{"id":7757,"date":"2017-05-25T06:00:17","date_gmt":"2017-05-25T14:00:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/25\/news-1542\/"},"modified":"2017-05-25T06:00:17","modified_gmt":"2017-05-25T14:00:17","slug":"news-1542","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/25\/news-1542\/","title":{"rendered":"WannaCry Highlights Major Security Shortcomings Ahead of GDPR D-Day"},"content":{"rendered":"<p><strong>Credit to Author: Trend Micro| Date: Thu, 25 May 2017 13:48:37 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"205\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-300x205.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-300x205.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-125x85.jpg 125w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-640x438.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-440x301.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-380x260.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr.jpg 700w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>For all the panic it caused, WannaCry looks finally to have been contained by organisations round the globe. But this isn\u2019t the time to forget about it and move on. There are valuable lessons to be learned about this attack, why it was so successful and what can be done to prevent it happening again. 
The unpalatable truth is that many of those organisations caught out by WannaCry earlier this month could face punitive fines if the same kind of thing happens again in a year\u2019s time.<\/p>\n<p>That\u2019s right: the EU General Data Protection Regulation (<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/online-privacy\/the-general-data-protection-regulation-gdpr-highlights-privacy-in-the-digital-age\">GDPR<\/a>) is coming, adding a whole new level of urgency for firms that have realised, after WannaCry, that they need a major cybersecurity overhaul.<\/p>\n<p><strong>Data breach or ransomware?<\/strong><\/p>\n<p>On first look, there might not be anything obvious to link a ransomware attack to forthcoming European data protection law. After all, those hit by WannaCry had their data encrypted by attackers rather than stolen. However, a closer look at <a href=\"http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&amp;from=EN\">the GDPR<\/a> tells a different story.<\/p>\n<p>Article 4(12) states:<\/p>\n<p><em>\u201c\u2018personal data breach\u2019 means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.\u201d<\/em><\/p>\n<p>Once WannaCry had encrypted it, customer data had been accessed without authorisation and was lost to the controller, or arguably destroyed, even though none of it left the network.<\/p>\n<p>Similarly, Article 5(1)(f) has this:<\/p>\n<p><em>\u201cPersonal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (\u2018integrity and confidentiality\u2019).\u201d<\/em><\/p>\n<p>What\u2019s more, Article 32(1) requires data controllers and processors, taking account of \u201cthe state of the art\u201d, to \u201cimplement appropriate 
technical and organisational measures to ensure a level of security appropriate to the risk\u201d.<\/p>\n<p>Article 32(2) adds:<\/p>\n<p><em>\u201cIn assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.\u201d<\/em><\/p>\n<p><strong>WannaCry was preventable<\/strong><\/p>\n<p>How did organisations get hit by WannaCry? By failing to patch a known Windows SMBv1 vulnerability (CVE-2017-0144), fixed by Microsoft in security bulletin MS17-010 on 14 March 2017. WannaCry used the EternalBlue exploit for that flaw to spread, worm-fashion, to any reachable host still exposing SMBv1 on TCP port 445, dropped its ransomware payload there, and encrypted files with 176 extensions, including those used by Microsoft Office, databases, file archives, multimedia files, and various programming languages. Of course, among these files was the all-important customer data set to be regulated by the GDPR.<\/p>\n<p>So what would this mean in the eyes of the regulators? First, that any firms handling customer data which were hit by WannaCry would potentially have been guilty of allowing \u201cunauthorised or unlawful processing\u201d of this regulated data. They also technically suffered a personal data breach, despite no data being stolen, by virtue of that data being lost or <em>de facto<\/em> destroyed in the ransomware attack.<\/p>\n<p>More damning still, because the official Microsoft patch had been available for almost two months before the 12 May outbreak, the victim organisations could be said to have failed to take adequate security measures given the evident risks. Where a host cannot be patched, virtual patching (an intrusion-prevention rule that blocks the exploit traffic before it reaches the vulnerable service) protects unpatched or unsupported systems, and disabling SMBv1 removes the attack surface altogether.<\/p>\n<p><strong>Getting security right<\/strong><\/p>\n<p>Scores of NHS Trusts and countless other organisations were caught out by WannaCry. But if it had happened just over a year later, they could have been on the hook for non-compliance with GDPR principles. 
Those fines reach up to \u20ac20m or 4 percent of global annual turnover, whichever is higher, for breaches of the Article 5 principles (Article 83(5)); failings under Article 32 alone sit in the lower tier of \u20ac10m or 2 percent (Article 83(4)). They\u2019d also have been required, under Article 33, to notify the supervisory authority (the ICO for UK organisations) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it was unlikely to result in a risk to individuals, and under Article 34 to tell the affected individuals where that risk was high. Notification in itself could cause a bigger fallout in terms of negative publicity and associated costs.<\/p>\n<p>This month marks one year until GDPR&#8217;s implementation and the message is simple: best practice security protected organisations against WannaCry and it will help protect them against GDPR fall-out after May 25, 2018.<\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/wannacry-highlights-major-security-shortcomings-ahead-gdpr-d-day\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Trend Micro| Date: Thu, 25 May 2017 13:48:37 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"205\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-300x205.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-300x205.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-125x85.jpg 125w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-640x438.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-440x301.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr-380x260.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/dpd-gdpr.jpg 700w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>For all the panic it caused, WannaCry looks finally to have been contained by organisations round the globe. But this isn\u2019t the time to forget about it and move on. 
There are valuable lessons to be learned about this attack, why it was so successful and what can be done to prevent it happening again&#8230;.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[3765,714],"class_list":["post-7757","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-ransomware","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7757"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7757\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7757"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
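As an added example, not part of the Trend Micro post or of the WordPress record above, here is the host-level check that follows from the "WannaCry was preventable" section: a PowerShell audit that reports whether SMBv1 is enabled, whether one of the MS17-010 knowledge-base updates is installed, and whether TCP 445 is listening, then prints the one-line remediation. It assumes an Administrator session on Windows 8.1 / Server 2012 R2 or later (for the SmbShare and NetTCPIP cmdlets, with a registry fallback for older builds), and that the KB list, copied from the March 2017 MS17-010 bulletin, has since been superseded by cumulative updates, so a "no KB listed" result on a host patched after April 2017 is a prompt for manual verification rather than proof of exposure. The function and variable names are the example's own.

```powershell
# Added example (not from the original post): audit a Windows host for the two
# conditions that made it a WannaCry target, SMBv1 enabled and MS17-010 missing.
# Assumptions: run as Administrator; Windows 8.1 / Server 2012 R2 or later for the
# Smb* and Net* cmdlets; the KB list is from the March 2017 MS17-010 bulletin and is
# superseded by later cumulative updates, so "no KB listed" means "verify", not "vulnerable".

# Updates that shipped the CVE-2017-0144 fix, by platform (security-only and monthly rollup).
$Ms17010Kbs = @(
    'KB4012598',               # Vista / Server 2008 (and the XP / Server 2003 out-of-band release)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012606',               # Windows 10 1507
    'KB4013198',               # Windows 10 1511
    'KB4013429'                # Windows 10 1607 / Server 2016
)

function Get-Smb1State {
    # Prefer the SMB cmdlets; fall back to the LanmanServer registry value that
    # older builds honour. An absent registry value means SMB1 is still on.
    try {
        return (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value = (Get-ItemProperty -Path $path -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        if ($null -eq $value) { return $true }
        return [bool]$value
    }
}

function Get-Ms17010Status {
    # Match installed hotfixes against the bulletin's KB list.
    $installed = Get-HotFix |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
    if ($installed) { return "patched ($($installed -join ', '))" }
    # Hosts that received the fix inside a later cumulative update land here.
    return 'no MS17-010 KB listed; verify the OS build / cumulative update level'
}

function Test-Port445Listening {
    # TCP 445 is the worm's propagation path; a listener is only a problem if it is
    # also reachable from untrusted networks, which this local probe cannot tell you.
    $addr = (Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' } |
        Select-Object -First 1).IPAddress
    if (-not $addr) { return $false }
    return (Test-NetConnection -ComputerName $addr -Port 445 -InformationLevel Quiet)
}

$report = [pscustomobject]@{
    Host             = $env:COMPUTERNAME
    Smb1Enabled      = Get-Smb1State
    Ms17010          = Get-Ms17010Status
    Port445Listening = Test-Port445Listening
}
$report | Format-List

if ($report.Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled. Disable it unless a documented dependency requires it:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    Write-Warning '  (Windows 8.1/10 clients: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol)'
}
```

Run it from an elevated prompt on each host, or push it through your configuration-management tooling and collect the `$report` objects centrally; a host that shows `Smb1Enabled : True` and `Port445Listening : True` with no MS17-010 KB is the profile WannaCry was written for, and disabling SMBv1 closes the door even before the patch lands.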