The attack exploited known vulnerabilities in an older version of Microsoft Windows – vulnerabilities that could have been closed with recent patches. Now the widespread attack is exposing “the underinvestment in cybersecurity by many organizations,” Loeb says.
This could be one of the lasting legacies of the WannaCry attack, says Sandor Boyson, research professor and co-director of the Supply Chain Management Center at the Smith School.
“When you don’t do the patching and versioning, you don’t get the full protection and full spectrum of defense against vulnerabilities that companies have become aware of,” says Boyson, who for nearly a decade has advised the National Institute of Standards and Technology on cyber supply chain risk management. “Patching and versioning deficiencies are a big problem.”
Experts say lax patching helps explain why institutions in China, where pirated software is more prevalent, were harder hit than in some other parts of the world. Chinese state media said the ransomware struck nearly 40,000 institutions in that country, including government agencies, banks, schools and information technology firms.
Loeb and Gordon have spent 18 years warning companies to reconsider the amount of money they devote to cybersecurity issues, increasing allocations in some cases and distributing money more efficiently in others.
“These two concerns lie at the heart of the Gordon-Loeb Model for cybersecurity investments,” Loeb says. The model, developed with research support from the Smith School and the National Security Agency, is explained in this video.
Of course, ransomware, such as the kind deployed by WannaCry, is not new. Attacks like these have been increasing in frequency in recent years. But no attack has spread so widely before. The WannaCry hackers were said to have demanded $300 ransoms from affected users, payable in the bitcoin digital currency. Sums paid worldwide appeared this week to be relatively modest, in the tens of thousands, not the millions or billions. But the ransoms were being paid, raising the spectre that other attackers will try the same thing.
“We have seen these kinds of threats mutate into something far less benign,” Boyson says. Sometimes, a hacker decides the single ransomware payment is not sufficient, so they write code that allows them to attack the computer again, demanding another payment, in what’s called an advanced persistent threat.
“The big problem is we don’t see the incentives in place for a lot of change yet, either at the legislative level, the regulatory level or the legal insurance level,” Boyson says. “We don’t really see a converging set of incentives that would drive behavior.”
But that could change, Boyson says, as attacks like WannaCry gain global attention.
Visit Smith Brain Trust for related content at http://www.rhsmith.umd.edu/faculty-research/smithbraintrust and follow on Twitter @SmithBrainTrust.
About the University of Maryland’s Robert H. Smith School of Business
The Robert H. Smith School of Business is an internationally recognized leader in management education and research. One of 12 colleges and schools at the University of Maryland, College Park, the Smith School offers undergraduate, full-time and part-time MBA, executive MBA, online MBA, specialty masters, PhD and executive education programs, as well as outreach services to the corporate community. The school offers its degree, custom and certification programs in learning locations in North America and Asia.
Contact: Greg Muraski at 301-892-0973 or firstname.lastname@example.org
To view the original version on PR Newswire, visit: http://www.prnewswire.com/news-releases/the-wannacry-legacy-how-the-attack-will-shape-cybersecurity-300460038.html
SOURCE University of Maryland’s Robert H. Smith School of Business