Unit VIII PowerPoint

profileanthony91
source_rm_4.pdf

56 \\ JULY 2017 \\ WWW.COMPLIANCEWEEK.COM

The crisis of the moment in cyber-space is WannaCry, a nasty piece of ransomware attacking organizations around the globe. Those unfortunate enough to be in- held hostage, only to be returned and unlocked once a speci-

The spotlight on this cyber-threat du jour has sparked

management and the need to break down corporate silos. Ransomware, an increasing problem for anyone with

-

tacks include e-mails that look legitimate and seem to be from a known sender, but are engineered to trick the recip- ient into opening a malignant bit of code. Once loose, it cre- ates an illicit data pipeline. Malware can also be embedded onto Websites, waiting for an unsuspecting right click to open the door.

WannaCry ransomware (also known as WCry and Wan- na Decryptor) used e-mail to exploit unpatched hazards in outdated, unpatched Microsoft Windows operating systems,

- rosoft (which released a patch for the exploit, for newer op- erating systems, in March) is blaming the National Security

A global hack attack that held organizations’ data hostage for Bitcoin ransoms

raises serious regulatory issues, disclosure debates, and risk management

concerns. Joe Mont has more on the worldwide cyber-security event.

{CYBER-SECURITY}

Risk management lessons of the WannaCry ransomware

WWW.COMPLIANCEWEEK.COM // JULY 2017 // 57

Agency for letting one of its experiments in software subter- fuge into the wild.

The regulatory perspective

On May 17, amid ongoing waves of the cyber-attacks, the Se- -

spections and Examinations issued a ransomware alert. -

amined 75 SEC registered broker-dealers, investment advis- ers, and investment companies to assess practices associated

» Five percent of broker-dealers and 26 percent of advisers and funds examined did not conduct periodic risk assess- ments of critical systems to identify cyber-security threats, vulnerabilities, and the potential business consequences.

» Five percent of broker-dealers and 57 percent of the invest- -

etration tests and vulnerability scans on systems that the

» While all broker-dealers and 96 percent of investment

regular system maintenance, including the installation of software patches to address security vulnerabilities, some

that were missing important updates.

Although not related to the latest ransomware attack, the -

Smith Barney agreed to pay a $1 million penalty to settle charges related to its failures to protect customer informa-

requires registered broker-dealers, investment companies, and investment advisers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”

Is it a breach?

must a ransomware attack be disclosed in accordance with

For healthcare organizations and their business associ- -

ity Act’s privacy rule there may not be much debate or wiggle

-

ply, according to the Department of Health and Human Ser-

and encouraged it to focus on guidance for healthcare provid- ers to respond to ransomware attacks under the disclosure and

medical record or medical services, the patient needs to know as quickly as possible,” the congressmen wrote.

-

conducting a risk analysis to identify threats and vulnera-

those persons or software programs requiring access.

need people, a process, and technology.” Monitoring is the weak link in most organizations, she

measures are useless unless there is a process to make sure they are being enforced.”

-

“Breaches rarely occur because

of insufficient technology; this

is a governance problem. Many

organizations react by conducting

employee training. Training increases

awareness but has proven ineffective

at changing behavior.”

Steven Minsky, CEO, LogicManager

58 \\ JULY 2017 \\ WWW.COMPLIANCEWEEK.COM

to be assessed to gain transparency into vulnerabilities, but it is also important to identify, assess, and manage the pro- fusion of devices that connect to the organization’s network,” she explains. “Any party or device represents risk, and so ev- ery one of them must be included in a monitoring program.”

A checklist of advice for IT departments—as suggested by Austin Berglas, senior managing director at the investiga-

- gence—includes:

» Patch all Windows systems as soon as possible. » Filter e-mails with zipped or otherwise obfuscated attachments. » Regularly back up systems and keep them separate from

the primary network to provide a reliable back-up option in case of an infection.

» Closely monitor logs and activate anomaly detection pro- cesses for user and network behavior. Review and manage logs and alerts through a central system.

» Develop a software update procedure that calculates the risk and critical levels, and prioritize critical system updates.

Firms should also raise employee awareness to the danger of phishing e-mails.

“Human error is often more dangerous than technical failures. Most of the breaches and attacks you hear about are successful because they are exploiting some kind of hu- man error,” says Berglas, a former assistant special agent in charge of the FBI’s Cyber-Branch in New York.

From a technical aspect, the attacks are due to a lack of patching, he explained. So why, if a patch was released in

“It highlighted the fact that lots of organizations interna- tionally are using outdated operating systems,” Berglas says.

- ing, executives and directors should try to understand why the work was so delayed. “It seems like that would be a rea- sonable thing to ask,” he suggests. “What people don’t always understand is how complex and disruptive patching can be.”

If you run a large environment, you are getting lots of up- -

erating systems. Patching may disrupt existing programs, not

MICROSOFT BLOG POST

The following are excerpts from a blog post, appearing on Microsoft’s webpage, by President and Chief Legal Officer Brad Smith.

This attack provides yet another example of why the

stockpiling of vulnerabilities by governments is such

a problem. This is an emerging pattern in 2017. We

have seen vulnerabilities stored by the CIA show up on

WikiLeaks, and now this vulnerability stolen from the

NSA has affected customers around the world.

Repeatedly, exploits in the hands of governments have

leaked into the public domain and caused widespread

damage. An equivalent scenario with conventional weap-

ons would be the U.S. military having some of its Tom-

ahawk missiles stolen. And this most recent attack rep-

resents a completely unintended but disconcerting link

between the two most serious forms of cyber-security

threats in the world today – nation-state action and orga-

nized criminal action.

The governments of the world should treat this attack as

a wake-up call. They need to take a different approach

and adhere in cyberspace to the same rules applied to

weapons in the physical world. We need governments to

consider the damage to civilians that comes from hoard-

ing these vulnerabilities and the use of these exploits.

This is one reason we called in February for a new “Digi-

tal Geneva Convention” to govern these issues, including

a new requirement for governments to report vulnera-

bilities to vendors, rather than stockpile, sell, or exploit

them. And it’s why we’ve pledged our support for de-

fending every customer everywhere in the face of cy-

berattacks, regardless of their nationality. This weekend,

whether it’s in London, New York, Moscow, Delhi, Sao

Paulo, or Beijing, we’re putting this principle into action

and working with customers around the world.

We should take from this recent attack a renewed de-

termination for more urgent collective action. We need

the tech sector, customers, and governments to work

together to protect against cyber-security attacks. More

action is needed, and it’s needed now. In this sense, the

WannaCrypt attack is a wake-up call for all of us.

Source: Microsoft

WWW.COMPLIANCEWEEK.COM // JULY 2017 // 59

at all desirable if all programs are expected to run seamlessly.

updates and restart, especially with 24/7 expectations of e-commerce, Websites, and data availability. “If you take

losing all that business,” Berglas says. When you are getting bombarded with updates, how do

- sets and how they are connected.

“Then it boils down to what the industry calls a layered approach,” Berglas says. “There is no one silver bullet that is going to save you from any of these attacks. The CEO, CRO, general counsel, and board of directors all need to work to- gether to mandate internal employee training on phishing and social engineering, and how to protect both the business and your personal life from these types of attacks.”

“You start with [front-line employees] because it is the weakest link,” he adds. “They are operating on the end point, and that is what is going to give the bad guys access into the corporate environment. Using the layered approach, you want to make sure individuals inside the company are only granted the access privileges they need to do their job and no more.”

- ing at the senior executive and middle management level.

“There should be tabletop exercises about what would happen within the organization if this occurs tomorrow,”

- ness continuity plan to make sure they are integrated across all business lines.”

“It is a board-level decision on how long the business can operate at 10 or 20 percent capacity after an attack,” he adds. “Those decisions can only be made with a good continuity plan in place so you know who is in charge and understand the current environment and the risks you may undertake.”

Steven Minsky, CEO of LogicManager, an enterprise risk management provider, has a unique viewpoint on ransom- ware attacks: they illustrate a governance problem, not a technology problem.

-

gy; this is a governance problem,” he recently wrote for his company’s blog. “Many organizations react by conducting employee training. Training increases awareness but has

-

“Two other important parts of the equation are access rights and asset management,” he says. “Do all employees have access to only the applications they need to perform

information documented and included in your company’s password policy?”

an attack. “IT is centralized silo,” he says. “Let’s not beat them up because … they don’t actually understand the assets. They just see servers. They don’t actually see the data on those

are important and which are not.” “This,” he says, “is the gap that enterprise risk manage-

ment and good governance solves.” -

agement. “Risk management is not only about identifying prob-

about saying, ‘Oh gosh, I already have 10 top risks I’m work- ing on. I don’t have time to add an 11th.’ ”

Take the existing risks, he says. Prioritize Break them down and prioritize them in an objective fashion. Cut the work down to the most important pieces to do and let risk management reduce both the workload and and cyber-secu- rity IT expenses.

Expensive bells whistles, in the form of specialized cy- ber-technology, are often used by companies as a knee-jerk response, Minsky suggests.

to poor governance,” Minsky says. “What they need to be

business continuity plan, on the existing procedures, and actually putting some risk weighting into them, so they

- ■

“Any party or device represents risk, and so every one of them must be included in

a monitoring program.”

Pamela Passman, CEO, Center for Responsible Enterprise and Trade

Copyright of Compliance Week is the property of Wilmington Group plc and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.