To say that financial services sector and other information technology (IT) security professionals have been busy lately would be an understatement.
During the past two months, major ransomware attacks, coming just weeks apart, hit global businesses, non-governmental organizations and governments. The Wannacry and NotPetya cryptoworms leveraged a security exploit that enables hackers to execute arbitrary code on targeted computers.
As a security professional, the most frustrating part is that the attacks were preventable. Microsoft Corp. had released a security patch months before Wannacry hit. Yet, many organizations, which were too slow to install it, paid for their sluggishness. These included the U.K.'s National Health Service, which had to temporarily turn away non-critical emergencies and ambulances.
Even the widely publicized WannaCry attack wasn't enough to convince everyone to patch — or upgrade — their systems. This, in turn, left many others vulnerable to the NotPetya virus, which hit just a few weeks later.
So why did so many IT teams fall short?
One reason relates to the high cost of updating legacy software systems, which generally have unpatched security holes. A prime example is the Windows XP operating system (OS), which still holds a market share of almost 7% and still runs on many financial advisors' computers.
Microsoft no longer supports Windows XP. As a result, many users were unaware that the company had released a WannaCry/NotPetya patch. In fact, whether Microsoft will release patches for future security holes for this 16-year-old OS is unknown. Hence, the importance of upgrading is an onerous burden that all businesses need to confront.
A new Windows licence can cost around $140 per user and Windows XP users, who paid cash for lifetime licences, are naturally reluctant to cough up the extra dough. Worse, software upgrades generally require additional staff training, testing and deployment costs. Those costs add up because many businesses run scores of software packages and applications.
The upshot is that IT security professionals in the financial services sector need to conduct rigorous cost-benefit analyses regarding whether it's worth it to keep legacy "paid for" software on their networks when the associated security vulnerabilities are taken into account.
That said, performing detailed risk assessments of software security vulnerabilities is not easy. Although there are several excellent risk-assessment framework tools on the market, ranging from Mehari to eBios and OCTAVE, they're often complex and hard to use.
Many smaller IT departments streamline the process by detailing the risks on a simple Excel spreadsheet. These sheets generally include columns that list: software assets; items that could affect them negatively; how often this might occur; and a projection of possible impacts — financial or otherwise.
Once the impact of a ransomware attack is calculated, IT security managers can then compare it to the overall cost of upgrading. One thing is certain: the recent multiplication of cyberattacks suggests that the probability assessment portion of those equations just increased.
I recently learned about the results of a software inventory assessment that a colleague performed. The business he worked for identified 2,000 different packages and applications — individual programs and different version combined. That's a lot to keep track of.
Worse, corporate networks and software stacks are highly complex. Applications are rife and the popularity of freely available open-source solutions means we see software interoperability that we couldn't have imagined a few years ago. This increases IT protection challenges dramatically.
In my opinion, overall IT solutions need three core elements: overall visibility regarding IT operational environments; proper use of use of security tools is also key; and businesses need to follow IT security best practices. Although your firm's IT team is responsible for overall network visibility, you can make a difference in the other two areas.
For example, are you doing work on personal IT equipment? If so, do you keep track of security patches as they appear and install them on a timely basis, as needed? Do you have an antivirus program? Is it up to date?
Better still: the next time to talk to your firm's IT support people, make sure to ask about when they're planning to patch and upgrade key company systems.