On positive impact of ransomware on information security

I truly hate I need to write this. And I feel really sorry for those who were forced to learn it the hard way, but don't tell me you haven't been warned in advance years before. However.


— The end of compliance-driven security is now official. Petya is not impressed with your ISO27K certificate. Nor does it give a flying fsck about your recent audit performed by a Big4 company.
— Make prevention great again (in detection dominated world we live in now)! Too busy playing with your all-new AI-driven deep learning UEBA box? Ooops, your homework goes first. Get patched, enable smb signing, check your account privileges and do other boring stuff and then you may play.

Did I say BCP and business process maturity? Forget that, I was kidding, hahaha. That's for grown-ups.

Any sales pitch mentioning WannaCry is a scam.

snake oil
To suffer a significant damage from WannaCry, you need to craft a redundant clusterfuck of FIVE SIMULTANEOUSLY MET conditions:

  1. Failure to learn from previous cases (remember Cornflicker? It was pretty much similar thing)
  2. Workflow process failure (why do you need those file shares at all?)
  3. Basic business continuity management process failure (where are your backups?)
  4. Patch management process failure (to miss an almost two month old critical patch?)
  5. Basic threat intelligence and situational awareness failure (not like in «use a fancy IPS with IoC feed and dashboard with world map on it», more like «read several top security-related articles in non-technical media at least weekly»)

And after you won the bingo, you expect you can BUY something that will defeat such an ultimate ability to screw up? Duh.

I still fail to understand why ransomware is such a big deal



I've seen a lot of companies where it is not — not necessary big corporations with huge IT staff. There is just no reason to have anything of significant value on a workstation (and quite a few reasons to have it on a file share) and it is not a huge complication to live without it.

I'd be more worried about the fact that if you've got ransomware (or any malware at all) it means you have been compromised. And you are just lucky that the attacker was not sophisticated enough to get any other advantage of the situation (in a way that would be even more harmful to you), maintaining covert access for indefinite amount of time and silently ruining your business the way you wouldn't even be able to identify before it's too late.

So it is not about desktop backups, or antivirus, or advanced anti-APT self-guided silver bullets. It is about you.