NotPetya seemed to be a pretty rude awakening for some organizations – realizing that vendors and business partners previously thought to be “benign” can be the source of significant risk. This should not be surprising after the Target and Home Depot breaches. The initial distribution mechanism of NotPetya was through auto-updates to business software. We know that NotPetya propagated on a network using a few different tactics. A number of organization were infected with no apparent connection to the original distribution mechanism, meaning that the infection very likely propagated through network connections between organizations.
One of the fundamental challenges we seem to have in cyber security is a lack of imagination – imagination for how attacks can happen. As is the case in some many things, we seem to be stuck fighting yesterday’s problem. After Target and Home Depot, we started interrogating our HVAC vendors pretty hard, presumably DOUBLING or TRIPLING the number of security related questions on our vendor management questionnaires. Possibly the issue here is that each organization needs to learn the lesson for its self and the situation really is improving in aggregate, but I am growing cynical in old age. It seems that we are not hitting the problem head, instead choosing to “accept risks” that we choose not to understand.
Certainly a big headwind is the extreme complexity of IT environments, though I am not sure that means we should just default to “well, we followed ISO27k” (aka. sticking head-in-sand). It seems that a better solution would be to break the problem up into “trust-able components” with a reliable/predictable demarcation, and limiting the trust between systems and networks.
Is there any reason – any at all – that a malicious update some Ukrainian tax software should end up infecting unrelated subsidiaries/parent companies in other countries, or hospitals in the US?
One of the issues I see with such a strategy is that it necessarily causes IT to cost more, almost regardless of how it’s implemented. But without it, we end up with interconnections that criminals, nation-states, and others can leverage for mass destruction. Particularly interesting to me is that the risk decisions of one organization can impact many, many organizations down stream – both from a “cyber contagion” but also from a simple economic perspective, if we consider the effects NotPetya caused on global shipping and WannaCry caused on delivery of health care.