT teams running around patching everything in sight. However, in many cases this will last just a few weeks, until the fuss dies down and old (bad) habits return. Microsoft’s decision to issue a patch for Windows XP is an interesting example. On one hand, Microsoft have been excellent corporate citizens, ‘vaccinating’ a chunk of the vulnerable PCs; on the other, the people owning those PCs may now have a false sense of security. Microsoft have not patched Windows XP against all its known vulnerabilities; they have only fixed the immediate one this worm was exploiting. I’ve seen a number of articles criticising Microsoft for their policy of discontinuing free support for Windows XP - however, there is one big point in their favour - they have patched all of them. The patch is called Windows 10, and for most of last year they gave it away free to anyone who wanted it (or not, in some cases).
Patching being at the top of everyone’s agenda is not necessarily good news for the IT security industry. Patching is part of a defence in depth strategy, but it is far from all of it. The danger of patching being at the top is that people consider the job done once they have patched, and then they’ll stop thinking about security until the next attack. As with this attack, I’d argue that people behaving that way are being negligent, but I can also see it’s a normal human reaction.
The final impact is that people may actually get more slack about IT security. It seems no-one is being ‘fired’ over this attack. The UK Government have been stressing that this is a [global attack](http://www.bbc.co.uk/news/health-39906019), the implication being that it’s not their fault. We need some really hard questions to be asked of all the IT managers who signed off running unpatchable/unpatched systems, and of the business managers who squeezed budgets to make that their only option. A cynical person would probably learn from this attack that cyber attacks are:
- Too hard to fix
- And if one happens I won’t get blamed
- Therefore I won’t try and stop them
I don’t agree with the above sentiment, as these attacks are very preventable at a reasonable cost, but I also know people are unlikely to stop their day-to-day activity to fix these issues unless there are real and visible consequences to not taking action.