In cyber space, everyone is a next door neighbour, and the physical location of an individual can be difficult to pinpoint. The internet, unfortunately, was never designed with security in mind. It is far too easy to falsify the source of a message – a capability at the heart of many phishing emails that purport to come from your bank but originate with cyber criminals.

The global cyber threat environment has become far more dangerous in recent months. Nation-state intelligence and military agencies have expended substantial resources building tools to gain access to the systems and networks they are targeting. However, the theft and subsequent publication of masses of material from intelligence agencies has resulted in the techniques that were formerly available only to national authorities now being accessible to cyber criminals and terrorist organisations.

These tools are dangerous. The recent spread of the ransomware known as WannaCry (and variants of WannaCry), which encrypted the contents of hundreds of thousands of computers in more than 150 countries, highlights the significant risks. The WannaCry malware used two previously classified vulnerabilities that were released by hackers from the trove of material stolen from intelligence agencies.

Global viruses

In addition, there are other forms of malware that were developed using the same vulnerabilities as WannaCry. One, in particular, causes the targeted computer to join a network of ‘zombie’ computers, dedicated to mining virtual (block chain) currency, resulting in payments being made to the perpetrators of the attack.

These incidents act like global infections, as the malware spreads with speed and a reach similar to a medical pandemic. The Middle East was among the regions affected.

Even before WannaCry, a number of high-profile malware attacks targeted individuals and companies based in or operating in the Middle East. The flame malware was a modular computer malware first identified in 2012, undertaking targeted cyber espionage activities in the region. A similar piece of modular malware, Shamoon, contained a wiper payload and was responsible for destroying 35,000 workstations in Saudi Aramco.

Flame and Shamoon were early major, modular, targeted malware attacks, designed to gather information and disrupt targets. Since then, we have seen an increasing number of successful attacks in the Middle East, targeting industries such as the energy sector.

So why was WannaCry so effective? It turned out that the key vulnerability –called ‘Eternal Blue’ – had been repaired in a security upgrade (a patch) released by Microsoft more than a month before the spread of the malware. But millions of machines either did not apply the security patch, or were running older versions of Windows. Due to the wildfire spread of WannaCry, Microsoft took the extraordinary step of releasing patches for older versions of Windows, going back to Windows XP. Another contributory factor was the use of unlicensed versions of Windows.

Immunising machines

Certainly, there are reasons why organisations may delay the implementation of a security patch. They may be using specialised equipment that could be damaged or rendered unusable by a given patch – a particular concern in industries such as oil and gas, where legacy systems and industrial control systems are expected to run for decades without being changed. There may be a concern that a specific patch could affect the operation of older software. Where these issues exist, there may be a need to run tests and to develop a strategy for limiting access to systems that cannot be updated, and to get the security patches out to the rest of the networks.

Our analysis shows a strong correlation between risk and an organisation’s cyber maturity. There is a global shortage of experienced information security professionals. The Middle East is not immune to this. Some organisations have not focused their cyber security efforts in a qualified chief information security officer (CISO), or formalised the reporting relationship of a CISO. Current thinking is that the CISO needs to be independent of the chief information officer.

Organisations that have achieved a good level of cyber maturity usually have effective cyber security. While no one has absolute immunity to something like WannaCry, an organisation with cyber maturity would probably have a programme to maximise the installation of the patches that would immunise its machines against the many variants of malware regularly encountered.

They would also have an incident response plan prepared, enabling them to react immediately when an incident is suspected. Organisational maturity in terms of cyber security readiness, including planning, regular review (both internal and external), and continual updates, will help companies manage the ever-changing threats.

 

Andrew Beckett (pictured) is the managing director and Alan Brill the senior managing director of cyber security and investigations at Kroll