The WannaCry ransomware attack infected hundreds of thousands of computers worldwide by exploiting a vulnerability in outdated, unpatched Microsoft Windows systems. It highlighted failures in patching and the risks of governments stockpiling software exploits. Cyber-security experts recommend that organizations implement regular system patching, strong access controls, user training, asset management, and monitoring to help prevent future attacks.
56 JULY 2017
WWW.COMPLIANCEWEEK.COM

{CYBER-SECURITY}
Risk management lessons of the WannaCry ransomware

A global hack attack that held organizations' data hostage for Bitcoin ransoms raises serious regulatory issues, disclosure debates, and risk management concerns. Joe Mont has more on the worldwide cyber-security event.

The crisis of the moment in cyber-space is WannaCry, a nasty piece of ransomware attacking organizations around the globe. Those unfortunate enough to be infected have their data held hostage, only to be returned and unlocked once a specified ransom is paid. The spotlight on this cyber-threat du jour has sparked renewed debate over risk management and the need to break down corporate silos.

Ransomware, an increasing problem for anyone with a computer on a network, arrives by several routes. Common attacks include e-mails that look legitimate and seem to be from a known sender, but are engineered to trick the recipient into opening a malignant bit of code. Once loose, the code encrypts the victim's files and demands payment for the key; other malware instead opens an illicit data pipeline out of the organization. Malware can also be embedded in Websites, waiting for an unsuspecting click to open the door.

WannaCry ransomware (also known as WCry and Wanna Decryptor) exploited a vulnerability in outdated, unpatched Microsoft Windows operating systems. Unlike most ransomware, it spread on its own from machine to machine across networks, which is why a single infected host could take down a whole organization. Microsoft (which released a patch for the vulnerability, for its then-supported operating systems, in March) is blaming the National Security Agency for letting one of its experiments in software subterfuge into the wild.
The regulatory perspective

On May 17, amid ongoing waves of the cyber-attacks, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) issued a ransomware alert. The alert drew on a recent sweep in which OCIE examined 75 SEC-registered broker-dealers, investment advisers, and investment companies to assess practices associated with cyber-security preparedness. Among the findings:

» Five percent of broker-dealers and 26 percent of advisers and funds examined did not conduct periodic risk assessments of critical systems to identify cyber-security threats, vulnerabilities, and the potential business consequences.
» Five percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
» While all broker-dealers and 96 percent of investment management firms examined had a process for regular system maintenance, including the installation of software patches to address security vulnerabilities, some firms still had systems that were missing important updates.

Although not related to the latest ransomware attack, the episode recalls a 2016 SEC enforcement action in which Morgan Stanley Smith Barney agreed to pay a $1 million penalty to settle charges related to its failures to protect customer information. The safeguards rule of Regulation S-P requires registered broker-dealers, investment companies, and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."
Is it a breach?

A second question is whether, and when, a ransomware attack must be disclosed in accordance with breach-notification rules. For healthcare organizations and their business associates covered by the Health Insurance Portability and Accountability Act's privacy rule there may not be much debate or wiggle room: a ransomware attack that encrypts protected health information is presumed to be a breach to which the notification rules apply, according to the Department of Health and Human Services. Members of Congress have written to HHS and encouraged it to focus on guidance for healthcare providers to respond to ransomware attacks under the disclosure and notification rules. "If a ransomware attack affects a patient's medical record or medical services, the patient needs to know as quickly as possible," the congressmen wrote.

HHS's guidance points to requirements the HIPAA security rule already imposes: conducting a risk analysis to identify threats and vulnerabilities, and implementing access controls that limit access to protected information to only those persons or software programs requiring access. Pamela Passman, CEO of the Center for Responsible Enterprise and Trade, puts the broader point this way: "You need people, a process, and technology." Monitoring is the weak link in most organizations, she says. Security "measures are useless unless there is a process to make sure they are being enforced."
"Breaches rarely occur because of insufficient technology; this is a governance problem. Many organizations react by conducting employee training. Training increases awareness but has proven ineffective at changing behavior."
Steven Minsky, CEO, LogicManager
Internal systems need "to be assessed to gain transparency into vulnerabilities, but it is also important to identify, assess, and manage the profusion of devices that connect to the organization's network," she explains. "Any party or device represents risk, and so every one of them must be included in a monitoring program."

A checklist of advice for IT departments, as suggested by Austin Berglas, senior managing director at the investigations firm K2 Intelligence, includes:
» Patch all Windows systems as soon as possible.
» Filter e-mails with zipped or otherwise obfuscated attachments.
» Regularly back up systems and keep the backups separate from the primary network (offline, or otherwise unreachable from an infected host) to provide a reliable restore option in case of an infection.
» Closely monitor logs and activate anomaly detection processes for user and network behavior. Review and manage logs and alerts through a central system.
» Develop a software update procedure that calculates the risk and criticality level of each pending update, and prioritize critical system updates.
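The fourth item, centralised logs with anomaly detection for network behaviour, can be made concrete. What follows is an added example, not code from the article or from K2 Intelligence: a small Python detector that reads flow records from an assumed central log export (the line format, the addresses, the choice of port 445 and the thresholds are all assumptions for illustration) and flags any host that contacts an abnormal number of distinct hosts on one port within a short window. That fan-out is the signature of self-propagating ransomware such as WannaCry, and it is visible in ordinary firewall or flow logs long before any file is encrypted.

```python
"""Fan-out detection over centrally collected network flow logs.

Added example, not code from the Compliance Week article or any vendor it
quotes. It assumes flow records sit in one central log store and can be
exported as whitespace-separated lines of the form
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <allow|deny>
The log format, hosts, port (445, Windows file sharing) and thresholds are
assumptions chosen for the illustration.
"""
from collections import defaultdict
from statistics import median


def parse_flow_log(text):
    """Parse the assumed line format into a list of dicts; skips blanks/comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, action = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "action": action})
    return records


def max_fanout_per_source(records, dport, window):
    """For each source, the largest number of distinct destinations it reached
    on `dport` inside any `window`-second span. Denied attempts count too: a
    scanning host is identified by what it tries, not only by what succeeds."""
    by_src = defaultdict(list)
    for r in records:
        if r["dport"] == dport:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    result = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> occurrences inside the window
        best, left = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # slide the left edge forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def detect_scanners(records, dport=445, window=60, min_fanout=8, k=5.0):
    """Flag sources whose peak fan-out is far above the population's.
    Baseline is median + k * MAD, which the outlier being hunted cannot drag
    upward; it is floored at `min_fanout` so a tiny or uniform population
    cannot yield a threshold of one."""
    fanout = max_fanout_per_source(records, dport, window)
    if not fanout:
        return []
    values = list(fanout.values())
    base = median(values)
    mad = median(abs(v - base) for v in values) or 1.0
    threshold = max(min_fanout, base + k * mad)
    hits = [(src, n) for src, n in fanout.items() if n > threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def build_sample_log():
    """Constructed sample: twenty workstations each reach two file servers on
    445 during an hour and browse on 443, while one workstation sweeps
    10.0.5.1-60 on 445 inside about twenty seconds."""
    t0 = 1494950400   # arbitrary epoch (2017-05-16 16:00:00 UTC), constructed
    lines = []
    for i in range(1, 21):
        ws = f"10.0.5.{100 + i}"
        for j, server in enumerate(("10.0.1.10", "10.0.1.11")):
            lines.append(f"{t0 + i * 60 + j * 7} {ws} {server} 445 allow")
        lines.append(f"{t0 + i * 30} {ws} 203.0.113.10 443 allow")
    for i in range(1, 61):
        action = "allow" if i % 5 else "deny"   # some targets expose no SMB
        lines.append(f"{t0 + 1800 + i // 3} 10.0.5.23 10.0.5.{i} 445 {action}")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, n in detect_scanners(parse_flow_log(build_sample_log())):
        print(f"ALERT fan-out {src}: {n} distinct hosts on 445 inside 60s")
```

Run stand-alone it raises one alert, for the sweeping workstation, and stays silent for the twenty normal ones. The design choices worth copying are the robust baseline (median and MAD rather than mean and standard deviation, so a single worm cannot inflate its own threshold) and counting denied connections, since a host probing the whole subnet mostly fails.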
Firms should also raise employee awareness of the danger of phishing e-mails. "Human error is often more dangerous than technical failures. Most of the breaches and attacks you hear about are successful because they are exploiting some kind of human error," says Berglas, a former assistant special agent in charge of the FBI's Cyber-Branch in New York.
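Awareness training is the human layer; the checklist's second item, filtering e-mails with zipped or otherwise obfuscated attachments, is the technical one that catches the click a trained user still makes. Below is an added example of such a gateway policy in Python, not code from the article or from any firm it quotes. It constructs a phishing-style message with the standard library and judges each attachment by its real file header as well as its name (so a renamed executable is caught), opens zip archives to inspect their members recursively, and blocks whatever it cannot scan. The extension lists, depth limit and sample message are assumptions for illustration.

```python
"""Mail-gateway attachment policy for zipped or otherwise obfuscated attachments.

Added example, not code from the Compliance Week article or any firm it
quotes. The policy is an assumption for illustration: documents pass;
executables and scripts are blocked by extension OR by file header (so a
renamed .exe is caught); zip archives are opened and their members checked
recursively; encrypted members, other archive formats and over-deep nesting
are blocked because the gateway cannot scan them.
"""
import io
import zipfile
from email.message import EmailMessage

EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".js", ".jse", ".vbs",
             ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".jar"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTS = {".zip", ".7z", ".rar", ".gz", ".tgz", ".tar", ".iso", ".img"}
MAGIC = [(b"MZ", "Windows executable"), (b"PK\x03\x04", "zip archive"),
         (b"Rar!\x1a\x07", "rar archive"), (b"7z\xbc\xaf\x27\x1c", "7z archive")]
MAX_DEPTH = 2   # archives nested deeper than this are blocked unopened


def sniff(data):
    """Identify content by its leading bytes, ignoring the claimed name."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return None


def check_attachment(filename, data, depth=0):
    """Return the reasons to block this attachment; an empty list means allow."""
    reasons = []
    name = filename.lower()
    ext = ("." + name.rsplit(".", 1)[1]) if "." in name else ""   # last extension
    kind = sniff(data)
    if ext in EXEC_EXTS:
        reasons.append(f"executable/script extension {ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled document {ext}")
    if kind == "Windows executable":       # catches invoice.pdf that is really MZ
        reasons.append("content is a Windows executable (MZ header)")
    if kind == "zip archive" or ext == ".zip":
        reasons.extend(inspect_zip(data, depth))
    elif kind in ("rar archive", "7z archive") or ext in ARCHIVE_EXTS:
        reasons.append(f"{kind or ext}: cannot be inspected by this gateway")
    return reasons


def inspect_zip(data, depth):
    """Apply the same policy to every member of a zip archive."""
    if depth >= MAX_DEPTH:
        return ["archive nested deeper than policy allows"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a readable zip (corrupt or deliberately malformed)"]
    reasons = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:   # encrypted member: nothing we can scan
                reasons.append(f"{info.filename}: encrypted member cannot be scanned")
                continue
            reasons.extend(f"{info.filename}: {r}" for r in
                           check_attachment(info.filename, zf.read(info), depth + 1))
    return reasons


def inspect_message(msg):
    """Map each attachment filename to its block reasons."""
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts[name] = check_attachment(name, part.get_payload(decode=True))
    return verdicts


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_message():
    """Constructed phishing-style message (no real malware): a clean PDF, a zip
    holding a double-extension 'PDF' that is really an .exe plus a nested zip
    with a script, and a 'PDF' whose bytes start with an MZ header."""
    inner = make_zip({"run.js": b"// constructed placeholder\n"})
    outer = make_zip({"invoice.pdf.exe": b"MZ\x90\x00 constructed stub",
                      "inner.zip": inner, "readme.txt": b"plain text"})
    msg = EmailMessage()
    msg["From"], msg["To"] = "accounts@example.com", "payables@example.org"
    msg["Subject"] = "Invoice 4471 attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed sample\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(outer, maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"MZ\x90\x00 constructed stub", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg


if __name__ == "__main__":
    for name, reasons in inspect_message(build_sample_message()).items():
        print(f"{name}: {'BLOCK ' + '; '.join(reasons) if reasons else 'allow'}")
```

The clean PDF passes; the zip is blocked twice over (its member is both a double-extension name and an MZ file, and the nested zip carries a script); the renamed executable is blocked on content alone. Blocking what cannot be scanned, rather than passing it, is the policy decision the checklist's wording implies: a password-protected archive is exactly the obfuscation it names.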
From a technical aspect, the attacks are due to a lack of patching, he explained. So why, if a patch was released in March, were so many systems still exposed two months later?

"It highlighted the fact that lots of organizations internationally are using outdated operating systems," Berglas says. Where patching has lagged, executives and directors should try to understand why the work was so delayed. "It seems like that would be a reasonable thing to ask," he suggests. "What people don't always understand is how complex and disruptive patching can be."

If you run a large environment, you are getting lots of updates, for applications as well as operating systems. Patching may disrupt existing programs, not at all desirable if all programs are expected to run seamlessly. It also takes time to test and install updates and restart, especially with 24/7 expectations of e-commerce, Websites, and data availability. Taking systems down to patch them, Berglas says, can mean "losing all that business."

When you are getting bombarded with updates, how do you decide what to apply first? It starts with knowing your assets and how they are connected.

MICROSOFT BLOG POST
The following are excerpts from a blog post, appearing on Microsoft's webpage, by President and Chief Legal Officer Brad Smith.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.

Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber-security threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new "Digital Geneva Convention" to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it's why we've pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it's in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we're putting this principle into action and working with customers around the world.

We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cyber-security attacks. More action is needed, and it's needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us."

Source: Microsoft
"Then it boils down to what the industry calls a layered approach," Berglas says. "There is no one silver bullet that is going to save you from any of these attacks. The CEO, CRO, general counsel, and board of directors all need to work together to mandate internal employee training on phishing and social engineering, and how to protect both the business and your personal life from these types of attacks."

"You start with [front-line employees] because it is the weakest link," he adds. "They are operating on the end point, and that is what is going to give the bad guys access into the corporate environment. Using the layered approach, you want to make sure individuals inside the company are only granted the access privileges they need to do their job and no more."
Training is also needed at the senior executive and middle management level. "There should be tabletop exercises about what would happen within the organization if this occurs tomorrow," Berglas says, and firms should revisit their business continuity plan "to make sure they are integrated across all business lines."

"It is a board-level decision on how long the business can operate at 10 or 20 percent capacity after an attack," he adds. "Those decisions can only be made with a good continuity plan in place so you know who is in charge and understand the current environment and the risks you may undertake."
Steven Minsky, CEO of LogicManager, an enterprise risk management provider, has a unique viewpoint on ransomware attacks: they illustrate a governance problem, not a technology problem.

"Breaches rarely occur because of insufficient technology; this is a governance problem," he recently wrote for his company's blog. "Many organizations react by conducting employee training. Training increases awareness but has proven ineffective at changing behavior."

"Two other important parts of the equation are access rights and asset management," he says. "Do all employees have access to only the applications they need to perform [their jobs? Is that] information documented and included in your company's password policy?"

IT departments, he argues, cannot on their own judge the business consequences of an attack. "IT is a centralized silo," he says. "Let's not beat them up because … they don't actually understand the assets. They just see servers. They don't actually see the data on those [servers, or know which] are important and which are not."

"This," he says, "is the gap that enterprise risk management and good governance solves."
The same discipline applies to risk management itself.

"Risk management is not only about identifying problems," he says. "It is also about saying, 'Oh gosh, I already have 10 top risks I'm working on. I don't have time to add an 11th.'"

Take the existing risks, he says. Break them down and prioritize them in an objective fashion. Cut the work down to the most important pieces to do, and let risk management reduce both the workload and cyber-security IT expenses.

Expensive bells and whistles, in the form of specialized cyber-technology, are often used by companies as a knee-jerk response, Minsky suggests. Most of these problems, he says, trace "to poor governance." "What they need to be [focused on is the] business continuity plan, on the existing procedures, and actually putting some risk weighting into them, so they …" ■

"Any party or device represents risk, and so every one of them must be included in a monitoring program."
Pamela Passman, CEO, Center for Responsible Enterprise and Trade
Copyright of Compliance Week is the property of Wilmington Group plc and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
66 Industrial Engineer
We strive for the perfect work day

I support the development of evaluations for the performance management and improvement of academic faculty and staff at Javeriana University. This involves factors such as information systems, best practices analysis and case studies.

One thing that allows me to do my job is the ability to work in an interdisciplinary professional environment, which recognizes that everyone has something to contribute. I work for a university that has a mission to guide students in all the stages in undergraduate and graduate programs, as well as research and extension programs. My job has internal customers that are the key element of the system: professors and academic directors.

At Javeriana University, the educational process is based on a relationship between professor and student. Professors have an important role in that relationship, which helps generate the development of consulting and extension projects. Javeriana University prepares people who can serve the country and the world at large, and I put my 2 cents in the organization to achieve the strategic objectives. That's what gives me the most satisfaction.

My perfect day begins with the preparation of reports related to performance management. I use MicroStrategy BI and data analysis software such as Minitab. Then, I have meetings with professors to design and implement new improvements on projects to speed up processes. After lunch, I prepare to submit some policies and changes aligned with the last meeting I had with my boss. At the end of the workday, I meet with other people from my team to speak on the progress achieved for the day and prepare ourselves for an increasingly challenging day tomorrow.

I want to continue gaining experience in project management and process improvement. I also plan to prepare myself for applying to an MBA program in the U.S. or U.K.

— Interview by David Brandt

Alexander Cardenas Ramos
Project management coordinator - professorial affairs
Javeriana University
Bogotá, Colombia

Resumé
2014 Project management coordinator - professorial affairs, Javeriana University, Bogotá, Colombia
2013 Entrepreneurship and leadership certificate, University of Texas-Arlington
2013 Business intelligence consultant, LOGYCA-GS1 Colombia
2013 Joined IIE
2012 M.S., industrial engineering, Javeriana University, Bogotá, Colombia
2011 Management analyst, Colsubsidio
2011 B.S., industrial engineering, Javeriana University, Bogotá, Colombia

Copyright of Industrial Engineer: IE is the property of Institute of Industrial Engineers and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.