The ransomware and wiper malware that affected companies around the world in huge ways should be a watershed moment for all of us in infosec. If we ever needed relevant real world scenarios for upper management / board level conversations... this should be a game changer!

1. AN INFOSEC WATERSHED MOMENT
Rob Ferrill, CISO UAB Health System

2. DEFINITION
wa·ter·shed
/ˈwôdərˌSHed,ˈwädərˌSHed/
1. An event or period marking a turning point in a course of action or state of affairs.
2. Synonyms: turning point, milestone, landmark

3. HIJACKINGS
• What would you surmise the mindset of the pilot / crew / passengers if a plane was
hijacked prior to 9/11?
• How did 9/11 change that mindset?
• What security controls exist today that didn’t exist prior to 9/11? (next slide)
• What priority was this given after 9/11?
• Shortly after the terrorist attack on the United States, President Bush provided twenty
billion dollars for the upgrading of intelligence and security
http://www.ifpo.org/resource-links/articles-and-reports/protection-of-specific-environments/the-evolution-of-airline-security-since-911/

4. WATERSHED MOMENT FOR AIRLINES
• The biggest change was the creation of the TSA just months after 9/11
• Identification requirements: ID must be presented, name must match ticket
• Shoe removal: Most travelers must remove shoes at checkpoints
• Baggage: All baggage whether carry-on and checked must be screened
• Liquid ban: No liquids allowed through security in containers larger than 3.4
ounces
• Special items: Most travelers must remove toiletries and laptops from bags
• Jackets: Most travelers must remove outerwear during screening
• Enhanced pat-downs: This extra screening is sometimes administered
• No welcome committees: Only ticketed travelers are now allowed at airline gate
areas
• Cockpit doors: These have been reinforced and stay locked during flights
https://www.farecompare.com/travel-advice/9-ways-security-has-changed-since-911/

5. INFOSEC WATERSHED EVENTS
International Event
• August 15th, 2012 – Saudi Aramco –
Shamoon malware partially wiped or totally
destroyed the hard drives of 35,000
company computers
Domestic Event
• On November 24th, 2014 – Sony Pictures
Entertainment was breached seemingly by
the GOP (Guardians of Peace) and had over
100 terabytes of data stolen
https://www.darkreading.com/attacks-breaches/inside-the-aftermath-of-the-saudi-aramco-breach/d/d-id/1321676
https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-sony-implemented-36022

6. WHAT ARE THE RECENT THREATS?
WannaCry – May 12th, 2017
• True ransomware propagating using
EternalBlue exploiting MS17-010
• Wannacry crippled computers in at least
150 countries and economic losses are
estimated at $4 billion
• Motive… financial gain?
Companies Affected
• UK’s National Health Service
• US hospitals (undisclosed)
• FedEx
• Nissan
• Renault
• Hitachi
• Russia (banks, telecom, railway, etc.)
• Police in one Indian state
• Universities in China (over 100k pc’s)
• Chinese police

7. ANOTHER RECENT THREAT
NotPetya – June 27th 2017
• Destructive “wiper” malware
• Propagation also using EternalBlue
exploiting MS17-010
• Motive… disruption, maybe nation state
testing the waters?
Companies Affected
• Major healthcare vendor (Nuance)
affected by NotPetya ($30m loss)
• Portion of FedEx affected (Intl shipping)
”may never be recovered” $300m
• Maersk shipping indicated a $200m-$300m
loss
• Merck allegedly had 90,000 machines
affected

8. HOW TO DEFEND?
• If you happen to be in Healthcare… HHS states that ransomware is automatically
considered a breach until proven otherwise; setup a process to engage third
party forensics to analyze and offer a risk assessment of the probability of a
breach
• An incident response plan should be in place to respond quickly with specific
steps to follow in the event of ransomware
• Communicate as quickly as possible when an infection like ransomware occurs
so that appropriate teams can engage and hopefully avoid costly issues
• Patch your systems, verify patching is working through vulnerability scans,
segment your high risk and critical systems off user networks
• Continuous monitoring of network activities, file movements, threat detection
and correlating these events is essential
• Continuous assessment of risk culminating in the remediation or acceptance of
identified vulnerabilities via a plan of action

9. WILL WE EVER LEARN?
• To quote a colleague in the industry… “look at what happened to Home Depot,
Target, TJ Maxx. Everyone still shops there. Maybe they had a temporary dip, but
no permanent damage”
• From a discussion at the 2017 Cyber Summit in Cambridge, Mass last week…
“Nobody will take security seriously until they’re hurt in new ways”.
https://www.cnbc.com/2017/10/09/greylocks-sarah-guo-us-doest-take-data-security-seriously-enough.html

10. Q&A
• Any questions?