By Robert Schofield, Senior Solutions Architect, NetCentrics, and Thomas Cook, Senior Systems Engineer, NetCentrics
Nearly one year ago, WannaCry emerged as one of the most prolific and disruptive cyber attacks in history, affecting more than 200,000 computers in 150 countries. Initially, the National Security Agency uncovered the WannaCry vulnerability, but hackers leveraged it to create a crypto worm which encrypted data on Microsoft Windows operating systems, demanding ransom payments in the form of Bitcoin to unscramble the data.
Chaos ensued and although patches were issued, trepidation about recurrences lingers today, especially after the Connecticut state CIO announced in February that WannaCry had recently targeted 160 computers at 11 different agencies, and most recently Boeing announced that it was a victim as well. In addition, there are increasing concerns about the growth of ransomware in general, as 27 percent of organizations experienced a ransomware attack last year – more than doubling from 2016, according to research from the Ponemon Institute and Accenture.
More recently, the city of Atlanta was hit by the dreaded SamSam ransomware, causing city services to grind to a halt and leaving residents unable to pay for essential services like water. Police were forced to hand-write reports, causing efficiency to plummet. Although a response team was assigned immediately, the attack effectively crippled the city, and the extent of personal data that was compromised still remains uncertain.
Given the potential impact of such a threat – from systems being compromised to the potential release of personal information – federal leaders, CIOs, and CISOs should ask IT teams whether their agency networks and systems are adequately defended from ransomware and other forms of attack. The challenge many government agencies face is determining a single, cohesive answer from disparate sources of information.
Why? Because tools supplied to cover the three essential steps of cybersecurity – systems management, anti-virus protection, and incident scanning – deploy different technologies and techniques to report data. There is no “single pane of glass” to deliver simple “yes” or “no” answers to inquiries about whether a particular network area is vulnerable or secure. Plug in one tool and you’ll get one answer. Plug in another, and you’ll receive a contrasting response. There are as many interpretations of “reality” as there are products providing it.
In general, we have found that tools will “agree” upon about 90 percent of a cyber asset assessment. Still, this leaves 10 percent as the dreaded “uncertain,” and that’s troubling. An agency may oversee 50,000 systems, after all, so 10 percent will leave 5,000 in question. It only takes one major threat to compromise one vulnerability to trigger widespread operations disruption and the loss of critical and/or sensitive data. If you deploy a dozen separate tools which come to a dozen contradictory conclusions, then you’re just getting more confused in the process, as opposed to arriving at clear, actionable insights.
In the best of possible worlds, there would be one, authoritative database to collect all information from all tools and produce a unified, reliable report about the presence of vulnerabilities. We’re not at this point yet, but we can get there by designating specific IT teams to determine a common identifier for every tool deployed.
Examples of such identifiers include a MAC address, IP address, system name or GUID; whichever is chosen must stay consistent across every tool. Keyed on that identifier, each tool would report its data about every network area and system assessed in a consistent manner, so the results can be fed into one database that will – finally – deliver “single pane,” accurate answers to the questions, “Are we protected? If not, which areas do we need to patch?”
The “single pane” solution would require automation to eliminate many tedious, time-consuming manual efforts in determining common identifiers and inputting consistent data from multiple sources into one database.
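The correlation step described above, as an added example that is not part of the original article or of any NetCentrics product: three constructed tool exports (a systems-management agent, an anti-virus console and a vulnerability scanner) each name assets and format MAC addresses their own way, so a small adapter per tool maps every record onto one normalized MAC address as the common identifier. The unified table then yields the “single pane” answer per asset: protected, unprotected, uncertain (the tools disagree) or coverage gap (at least one tool never saw the asset). The tool names, field names, hostnames and MAC addresses are all hypothetical.

```python
"""Correlate per-asset findings from several security tools under one common
identifier (a normalized MAC address) and classify each asset for a single-pane
report. Added example; every record, tool name and field name below is constructed."""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed exports. Each tool uses its own hostname form, MAC format and
# vocabulary for "is this asset protected against the threat in question?".
SYSTEMS_MGMT = [
    {"hostname": "WS-0001", "mac": "00:1A:2B:3C:4D:5E", "critical_patch_applied": True},
    {"hostname": "ws-0002", "mac": "00:1A:2B:3C:4D:5F", "critical_patch_applied": False},
    {"hostname": "ws-0003", "mac": "00:1A:2B:3C:4D:60", "critical_patch_applied": True},
]
ANTIVIRUS = [
    {"computer": "WS-0001.agency.local", "hw_addr": "00-1a-2b-3c-4d-5e", "status": "protected"},
    {"computer": "WS-0002.agency.local", "hw_addr": "00-1a-2b-3c-4d-5f", "status": "exposed"},
    {"computer": "WS-0003.agency.local", "hw_addr": "00-1a-2b-3c-4d-60", "status": "protected"},
    {"computer": "WS-0004.agency.local", "hw_addr": "00-1a-2b-3c-4d-61", "status": "protected"},
]
VULN_SCAN = [
    {"target": "ws-0001", "mac": "001a2b3c4d5e", "finding": "not vulnerable"},
    {"target": "ws-0002", "mac": "001a2b3c4d5f", "finding": "vulnerable"},
    {"target": "ws-0003", "mac": "001a2b3c4d60", "finding": "vulnerable"},
]


def normalize_mac(raw: str) -> str:
    """Reduce any vendor MAC format (colons, dashes, bare hex, mixed case)
    to 12 lowercase hex digits so it can serve as the common identifier."""
    mac = "".join(ch for ch in raw.lower() if ch in "0123456789abcdef")
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


# One adapter per tool: (its records, a function mapping one record to
# (common identifier, verdict)) where verdict True means "protected".
Adapter = Tuple[List[dict], Callable[[dict], Tuple[str, bool]]]
ADAPTERS: Dict[str, Adapter] = {
    "systems_mgmt": (SYSTEMS_MGMT, lambda r: (normalize_mac(r["mac"]), r["critical_patch_applied"])),
    "antivirus": (ANTIVIRUS, lambda r: (normalize_mac(r["hw_addr"]), r["status"] == "protected")),
    "vuln_scan": (VULN_SCAN, lambda r: (normalize_mac(r["mac"]), r["finding"] == "not vulnerable")),
}


def correlate(adapters: Dict[str, Adapter] = ADAPTERS) -> Dict[str, Dict[str, bool]]:
    """Build the unified table: common identifier -> {tool name: verdict}."""
    table: Dict[str, Dict[str, bool]] = defaultdict(dict)
    for tool, (records, to_common) in adapters.items():
        for record in records:
            ident, verdict = to_common(record)
            table[ident][tool] = verdict
    return dict(table)


def classify(verdicts: Dict[str, bool], expected_tools: int) -> str:
    """Turn one asset's per-tool verdicts into a single-pane status."""
    if len(verdicts) < expected_tools:
        return "coverage_gap"          # some tool never reported this asset
    if all(verdicts.values()):
        return "protected"
    if not any(verdicts.values()):
        return "unprotected"
    return "uncertain"                 # the tools contradict each other


def single_pane(adapters: Dict[str, Adapter] = ADAPTERS) -> Dict[str, List[str]]:
    """Group every asset by status; each list is sorted for stable output."""
    report: Dict[str, List[str]] = {k: [] for k in ("protected", "unprotected", "uncertain", "coverage_gap")}
    for ident, verdicts in correlate(adapters).items():
        report[classify(verdicts, len(adapters))].append(ident)
    return {status: sorted(idents) for status, idents in report.items()}


def agreement_rate(adapters: Dict[str, Adapter] = ADAPTERS) -> float:
    """Share of fully-covered assets on which all tools agree (the article's ~90 percent)."""
    covered = [v for v in correlate(adapters).values() if len(v) == len(adapters)]
    agreed = sum(1 for v in covered if len(set(v.values())) == 1)
    return agreed / len(covered) if covered else 1.0


def needs_action(adapters: Dict[str, Adapter] = ADAPTERS) -> List[str]:
    """Answer 'which areas do we need to patch?': everything not confirmed protected."""
    report = single_pane(adapters)
    return sorted(report["unprotected"] + report["uncertain"] + report["coverage_gap"])


if __name__ == "__main__":
    for status, idents in single_pane().items():
        print(f"{status:13s} {', '.join(idents) or '-'}")
    print(f"tool agreement: {agreement_rate():.0%}")
    print("needs action:", ", ".join(needs_action()))
```

The point of the adapter layer is that the database schema never has to know each vendor's export format; adding a fourth tool means writing one more adapter, and `classify` automatically treats assets that the new tool has not yet seen as a coverage gap rather than silently counting them as protected. In practice the "uncertain" and "coverage gap" lists are the ones worth an analyst's time, since they are exactly the 10 percent the article describes.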
Fortunately, attaining a “single pane” state is possible. It’s a matter of “selling” the idea conceptually and then digging deeper into the necessary analytics to make it happen. Industry leaders would have to document realistic ROI projections which validate the value of this undertaking, then collaborate with government partners to set it into motion. Once an initiative transforms an individual agency for a successful business case, broader adoption typically follows.
But we should not wait for the next WannaCry before taking action. If history has taught us anything, it’s that there will be another threat of equal or greater consequence and that we must proactively examine present cybersecurity tools and techniques – as well as the management of the people using them – to develop a better way to determine security preparedness by consolidating data from different tools. Through analytics and automation, we can establish the “single pane” we seek. And the resulting clarity will empower us to identify our weaknesses, and then eliminate them.
About the Authors
Robert Schofield is Sr. Solutions Architect with a BS in Information Technology and an MS in Information Systems. He has over 15 technical certifications in various areas, including Microsoft, VMware products, and ITIL v3. Robert has 20 years of experience supporting the DoD at an enterprise level, with 8 years of active duty in the Armed Forces. Robert has worked for NetCentrics since 2007, most recently supporting the management of worldwide deployments of Enterprise Management (Microsoft System Center) capabilities to the USCG. He was previously the Technical Program Manager, supporting several customers, such as the US Army NETCOM, JSP, CIA, DIA, Secretary of Defense and others.
Thomas Cook is a Sr. Security Engineer at NetCentrics. With over 20 years of IT experience and involvement in the Department of Defense environment, Thomas has gained in-field knowledge and insight at several levels of the federal government. In addition to an MS in Information Technology, he has achieved multiple certifications, including Microsoft, ITIL, and CISSP. Thomas has also worked to implement new technologies and improve existing software implementations with customers at NETCOM, the Joint Service Provider, the Secretary of Defense, the US Coast Guard, and others.