SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
WannaCry shines spotlight on data privacy and compliance regulations
Thu, 25th May 2017
FYI, this story is more than a year old

Businesses with compliance regulations, data privacy laws and security mandates often admit that these responsibilities can add considerable cycles to their business-as-usual functions. Yet in the wake of the WannaCry/WannaCrypt outbreak, businesses following a comprehensive or mature regulatory data-security policy may be thinking differently.

A ransomware attack such as WannaCry aims to take data or systems hostage. When ransomed endpoints are also governed by data privacy and security mandates, the victim can face multiple consequences associated with the infringement of data or systems. They may be held accountable for the protection of that data under one of many data privacy policies.

In the case of a ransomware attack, the liability and consequences to victims can often stretch far beyond the results of lost data. There have been accounts where critical data has been held hostage, copied, or stolen during an attack and the data custodians faced addition substantial penalties.

However, the implications of increased accountability brought on by data security regulations have an upside for businesses facing exploits such as WannaCry. A company following a comprehensive data security mandate or security program will most often be better prepared to deal with such exploits. They are often already employing many of the common security controls necessary to ensure compliance with their regulatory responsibilities for keeping data safe.

These businesses must be ready to prove, under audit, that the controls protecting their data are in place, functional and auditable. They must be able to inspect the strength and effectiveness of their data security controls at all times.

Numerous data security and regulatory baselines throughout the globe can help to illustrate the blueprint for data security implementation. Most, if not all, have sections that help businesses to close data security gaps often found within the enterprise.

Common sections that deal explicitly with mitigating security vulnerabilities that can lead to a successful attack (such as the vulnerability exploited by WannaCry), will almost always be included. There are many great baselines and standards to choose from that cover a multitude of industry segments.

The NIST Cybersecurity Framework and the NIST 800-53, both contain sections that help to identify and mitigate security vulnerabilities. The Australian Signals Directorate Essential Eight and 35 mitigating strategies also apply considerable emphasis on ensuring priority patching to all operating systems.  Patching makes up a large share of the essential steps in mitigating strategies.

Finally, the PCI DSS (Payment Card Industry Data Security Standard) has specific requirements dedicated directly to mitigating operating system and application vulnerabilities from the scope of the enterprise. Requirements 6.1 and 6.2 of PCI DSS place importance on categorising, prioritising and patching security vulnerabilities across in-scope assets.

More importantly, it also requires the implementation of compensating controls when the original control cannot be applied - an alternate security control that takes the place of protecting the in-scope asset when the original control cannot be applied for business or technical reasons.

When security patches can no longer be acquired for an asset, it may become vulnerable to exploit if no other measure is applied.  In the case of WannaCry, some exploits targeted a vulnerability on the Windows family that was no longer supported.

All these frameworks and standards follow a common path when implementing data security. They tend to focus implementation maturity on the phases aligned with a standard attack - sometimes referred to as the cyber kill chain.

Carbon Black uses that same set of steps to help organisations measure the posture of their data security controls.  Our security framework is positioned to offer both exceptional security protection as well as auditable proof of continuous compliance regarding the data controls that must be inspected.

Step 1. Confirm your assets.  Ensure that you understand the full scope of your system assets, which ones are subject to your data policy and which assets could contain critical data. Understand what it is you need to protect and how that asset and its data may be changing. There are solutions to provide clarity on your endpoint assets in order that you may determine how you will protect them.

Step 2. Protect data integrity.  Now you know what you have and where it is, ensure that you know what mechanisms to put in place to protect the integrity of that data. Advanced data security solutions will help you to understand and control change, and adhere to how change should be occurring to your critical data.

Step 3. Monitor infrastructure against your policy.  By defining the policy to measure data security, you will be better prepared to eliminate the noise often associated with the modern enterprise. Selected data security solutions' policy adherence, monitoring and event prioritisation will help to collect and measure events and make decisions on actionable intelligence.

Step 4.  Mitigate threats.  With an organised and smaller subset of scope, businesses can now focus on implementing threat protection, detection and remediation.  Leading solutions will provide compensating controls and security-in-depth via application control when original controls are unavailable (i.e. no security patches available for unsupported OS or applications).

Step 5.  Prove enforcement of compliance and security policy. This is the step most often missed. A data security policy works only work if you can prove that you are applying the controls. Policy enforcement and regulatory data is standard intelligence required to ensure you are up to the challenge of protecting assets against attacks such as WannaCry. Unless you can prove that your security controls are active and effective, then you can never be too sure of the outcome in the event of an attack.

By taking these small steps to incorporate data security regulatory policies with security mechanisms, hopefully businesses will be in a better position when dealing with the next wave of exploits - and be able to eliminate the threats altogether.

These measures help us to deal with current threats as well as future ones, and move from a reactive stance to a proactive stance, aligned with a data-security policy or regulation that will help us stop the attack before it even has a chance to happen.