The WannaCry attacks are already producing a dramatic ripple effect. There have been calls, for instance, for a mandatory obligation to report security vulnerabilities, as well as for greater responsibility on the vendor side. Our expert Maximilian Hoppe discusses the latest buzzwords among IT risks and how they affect Software Asset Management (SAM).
“We need a reporting obligation for security gaps, and it must also include state security authorities,” stated Telekom CEO Timotheus Höttges in reaction to the global WannaCry attacks. He called for a renunciation of mutual cyber-attacks and of cyber-pioneering, comparable to the international renunciations of certain weapons. This position is also represented politically by the DT Group, for example in a keynote by board member Claudia Nemat at the most recent meeting of the G20 Digital Ministers in Düsseldorf and in the reorientation of the Telekom Security business unit. Tracing the whole development of this discussion would go too far here.
Current IT Risks: Everyone Should be Familiar with these Buzzwords
Security vulnerabilities pose an immense risk to the public and private sectors alike. Attacks on hospitals demonstrate this fact as much as the smallest hack on individual PCs in multinational corporations.
The number of potential risks is staggering in this regard. Anyone involved with current IT risks will come across a stack of buzzwords:
Zero Day Exploits
Zero-day exploit is one of the terms that has acquired particular prominence, especially in recent years. It describes a risk that has existed from the software’s very first day without being patched. This issue became apparent, for instance, on Microsoft’s Patch Day in August 2017 because of a missing update for Server Message Block (SMB). Originally, the issue had become widely known in the wake of the Heartbleed Bug in 2014.
It is not just Microsoft that has problems with patches. The fact that vendors do not all face the same vulnerabilities merely compounds the issue. SAP recently patched 3 vulnerabilities in its CRM system that were assessed as particularly critical. An attack on these vulnerabilities is truly fatal, given that the database usually runs only in the background and is regarded accordingly, although it contains highly sensitive data.
SQL Injection
Manipulated database queries are used to probe websites for vulnerabilities and to locate inadequately filtered parameters.
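As an added illustration (not from the original article), the two Python lookups below show what "inadequately filtered parameter" means in practice: the same manipulated value changes the query logic when it is pasted into the SQL text, but is treated as plain data when bound as a parameter. The in-memory SQLite table, the user records and the function names are constructed for this example.

```python
import sqlite3

# Constructed user store standing in for a web application's database.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Build the constructed in-memory table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unfiltered(conn, name):
    """Vulnerable form: the request parameter becomes part of the SQL text,
    so a value containing quote characters rewrites the WHERE clause."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Hardened form: the value travels as a bound parameter. The database
    never parses it as SQL, so a manipulated value simply matches no row."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Row counts returned by (vulnerable, hardened) for the same input.
    A benign name yields (1, 1); a manipulated value yields (all rows, 0)."""
    conn = make_db()
    return len(lookup_unfiltered(conn, name)), len(lookup_parameterised(conn, name))
```

Note that binding parameters removes the problem at the root, whereas filtering or escaping input only narrows it; the count mismatch returned by `compare` is also a usable signal in an automated test that a parameter is being concatenated into SQL.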
Distributed Denial-of-Service (DDoS) Attacks
A distributed denial-of-service attack aims to achieve precisely what its name suggests: to bring a website’s services down. This is generally done by accessing the site from a huge number of computers and triggering so many operations that the targeted servers cannot process them all. The case of security expert and blogger Brian Krebs shows how dramatic the consequences can be: despite support, his website was brought to its knees under a flood of queries estimated at 600 to 700 gigabits per second. The risk is growing exponentially with the spread of the Internet of Things, as even an Internet-connected fridge can act as a bot.
Human Risk
The human risk is a hot topic in any security seminar. Whether through executable macros or bad links, individual users can quickly put an entire company network at risk.
What do IT Risks Mean for Software Asset Management?
Software Asset Management (SAM) affects many areas of an enterprise, so it is imperative to keep a close eye on developments. The latest statements by BSI President Schönbohm that greater responsibility should be placed on the manufacturers raise a large number of questions, for instance how update processes will change in future and how companies can adapt to the new scenario.
Microsoft’s Current Branch for Business model in particular shows the path vendors prefer. After all, patch days are both a blessing and a curse for them. On the one hand, the systems they offer need to be as secure as possible; on the other, they are reluctant to force major customers in particular to accept permanent update processes. Last but not least, patch development itself ties up internal resources. Yet proprietary vendors remain responsible for patching known vulnerabilities if they are not to become liable toward their customers.
How will Vendors Satisfy their Duty to Patch Vulnerabilities?
Mainly by outsourcing. It is already standard practice to pay for the identification of bugs and vulnerabilities. Microsoft, for instance, recently established such a scheme for its most recent operating system, Windows 10. Vendors also try to provide support in other ways: Microsoft has released a self-assessment tool for compliance with the European General Data Protection Regulation (GDPR), aimed especially at GDPR compliance in the cloud.
Prevention Thanks to Software Portfolio Management
Companies need to take the initiative as well, at the very least by ensuring that all security patches released by the software vendors are installed as quickly as possible. But that can only happen if companies know their status quo: what software is actually installed? Which critical patches are missing?
The next step is to decide whether to place tighter restrictions on potentially risky products with regard to their support. By reevaluating them more frequently than standard products? Can unsupported software simply be blacklisted, and if so, how will this affect productive operations?
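As an added example (not from the original article), the Python below runs the two status-quo questions and the blacklist question against a constructed inventory export and a constructed vendor baseline: which hosts run software that is missing the current critical patch, which products are past vendor support, and how many hosts a blacklist would hit. All host names, product names, versions and dates are invented for this example.

```python
from datetime import date

# Constructed inventory export: (host, product, installed version).
INVENTORY = [
    ("ws-001", "OfficeSuite", "16.0.8201"),
    ("ws-002", "OfficeSuite", "16.0.8431"),
    ("srv-01", "CRMServer", "7.0.12"),
    ("srv-02", "LegacyDB", "9.2.1"),
    ("srv-03", "ShadowTool", "1.0"),
]

# Constructed vendor baseline: lowest version carrying the current critical
# patch, and the vendor's end-of-support date (None = still supported).
VENDOR_BASELINE = {
    "OfficeSuite": {"min_patched": "16.0.8431", "end_of_support": None},
    "CRMServer": {"min_patched": "7.0.14", "end_of_support": None},
    "LegacyDB": {"min_patched": "9.2.1", "end_of_support": date(2016, 12, 31)},
}


def version_key(version):
    """Dotted numeric version -> int tuple, so '16.0.8431' sorts above '16.0.900'."""
    return tuple(int(part) for part in version.split("."))


def assess(inventory, baseline, today):
    """Return (host, product, finding) triples: missing critical patch,
    product past vendor support, or product unknown to the baseline."""
    findings = []
    for host, product, installed in inventory:
        info = baseline.get(product)
        if info is None:
            # Software nobody tracks cannot be patched on purpose: flag it.
            findings.append((host, product, "not in vendor baseline"))
            continue
        eos = info["end_of_support"]
        if eos is not None and eos < today:
            findings.append((host, product, f"unsupported since {eos.isoformat()}"))
        if version_key(installed) < version_key(info["min_patched"]):
            findings.append((host, product,
                             f"missing critical patch ({installed} < {info['min_patched']})"))
    return findings


def blacklist_candidates(findings):
    """Unsupported products mapped to the hosts still running them, i.e. the
    productive impact of blacklisting each product."""
    impact = {}
    for host, product, finding in findings:
        if finding.startswith("unsupported"):
            impact.setdefault(product, set()).add(host)
    return impact
```

Version strings with non-numeric parts (build tags, letters) would need a more tolerant `version_key`; the plain integer split is enough for the constructed data here.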