Was your organization lucky in avoiding damage from the latest ransomware threat? Or was it because the organization happens to have a proactive team of information security professionals? Let the board know why they dodged a bullet this time and how they can continue to protect the organization in the future!

If your infosec function is like similar functions at other organizations, you either took a “congratulatory lap” for preventing Wannacry ransomware from causing damage to your organization or, unfortunately, you are spending time explaining why your organization became a victim. Too often, the information security function only gets “face time” at the Board level when things go bad (assuming you don’t get replaced beforehand). This includes post-incident analysis and, worse, the involvement of an outside forensic firm that provides hindsight on simple things you could have fixed, and would have, had you had the resources. Incidents and forensic examinations have a way of finally getting management to “open the wallet” for risk mitigation investments that were rejected prior to the incident.

Using US-CERT Alerts to identify how well information security is functioning

But when things go right – well, that is what everyone expected. Recent media attention on the Wannacry incident provides the opportunity for information security managers to demonstrate what they did right and how management decisions (and investments) directly impacted how the organization was able to defeat evolving attacks. To communicate these accomplishments, infosec professionals should assess their performance against an unbiased baseline. But which baseline? Many articles, blogs, news reports and, of course, consultant white papers promulgate actions that organizations should take (or should have taken) to mitigate the Wannacry threat. “Cherry-picking” publications to show the infosec function in the best light is not an option.
A more neutral, reliable and highly respected source is required to facilitate impressions on the Board, and I have found US-CERT alerts to perfectly address these needs.

CSOonline readers are probably familiar with US-CERT and their alerts. Per their website, the United States Critical Emergency Response Team responds to major incidents, analyzes threats, and exchanges critical cybersecurity information with trusted partners around the world. Alerts provide timely information about current security issues, vulnerabilities, and exploits. Usually these alerts represent high risk potential and frequently receive media attention. With eight alerts issued in 2016 and twelve in 2015, the number of alerts is manageable, and it is possible to communicate in Board reports how the information security function performed in managing and mitigating the identified threats.

Leveraging the Wannacry alert to demonstrate a job well done (hopefully!)

In response to the Wannacry ransomware threat, US-CERT issued “Alert (TA17-132A) Indicators Associated With WannaCry Ransomware.” Among the information provided in the alert is a section called “Recommended Steps for Prevention.” By reporting how the organization was (or wasn’t) prepared, and why, information security teams can provide a practical reflection of the effectiveness of the current information security program. The “dashboard” format facilitates stakeholder review and reconsideration of issues. It also demonstrates how prior investments enabled the organization to not become a victim of the latest threat. Following is a sample tool to facilitate the discussion.
| US-CERT Recommended Steps for Prevention | When Implemented? | Primary Reason for Success/Failure | Recommended Actions |
|---|---|---|---|
| Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017. | Prior to alert | Mature patch management program. | None |
| Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing. | Prior to alert | Prior year risk assessment recommendation that we implemented. | None |
| Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users. | Prior to alert | Investment in new spam filtering capabilities. | None |
| Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans. | Prior to alert | Renewal of anti-virus and anti-malware solutions. | None |
| Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary. | Exceptions exist | The Marketing department uses an application that requires full access for all users. | Consider other applications or invest $xx,xxx in implementing compensating technology controls to mitigate the risk. |
| Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. | In remediation | Security architecture review was not approved during past budgeting cycle. | Reconsider cost-effectiveness and priority of performing the security architecture review. |
| Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications. | Risk accepted prior to alert | Based on risk assessment, this particular risk was assumed due to the effectiveness of compensating controls. | Reassess during next risk assessment. |
| Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering. | Not implemented | Budget for training not provided for during past 3 years. | Approve budget to provide basic employee training on cybersecurity protection. |
| Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical. | Partially implemented | In process of implementing vulnerability management program. | Reconsider appropriateness of penetration test after implementation of the program. |
| Test your backups to ensure they work correctly upon use. | Prior to alert | New backup and recovery process. | None |