CHANNELS

Subscribe to the InfoTech eNewsletter

infoTECH News

TMCNet:  The WannaCry Legacy: How the Attack Will Shape Cybersecurity

[May 18, 2017]

The WannaCry Legacy: How the Attack Will Shape Cybersecurity

COLLEGE PARK, Md., May 18, 2017 /PRNewswire-USNewswire/ --�The WannaCry ransomware that has affected more than 230,000 computers in 150 countries now has largely halted its crawl across the globe, but experts at the University of Maryland's Robert H. Smith School of Business say the attack's real impact might be yet to come. They predict the assault could herald a turning point in cyber intrusions and in the way institutions handle cybersecurity.

"The damages from the attacks could have easily been avoided had the organizations followed well-known precautions � updating operating systems and installing recent security patches," says�Martin Loeb, Deloitte & Touche faculty fellow, professor and chairman of the Department of Accounting and Information Assurance at the Smith School. He co-authored the Gordon-Loeb Model for Cybersecurity Investments with Smith School colleague�Lawrence A. Gordon, EY alumni professor of Managerial Accounting and Information Assurance.�

The attack exploited known vulnerabilities in an older version of Microsoft Windows � vulnerabilities that could have been blotted out with recent patches. Now the widespread attack is exposing "the underinvestment in cybersecurity by many organizations," Loeb says.�

This could be one of the lasting legacies of the WannaCry attack, says�Sandor Boyson, research professor and co-director of the�Supply Chain Management Center�at the Smith School.

"When you don't do the patching and versioning, you don't get the full protection and full spectrum of defense against vulnerabilitis that companies have become aware of," says Boyson, who for nearly a decade has advised the National Institute of Standards and Technology on cyber supply chain risk management. "Patching and versioning deficiencies are a big problem."

Experts say remiss patching helps explain why institutions in China, where pirated software is more prevalent, were harder hit than in some other parts of the world. Chinese state media said the ransomware struck nearly 40,000 institutions in that country, including government agencies, banks, schools and information technology firms.�

Loeb and Gordon have spent 18 years warning companies to reconsider the amount of money they devote to cybersecurity issues, increasing allocations in some cases and distributing money more efficiently in others.

"These two concerns lie at the heart of the Gordon-Loeb Model for cybersecurity investments," Loeb says. The model, developed with research support from the Smith School and the National Security Agency, is explained�in this video.

Of course, ransomware, such as the kind deployed by WannaCry, is not new. Attacks like these have been increasing in frequency in recent years. But no attack has spread so widely before.�The WannaCry hackers were said to have demanded $300 ransoms from affected users, payable in the bitcoin digital currency. Sums paid worldwide appeared this week to be relatively modest, in the tens of thousands, not the millions or billions. But the ransoms were being paid, raising the spectre other attackers will try the same thing.

"We have seen these kinds of threats mutate into something far less benign," Boyson says. Sometimes, a hacker decides the single ransomware payment is not sufficient, so they write a code that allows them to attack the computer again, demanding another payment, in what's called an advanced persistent threat.

"The big problem is we don't see the incentives in place for a lot of change yet, either at the legislative level, the regulatory level or the legal insurance level," Boyson says. "We don't really see a converging set of incentives that would drive behavior."

But that could change, Boyson says, as attacks like WannaCry gain global attention.

Visit Smith Brain Trust for related content at�http://www.rhsmith.umd.edu/faculty-research/smithbraintrust�and follow on Twitter�@SmithBrainTrust.

About the�University of�Maryland's�Robert H. Smith School of Business
The Robert H. Smith School of Business is an internationally recognized leader in management education and research. One of 12 colleges and schools at the�University of�Maryland,�College Park, the Smith School offers undergraduate, full-time and part-time MBA, executive MBA, online MBA, specialty masters, PhD and executive education programs, as well as outreach services to the corporate community. The school offers its degree, custom and certification programs in learning locations in�North America�and�Asia.

Contact:�Greg Muraski�at 301-892-0973 or�gmuraski@rhsmith.umd.edu

To view the original version on PR Newswire, visit:http://www.prnewswire.com/news-releases/the-wannacry-legacy-how-the-attack-will-shape-cybersecurity-300460038.html

SOURCE University of Maryland's Robert H. Smith School of Business


[ InfoTech Spotlight's Homepage ]


blog comments powered by Disqus

FOLLOW US

Subscribe to InfoTECH Spotlight eNews

InfoTECH Spotlight eNews delivers the latest news impacting technology in the IT industry each week. Sign up to receive FREE breaking news today!
FREE eNewsletter