Cybersecurity in the WannaCry era: what now?
(Rodrigo Fragola talks about the failure of the usual cybersecurity strategies, which are based on old dualities such as physical versus virtual risk or internal versus external risk)
Cybersecurity expert Rodrigo Fragola, CEO of Aker N-Stalker and vice president of two IT industry bodies, issued a kind of "red alert" at Gartner's international cybersecurity congress, which ended on the 9th in São Paulo.
In Fragola's view, the security industry is failing to keep up with the rapid technological evolution of cybercrime, and with the increased risks caused by the expansion of the "third platform", the intersection of cloud computing, interactive digital mobility and so-called "big data".
"Not long ago, the world witnessed the virtual avalanche caused by WannaCry, a type of threat based on basic hacking techniques that was still able to hijack the servers of big global companies.
And this is because cybercrime has deepened the automation of attacks, employing ever better strategies and reusing logical devices to fool the defenses," he says.
According to him, although a Windows flaw was identified as the primary vector for WannaCry's success, the attack made clear that a large number of companies still lack preventive processes to scan for, detect and fix vulnerabilities, processes that would let them get ahead of a massive attack.
"Even the most prepared companies still use risk management concepts structured around very slow practices. This is the case of periodic 'pentests' (controlled attacks carried out by so-called ethical hackers). These practices involve the top of hacker knowledge, but today we can say that they are excellent only for compliance purposes, i.e., to ensure audit and compliance with regulatory requirements.
But with regard to security itself, in many cases these tests work almost like an autopsy, and not as instruments to anticipate and curb the risk," says Fragola.
He points out that, for nearly 20 years, the security industry has been struggling in the same way with problems that are already well known, as is the case of zero-day attacks (the exploitation and criminal use of backdoor-type vulnerabilities).
In general, security technicians can find and map the vulnerabilities, but the window of time needed to fix the problem itself becomes the most pressing vulnerability, because information about the flaw is exposed and can be exploited by a large number of agents.
In the case of WannaCry, the executive recalls, there was a window of around three months between the discovery of the flaw and the mass attack.
Automated testing is the way out
Fragola proposes that vulnerability management and automated testing technologies be employed both in production environments and in DevOps processes (software development and testing). This practice, he believes, achieves greater scanning coverage and more frequent testing.
"Unlike a PenTest, which is usually limited, slow and expensive, automated tests are cheaper, can be used on all of a client's assets and can be repeated many times."
In the expert's view, automatic scans keep the user constantly informed about the risks, mitigating exposure levels, particularly for the most important business assets, and subjecting them to the company's risk management (GRC) policy. With this, he argues, organisations can arrive at more effective strategies for the correction timeframe and further reduce the risk window.
"For web applications, we can use the concept of 'Virtual Patch', whereby we apply a filter in the application protection system and prevent a bug from being exploited before it is detected and corrected, decreasing, once again, the risk window.
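To make the virtual patch idea concrete, the following added example (not code from the article, nor from Aker N-Stalker's products) puts a minimal rule-based filter in front of a web handler so that exploit-shaped input is rejected while the underlying bug remains unfixed; the `/download` endpoint, the `file` parameter, the `VP-0001` rule identifier and the traversal rule are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

@dataclass
class Request:                      # constructed stand-in for an HTTP request
    method: str
    path: str
    params: dict = field(default_factory=dict)

@dataclass
class VirtualPatch:
    """One rule: under path_prefix, reject a parameter whose decoded value
    matches deny_pattern. The bug stays unfixed; only exploit-shaped input
    is kept from reaching it until the real fix ships."""
    rule_id: str                    # hypothetical identifier for the audit log
    path_prefix: str
    param: str
    deny_pattern: re.Pattern

    def matches(self, req):
        if not req.path.startswith(self.path_prefix):
            return False
        value = req.params.get(self.param)
        if value is None:
            return False
        # Normalise before matching: a filter that inspects only the raw
        # string is sidestepped by percent-encoding the same bytes.
        return self.deny_pattern.search(unquote(value)) is not None

# Hypothetical rule guarding a simulated download endpoint against path traversal.
PATCHES = [VirtualPatch("VP-0001", "/download", "file", re.compile(r"\.\.[/\\]"))]

def apply_virtual_patches(req, patches=PATCHES, log=None):
    """Return (allowed, rule_id); denied requests never reach the handler."""
    for patch in patches:
        if patch.matches(req):
            if log is not None:
                log.append(f"DENY {patch.rule_id} {req.method} {req.path} {patch.param}={req.params[patch.param]!r}")
            return False, patch.rule_id
    return True, None

def handle(req, log=None):
    """Front door: virtual patch first, then the still-vulnerable handler."""
    allowed, rule_id = apply_virtual_patches(req, log=log)
    if not allowed:
        return 403, f"blocked by virtual patch {rule_id}"
    # The real, not-yet-fixed handler would serve the file here; simulated.
    return 200, f"served {req.params.get('file', '')}"
```

The audit log entries are what let a team measure how often the shielded bug is actually being probed while the permanent fix is still in the pipeline.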
"In a connected society governed by artificial intelligence, there is no room for excessively slow, artisanal solutions such as the PenTest," concludes Rodrigo Fragola.