This blog post questions the hype surrounding the recent WannaCry ransomware worm and explains why IT executives and business leaders should not be up in arms over this "new" threat.
I want Independence! A Patch Tea Party! No patchation without reprevaluation!
Worms like WannaCry have been a problem since the 1988 Morris worm.
While it seems like a big problem, it is actually a fringe event (yes, even with the high-profile cases). Let's be clear: good, smart people are trying their best to make the best decisions they can, given the complexity of the systems they manage, the scarcity of resources they have, and the relentless challenges they face. The victims are not to blame, software vendors are not to blame, the government is not to blame. The attackers are to blame.
And the blame game doesn’t help anyway.
I have been in the security field since 1993 (and arguably the 5 years in the USMC before that, when I was dealing with the Michelangelo and Stoned viruses). I get that we should "do the basics." In fact, EVERYONE gets it. I've also been the person auditing hundreds of enterprises and responsible for the patch program at a major 20k-employee pharmaceutical company, and I know "the basics" are impossible to actually accomplish at a 100% level of perfection. (I know many of you have been there, too.)
What we need after WannaCry is not advice to "just do the basics" but advice on how to change the game so that we don't stay locked into this exercise in insanity. Patching still matters, but a program whose resilience depends on every host being patched before the next worm arrives will always be one missed cycle away from the next outbreak. It's NOT about patching anymore, it's about PATCH INDEPENDENCE! We MUST fight our way out of the wet paper bag that is the patch process and define a security program that is resilient not only to last week's worm and assorted malware, but to next week's, next month's, and next year's. This means looking hard at distributed integrity, application control, microvirtualization, deception, isolation, and any number of other approaches that are PATCH AGNOSTIC: controls that limit what malicious code can execute or reach regardless of whether a given patch has been applied.
And so I continue my quest to find the optimal mix of resource allocation to address the risk, the Risk Reduced per Unit Cost. I continue to look for a measured response to minor outbreaks that get major attention, like this incident (yes, really). I continue to look for insight into the security problem that is differentiated and useful, so we can build a practice based on economics, data, and evidence, with an acceptance that bad things will happen but that we can manage those bad things appropriately to meet the needs of the most digitally transformative organizations.
We need nuanced analysis of the potential for legal and regulatory action that is smart and includes INTELLIGENT ADVERSARIES as a key ingredient, not those tired, cliché-ridden laments about car safety (cars do not adapt their failure modes to defeat the seatbelt). We need real solutions that scale and satisfy the risk-aversion interests of our most progressive enterprise clients, which are also the most progressive companies in the world.
Whew! That was a load off! (and perhaps a load of...? ;-)) Seriously, thanks for giving me the opportunity to get that off my chest. I hope a few of you may consider it a call to action. I'm all ears if you do.
Think about it.
If you'd like to learn more about IDC's take on WannaCry, see IDC's WannaCry coverage.