• United States




Wannacry or Wannabrag? Educating the board on why

May 24, 20175 mins
CybercrimeIT LeadershipIT Skills

Was your organization lucky in avoiding damage from the latest ransomware threat? Or was it because the organization happens to have a proactive team of information security professionals? Let the board know why they dodged a bullet this time and how they can continue to protect the organization in the future!

If your infosec function is like similar functions at other organizations, you either took a “congratulatory lap” for preventing Wannacry ransomware from causing damage to your organization or unfortunately, you are spending time explaining why your organization became a victim. Too often, the information security function only gets “face time” at the Board level when things go bad (assuming you don’t get replaced beforehand). This includes post-incident analysis and worse – the involvement of an outside forensic firm that provides hindsight on simple things you could have fixed and would have had you had the resources. Incidents and forensic examinations have a way of finally getting management to “open the wallet” for risk mitigation investments that were rejected prior to the incident. 

Using US-CERT Alerts to identify how well information security is functioning

But when things go right – well that is what everyone expected. Recent media attention on the Wannacry incident provides the opportunity for information security managers to demonstrate what they did right and how management decisions (and investments) directly impacted how the organization was able to defeat evolving attacks. To communicate these accomplishments Infosec professionals should assess their performance against an unbiased baseline. But which baseline? Many articles, blogs, news reports and of course consultant white papers promulgate actions that organizations should (or should have taken) to mitigate the Wannacry Threat. “Cherry-picking” publications to show the infosec function in the best light is not an option. A more neutral, reliable and highly respected source is required to facilitate impressions on the Board. And I have found US-CERT alerts to perfectly address these needs.

CSOonline readers are probably familiar with US-CERT and their alerts. Per their website, the United State Critical Emergency Response Team, responds to major incidents, analyzes threats, and exchanges critical cybersecurity information with trusted partners around the world. Alerts provide timely information about current security issues, vulnerabilities, and exploits. Usually these alerts represent high risk potential and frequently receive media attention. With eight alerts issued in 2016 and twelve in 2015, the number of alerts are manageable and the ability to communicate how the information security function performed in managing and mitigating the identified threats in Board reports is possible.

Leveraging the Wannacry alert to demonstrate a job well done (hopefully!)

In response to the Wannacry ransomware threat, US-CERT issued “Alert (TA17-132A) Indicators Associated With WannaCry Ransomware.” Amongst the information provided in the alerts is a section called “Recommended Steps for Prevention.” By reporting how the organizations was (or wasn’t prepared) and why, information security teams can provide a practical reflection of the effectiveness of the current information security program. The “dashboard” format facilitates stakeholder review and reconsideration of issues. It also demonstrates how prior investments enabled the organization to no become a victim of the latest threat. Following is a sample tool to facilitate the discussion.

US-CERT Recommended Steps for Prevention

When Implemented?

Primary Reason for Success/Failure

Recommended Actions

Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.

Prior to alert

Mature patch management program.


Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

Prior to alert

Prior year risk assessment recommendation that we implemented.


Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.

Prior to alert

Investment in new spa filtering capabilities.


Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.

Prior to alert

Renewal of anti-virus and anti-malware solutions.


Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary. 

Exceptions exist

The Marketing department uses an application that requires full access for all users.

Consider other applications or invest $xx,xxx in implementing compensating technology controls to mitigate the risk.

Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. 

In Remediation

Security architecture review was not approved during past budgeting cycle.

Reconsider cost-effectiveness and priority of performing the security architecture review.

Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.

Risk Accepted Prior to alert.

Based on risk assessment, this particular risk was assumed due to the effectiveness of compensating controls.

Reassess during next risk assessment.

Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.

Not implemented

Budget for training not provided for during past 3 years.

Approve budget to provide basic employee training on cybersecurity protection.

Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.

Partially Implemented

In process of implementing vulnerability management program.

Reconsider appropriateness of penetration test after implementation of the program.

Test your backups to ensure they work correctly upon use.

Prior to alert

New backup and recovery process.



Joel Lanz is the founder and principal of Joel Lanz, CPA, P.C., a niche CPA practice focusing on information and technology governance, risk, compliance and auditing. Prior to starting his practice in 2001, Joel was a technology risk consulting partner at Arthur Andersen (1995-2001) and a manager at Price Waterhouse (1986-1991). He currently serves as a reference member of the American Cancer Society's audit committee. His industry experience includes a job as vice president and audit manager at The Chase Manhattan Bank (1991-1995) and senior IT auditor positions at two insurance companies (1981-1986).

Joel currently chairs the AICPA’s Information Management and Technology Assurance Executive Committee and previously chaired the AICPA's CITP credential committee (IT specialist certification for CPAs) and co-chaired the AICPA’s Top Technology Initiatives Task Force. Joel's prior contributions to professional organizations include serving as chairman of the New York State Society of CPAs Technology Assurance and Information Technology Committees.

Joel is a member of the editorial board of The CPA Journal. He frequently speaks at professional society and industry conferences, including the AICPA, NYSSCPA and IIA, and he is an adjunct professor at New York University’s Stern School of Business and at the State University of New York's College at Old Westbury.

Joel holds a BBA in accounting and an MBA with a focus on information systems from Pace University's Lubin School of Business Administration.

The opinions expressed in this blog are those of Joel Lanz and do not necessarily represent those of IDG Communications Inc., or its parent, subsidiary or affiliated companies.