WannaCry is the ransomware that began spreading this past Friday (12 May 2017) and has already infected close to a quarter of a million Microsoft Windows systems across roughly 150 countries. It demands $300 in bitcoin to decrypt your files, rising to $600 if you wait too long.
The ransomware spreads to unpatched Windows systems as a computer worm, exploiting a flaw in the SMBv1 protocol (the one Microsoft fixed in March with MS17-010), and reportedly also arrives through phishing emails.
It’s believed that WannaCry’s worm component uses the NSA’s EternalBlue exploit, which the Shadow Brokers published in April, a month after Microsoft had patched the underlying vulnerability.
Keep your systems patched (apply MS17-010 now), disable SMBv1 where you can, block inbound TCP 445 at the perimeter, keep good offline backups of your data, and be suspicious of the emails you get!
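Here is a quick audit-and-harden script for a single Windows host, added here as an example and not part of the original post or of any Microsoft guidance. It assumes an elevated PowerShell session, uses the SMB and firewall cmdlets that exist on Windows 8 / Server 2012 and later (with a registry fallback for Windows 7 / 2008 R2), and the hotfix IDs in it are the ones I recall from the MS17-010 bulletin: verify them against the bulletin for your own OS builds before relying on the first check.

```powershell
# Added example: check for the MS17-010 fix, turn off the SMBv1 server, and
# block inbound TCP 445 from non-local addresses. Run elevated.

# Hotfix IDs as recalled from the MS17-010 bulletin (assumption: verify per OS).
$kbsForMs17010 = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

# 1. Is the MS17-010 fix present? Later cumulative updates supersede these IDs,
#    so a miss on a fully patched Windows 10 host is not by itself a finding.
$installed = Get-HotFix | Where-Object { $kbsForMs17010 -contains $_.HotFixID }
if ($installed) {
    "MS17-010 fix present: $($installed.HotFixID -join ', ')"
} else {
    "WARNING: none of the MS17-010 hotfix IDs found; check Windows Update history"
}

# 2. Is the SMBv1 server still enabled?
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / 2008 R2: no SMB1 value means SMBv1 is enabled (the default)
    $reg  = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $smb1 = ($null -eq $reg) -or ($reg.SMB1 -ne 0)
}
"SMBv1 server enabled: $smb1"

# 3. Disable SMBv1 on the server side.
if ($smb1) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    }
    "SMBv1 server disabled (Windows 7 / 2008 R2 needs a reboot for this to take effect)"
}

# 4. Block inbound SMB from outside the local network (Windows 8 / 2012 and later).
$ruleName = 'Block inbound SMB from Internet'
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        "Firewall rule added: inbound TCP 445 blocked from non-local addresses"
    }
}
```

The SMBv1 check and the patch check are independent: a host can carry MS17-010 and still expose SMBv1, and disabling SMBv1 protects against EternalBlue even on a host you cannot patch yet, as long as nothing on your network still depends on the old dialect.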
I had a slightly engaging discussion regarding the scoring of impact, with human life being one of the factors. (Think of a negative event with the factors being reputation, financial, property and human life as part of the equation.)
What value do we place on ourselves when it’s an injury? Or loss of limb? If (and again, this was just a thoughtful discussion, so not to be taken too seriously) a person is missing a limb, are they worth as much? Does that count as a 1 in a chart where likelihood is one loss in x number of years?
Possibly to an employer, but to the person who lost that limb, they probably value their life even more! They probably mean more to their families who may care for them even more than before!
The discussion can be taken further by looking at the probability of a threat to a grouping of people. Horrific, I’m sure. But the same threat to a hospital with disabled people who may be missing limbs… the value of human loss is magnified. At least in the public eye.
WikiLeaks describes its recent “Vault 7” release of CIA material this way:
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
The agency’s Center for Cyber Intelligence (CCI) had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other “weaponized” malware. Such is the scale of the CIA’s undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its “own NSA” with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.
There seemed to be a lack of this mapping everywhere, so here is my contribution: a mapping of the NIST Cybersecurity Framework (by function and category) to the ISO 27001 Annex A control groups and to the NIST SP 800-53 control families. The CSF’s own informative references already tie each subcategory to individual ISO 27001:2013 controls and 800-53 Rev. 4 controls; this rolls those references up to the group and family level, which is the level most people actually plan and report against.
Quantitative risk analysis is achievable, can be pragmatic, and can actually out-perform qualitative risk analysis in the face of complex issues like intelligent adversaries. Join Jack Jones, the original author of the Factor Analysis of Information Risk (FAIR) framework, and (ISC)2 to learn more about FAIR. Jack will highlight both the quantitative use-cases and the ways in which FAIR can be leveraged to improve qualitative risk analysis.
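To make the “quantitative” part concrete, here is a small FAIR-style Monte Carlo simulation. It is an added illustration, not code from the webinar, from Jack Jones or from the FAIR standard, and it also answers the “one loss in x number of years” question raised in the risk-scoring discussion above: instead of a single likelihood cell, loss event frequency becomes a distribution. It follows FAIR’s decomposition of loss event frequency (LEF) into threat event frequency (TEF) times vulnerability, with every input given as a min / most-likely / max (PERT) range; the scenario numbers are constructed for the example and are not anyone’s real estimates.

```python
"""FAIR-style Monte Carlo of annualized loss exposure (ALE).

Added illustration, not FAIR's reference implementation. LEF = TEF * Vuln,
each a PERT range; loss magnitude (LM) per event is a PERT range in dollars.
All scenario inputs below are constructed for the example.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Modified-PERT estimate: low / most likely / high."""
    low: float
    mode: float
    high: float

    @property
    def mean(self) -> float:
        return (self.low + 4 * self.mode + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:
            return self.low
        spread = self.high - self.low
        # PERT is a scaled Beta whose shape parameters put the mode at `mode`
        alpha = 1 + 4 * (self.mode - self.low) / spread
        beta = 1 + 4 * (self.high - self.mode) / spread
        return self.low + spread * rng.betavariate(alpha, beta)


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for a sampled LEF (Knuth's method;
    adequate for the small yearly rates used here)."""
    limit = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        count += 1
        p *= rng.random()
        if p <= limit:
            return count - 1


# Constructed estimates for one scenario (say, a worm reaching an unpatched
# file server): TEF in attempts per year, vulnerability as the probability an
# attempt succeeds, LM in dollars per loss event.
TEF = Pert(0.2, 1.0, 4.0)
VULN = Pert(0.1, 0.5, 0.9)
LM = Pert(10_000, 50_000, 500_000)


def expected_ale(tef: Pert, vuln: Pert, lm: Pert) -> float:
    """Point estimate: E[TEF] * E[Vuln] * E[LM], assuming independence."""
    return tef.mean * vuln.mean * lm.mean


def simulate(tef: Pert, vuln: Pert, lm: Pert, years: int = 10_000, seed: int = 1) -> dict:
    """Simulate `years` independent years and summarise the annual-loss distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = tef.sample(rng) * vuln.sample(rng)        # loss events per year
        n_events = poisson(rng, lef)
        losses.append(sum(lm.sample(rng) for _ in range(n_events)))
    losses.sort()

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "mean": sum(losses) / years,
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p_over_250k": sum(1 for x in losses if x > 250_000) / years,
    }


if __name__ == "__main__":
    print(f"point estimate ALE: ${expected_ale(TEF, VULN, LM):,.0f}")
    for name, value in simulate(TEF, VULN, LM).items():
        print(f"{name:>12}: {value:,.2f}")
```

The point estimate and the simulated mean agree, but the mean is not what a decision maker needs: most simulated years lose nothing, the median is far below the mean, and the tail (the chance of a year costing more than $250k) is what a “high / medium / low” cell silently hides. That skew is the argument for quantifying rather than scoring.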