We here in the CAT – Law
pressroom occasionally come to have a dispirited world view due to our constant
and laser-like focus on the topic of catastrophes. However, our Magic 8 Ball has been saying “it
is most probable” every time we ask if the recent “WannaCry” ransomware virus
might actually be the dark just before the dawn. So rather than our normal article on a
possible catastrophe, here is our take on a type of cyber catastrophe that is now
more easily prevented.
Last month, hackers attacked
businesses and government entities in 150 countries with a ransomware worm
known as “WannaCry.” These hackers gained access to business and government servers, infecting them
with WannaCry, either by exploiting software vulnerabilities in an older, yet
popular, Windows operating system or through phishing emails designed to trick
users into giving hackers access. Once WannaCry was in, it spread rapidly and
autonomously throughout the system, encrypting the files on the victims’
systems and thus denying the victims access to their own data. The hackers then
demanded a ransom, requiring victims to pay, on average, $300 for the release
of their information.
Although WannaCry is the latest
cyber-attack to make the news, it is by no means the only threat. IBM President
and CEO Ginni Rometty, has described cybercrime as “the greatest threat to every profession, every
industry, every company in the world.” And analysts predict that cybercrime will cost consumers more than $2 trillion globally
by 2019, nearly four times the estimated cost of breaches in 2015.
But massive ransomware attacks
like WannaCry are now more easily prevented.
The cyber-security community has
developed a sophisticated new weapon for battling malware generally, and
ransomware specifically, known as Endpoint Detection and Response (“EDR”). EDR software focuses on protecting each
user device, which are known as endpoints. Endpoints include not only servers
but individual computers and portable devices as well. EDR software uses
artificial intelligence to learn and analyze system activity. So when a virus
attempts to perform a function out of the ordinary, such as encrypting all of
one’s files, it becomes a red flag and the EDR software can act to detect and prevent
it.
Because EDR software focuses on
the behavior of a program, it can detect malware other more traditional virus
protection programs cannot. For example, traditional signature-based virus
detection programs function by blocking malware when the program’s coding—or
signature—reveals that it’s malware. Thus, traditional malware detection
programs can only stop known viruses. But because EDR software focuses on a
program’s behavior, rather than its signature, it’s able to detect
malicious software (including unknown viruses) that affect the function of the
endpoint. In short, EDR software is a more effective, proactive tool against
cyber-attacks.
Entities looking to improve their odds against
cyber-criminals should consider adding EDR software to their arsenal, to
compliment their other weapons against cyber-crime such as ongoing training of
personnel and restricting user privileges. And insurers covering the risk of
loss from cyber-attacks should consider recommending—or even requiring—that
policyholders use EDR software to better prevent or minimize loss from cyber attacks,
thereby lowering their exposure to such losses. The use of EDR software as part
of a diligent cyber-security plan may dramatically reduce the risk of loss from
a number of cyber attacks.
Posted by Thomas Caswell and Justin Evans
