Cyber Due Diligence - Responding to WannaCry

Businesses worldwide have been impacted by WannaCry/WannaCrypt, the largest ransomware attack to date. Multiple bodies have issued warnings on the subject, and at time of posting, SEC has just issued a Risk Alert in response to an attack which has, to date, compromised more than 200,000 computers in over one hundred countries.

What are the takeaways for the asset management industry, and particularly for investors responsible for due diligence on their external managers? 

For due diligence practitioners, our guidance is practical – key (and straightforward) IT management policies such as awareness training, patch management and backups can protect and / or minimize impact on asset management firms due to this type of opportunistic ransomware.
 
What is WannaCry?
 
Ransomware is one of the most common threats in the cyber landscape – usually taking the form of a Trojan attack, where the malicious payload is disguised as a legitimate file. Once infected, the target machine’s contents are encrypted, and a ransom payment is demanded, typically in an untraceable digital currency (bitcoin), in exchange for the decryption key to ‘unlock’ the victim’s files and folders. Such attacks typically do not include any actual data exfiltration – the attacker has not retrieved a copy of an organization’s sensitive data, they have merely prevented the victim(s) from accessing the files, in place, on their own machines. To draw an analogy – nothing has been removed from your safety deposit box, but the attackers have replaced the lock, and you’ll have to pay handsomely for the new key. In the specific case of the WannaCry attacks, the malicious payload also made use of a known vulnerability in Windows’ Server Message Block (SMB) file sharing protocol, allowing it to propagate itself to other machines on closed local networks.
 
Three key areas of focus emerge from the analysis of the attack, which, if proactively addressed, can greatly reduce an asset manager’s exposure to such attacks: infiltration (awareness training), vulnerability (patch management), and data redundancy (backups).
 
Awareness Training:
Though it has not been positively confirmed to have been the initial point of infiltration in the case of WannaCry, the vast majority of ransomware, malware, viruses and other malicious exploits are introduced to an end machine manually – a phoney e-mail attachment or a file downloaded from a compromised website is executed by the user. To your security team’s great dismay, hardware and software security measures can absolutely be circumvented by social engineering and phishing attacks. The individuals and organizations attempting to compromise IT systems know that employees are often their easiest path onto a network, so comprehensive, thorough, and up-to-date training and testing programs are essential. An asset manager should be able to demonstrate that they work to train their employees to think critically about e-mails they receive, websites they visit, and USB storage devices they may discover. IT and information security teams will implement as many protections as they can, but if ownership of and accountability for cybersecurity is limited to those departments, they will fail.
 
Patch Management:
WannaCry was first reported on May 12, 2017, propagating itself between machines on a local network by exploiting a vulnerability for which Microsoft had issued a critical patch to modern operating systems on March 14th – two months prior. For organizations running Windows versions 7, 8, 8.1 & 10, this is a vulnerability which should not have been exploitable at the time that WannaCry hit. Brad Smith, Microsoft’s President and Chief Legal Officer, writes: “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.” Some organizations who had been compromised, such as Britain’s National Health Service, were vulnerable because their endpoints were still running Windows XP, which has been out of extended support by Microsoft since April 8, 2014. While there may be legitimate business reasons for maintaining legacy operating systems (custom software, regulatory requirements – in the case of medical devices), it must be forefront on an IT team’s radar that these machines pose enormous security challenges, and they should be isolated and associated risks mitigated appropriately. Thankfully it is rare (although not unknown) for asset managers to run such out of date operating systems.
 
Overall, focus and emphasis must be placed on timely testing of security patches as they are released. Regular updates to owned systems must also be enforced across the investment management organization.
 
Backups:
Ransomware is only one potential threat to an organization’s data. Endpoints and servers can become physically damaged, storage media can fail, data can become corrupt, and files can be deleted or modified as a result of inadvertent user error or malicious action (in the case of a termination or an otherwise hostile employee). If asset manager data exists on a single drive or on a single server, not only is that firm unduly vulnerable to a malicious ransomware attack which removes access to that single repository, the manager could also be exposed to any number of scenarios in which they suffer critical damage at a single point of failure. Business-critical data must be backed up, and those backups must be tested – as the saying goes, “You haven’t actually backed up until you have restored”.
 
In today’s world, unfortunately, the most prudent posture to take is to assume ‘when’ and not ‘if’ an asset manager (and an asset allocator) will experience a cyber attack. ‘Security by obscurity’ is a doomed strategy, as many cyber attacks aren’t targeted or focused on a single organization – particularly in the case of a ransomware attack, which, once authored, is relatively low-effort on the part of the attacker – the exploit is released, and the threat actor waits for the victim(s) to reach out to them with payment in exchange for a decryption key.
 
Asset managers entrusted with investor assets should plan for the very worst case scenario. Above all, on a regular basis, managers should test their recovery plans – as George S. Patton is credited with having said, “The more you sweat in peace, the less you bleed in war.”