A Maturity Primer for Vulnerability Coordination

At the FDA Cyber Summit in Washington, DC, in January 2016, issues concerning the security of medical devices and patient records were discussed, and several resolutions were passed by key policy experts and attendees/manufacturers. Make no mistake, I’m still of the opinion that the healthcare industry is the most technologically retarded. There are too many well-intentioned yet fragmented efforts in healthcare cybersecurity, and it’s time we brought them together.

Less than seventy-two hours ago, patient records and systems across the UK National Health Service were compromised by ransomware that, according to early reports, has hit roughly seventy-five thousand machines in ninety-nine countries. Attacks like this are fast becoming the norm, and I believe CISOs, C-level executives, and even last-mile employees/end-users should challenge the prevailing narrative by employing the right strategies. Most organisations should focus on addressing vulnerabilities and stop living in denial: the question is not IF a breach will happen, but WHEN.

The way we approach vulnerability concerns shapes our organisations’ posture, our customers’ perceptions, and our ability to defend against threats. It is time to adopt new strategies, because today’s threats cannot be remedied by yesterday’s. The standards for vulnerability disclosure (ISO/IEC 29147) and vulnerability handling processes (ISO/IEC 30111) remain valuable, but seeking innovative methods is the right approach. The Vulnerability Coordination Maturity Model, inspired by other well-known maturity models, will assist organisations to:

  • Appraise their level of preparedness in the event of a breach and their ability to act on the vulnerability reports submitted to them, for example by the Information Systems/Information Security Auditor.
  • Prioritise a list of activities to increase their effectiveness in responding to security bug reports in their own software or services.
  • Establish guidelines and goals to improve their vulnerability coordination and security over time.

The Vulnerability Coordination Maturity Model, published by HackerOne, focuses on five capability areas, namely:

  • Organisational: This focuses on the people, processes, and resources that handle potential vulnerabilities. In the maturity model, each area has three levels of capability: Basic, Advanced, and Expert. At the Basic level, you have executive support to respond to vulnerability reports and a commitment to security and quality as core organisational values. The Advanced level adds a documented policy and process for addressing vulnerabilities in accordance with ISO/IEC 29147, ISO/IEC 30111, or a comparable framework. At the Expert level, you have executive support, defined processes, a budget, and dedicated personnel to handle vulnerability reports.
  • Engineering: To address reported issues, you need an engineering team that can do the analysis. The team must be able to evaluate and remediate security holes and improve the software development lifecycle. At the Basic level, you have a clear mechanism for receiving vulnerability reports and an internal bug database to track them through resolution; ISO/IEC 29147 is a good reference point here. At the Advanced level, you have a dedicated security bug-tracking system and documentation of security decisions, deferrals, and trade-offs. At the Expert level, the team uses vulnerability trends and root cause analysis to eliminate entire classes of vulnerabilities. Refer to ISO/IEC 29147, 30111, and 27034 as guides.
  • Communications: The focus here is on communicating vulnerabilities to internal and external audiences. At the Basic level, you have the ability to receive vulnerability reports and a verifiable channel to distribute advisories to the affected parties. At the Advanced level, you have tailored, repeatable communications for each audience, including security researchers, partners, customers, and media. At the Expert level, you provide structured information-sharing programmes with coordinated distribution of remediations.
  • Analytics: This is where you apply the insights you have gained about vulnerabilities to analyse data, identify trends, and improve processes. At the Basic level, you track the number and severity of vulnerabilities over time to measure improvement in code quality. At the Advanced level, you use root cause analysis to feed findings back into your software development lifecycle. At the Expert level, you use telemetry and real-time threat detection to drive dynamic pivots in the remediation strategy.
  • Incentives: This area concerns motivating vulnerability researchers to report issues directly to you. At the Basic level, you give thanks or small gifts such as T-shirts and, most importantly, state in your vulnerability disclosure policy that no legal action will be taken against anyone who reports bugs in good faith. At the Advanced level, you give financial rewards (bug bounties) to encourage reporting of the most serious vulnerabilities. At the Expert level, you have a detailed understanding of adversary behaviour and vulnerability markets, and structure advanced incentives to disrupt them.

The recent cyberattack was ransomware: malware that, once executed, encrypts the victim’s files and demands payment of a ransom before they can be decrypted. This ransomware is known by various names, including WannaCry, WanaCrypt0r, and WCry. It spreads using an exploit believed to be among the set of powerful hacking tools stolen from the NSA that the Shadow Brokers group began leaking in August 2016 (the exploit itself, known as EternalBlue, was published in April 2017). Its reach has been broad: the spread has reached Europe, Asia, North and South America, and Africa (North and South).

The worm component of this malware exploits a known Windows SMBv1 vulnerability, fixed by Microsoft in March 2017 under security bulletin MS17-010. A successful exploit runs code with kernel-level (SYSTEM) privileges on the target, so no user interaction and no credentials are needed to take over an unpatched machine, after which the malware scans for further hosts listening on TCP port 445. Because SMB is already allowed on internal networks, perimeter firewalls and traditional antivirus offer little protection once a single machine inside is infected. Email was widely reported as the initial mode of delivery; whether or not that holds for this campaign, phishing remains the most common way ransomware arrives, and if a malicious attachment or link is opened in error the encryption begins. Once that is done, the malware displays a ransom note demanding payment in Bitcoin. As a fundamental rule of thumb, do not open attachments or links from people you don’t know, or in emails that carry an acute sense of urgency, e.g. “Click on this link to avoid losing access to your account”.

If you aren’t infected, please run Windows Update as soon as possible. If you cannot, the MS17-010 packages can be downloaded from the links below. These are shortened links, so verify that they resolve to a microsoft.com address before installing anything, or fetch the update by its KB number from the Microsoft Update Catalog:

MSU files (x64): http://bit.ly/2rdH9DI

MSU files (x86): http://bit.ly/2pKJzZa
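The patch and SMBv1 checks described above, as an added PowerShell example that is not part of the original post: it reports whether one of the MS17-010 packages is installed and whether SMBv1 is still enabled on the host, and provides functions to turn SMBv1 off and to block inbound TCP 445 on public networks for machines that cannot be patched immediately. The KB numbers are the March 2017 MS17-010 packages from Microsoft’s bulletin and should be confirmed against it for your OS build; the function names are my own, and the script assumes an elevated PowerShell prompt on Windows 7 or later.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Checks a Windows host for the
# MS17-010 fix that closes the SMBv1 flaw WannaCry spreads through, reports the
# SMBv1 state, and offers two mitigations. KB numbers are from Microsoft's
# MS17-010 bulletin; later cumulative updates supersede them, so verify for
# your build before treating "not found" as "unpatched".

$Ms17010Kbs = @(
    'KB4012598'                            # Vista / Server 2008; re-released May 2017 for XP / 2003 / 8
    'KB4012212', 'KB4012215'               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216'               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'               # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 (1703+ ships with the fix)
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Ms17010Status {
    # Installed updates as Windows reports them. On Windows 10 a later cumulative
    # update replaces the original KB entry, so PatchFound=$false there means
    # "check the OS build", not necessarily "vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($Ms17010Kbs | Where-Object { $installed -contains $_ })

    # SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 /
    # Server 2012 and later; older hosts use the LanmanServer registry value
    # that Microsoft documents (SMBv1 is on unless SMB1 is explicitly 0).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $val  = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $val) -or ($val -ne 0)
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = [Environment]::OSVersion.Version.ToString()
        Ms17010Kbs   = ($matched -join ',')
        PatchFound   = ($matched.Count -gt 0)
        Smb1Enabled  = $smb1
    }
}

function Disable-Smb1Server {
    # Turn off the SMBv1 server side. The cmdlet path applies immediately (existing
    # sessions persist); the registry path needs a reboot. Both are Microsoft's
    # documented methods for the respective OS generations.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Windows 8.1 / 10 also ship SMBv1 as an optional feature; remove it too.
    # (Windows Server uses Remove-WindowsFeature FS-SMB1 instead.)
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmbOnPublicNetworks {
    # Stop-gap for hosts that cannot be patched right away: refuse inbound TCP 445
    # on untrusted (Public-profile) networks only, so domain file sharing keeps working.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) on public networks' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
}

# Report, then warn on the two conditions that matter for this worm.
$status = Get-Ms17010Status
$status | Format-List
if (-not $status.PatchFound) {
    Write-Warning 'No MS17-010 package found: confirm the OS build includes the fix, or install it now.'
}
if ($status.Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled: run Disable-Smb1Server and reboot, or Block-InboundSmbOnPublicNetworks meanwhile.'
}
```

Run it from an elevated prompt; it only reports by default, and the two mitigation functions are invoked explicitly so that a change to file-sharing behaviour is a deliberate choice. Disabling SMBv1 breaks access from clients that speak nothing newer (some old NAS boxes, printers and embedded devices), so inventory those before rolling the change out fleet-wide.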

Be safe.
