HIT Ransomware Attack: Reactive Cybersecurity Strategy Is Not A Strategy
So on Tuesday, 20 June 2017, we woke up to the news that the Harare Institute of Technology had been hacked and all staff and student data, records, and emails had been encrypted using AES 256. While there is still a lot of speculation on whether a zero-day vulnerability was exploited or it was an internal issue, this article will concentrate on a critical area in the prevention of such attacks in the future.
A friend of mine asked me how an institution which had, a few days before, been training corporates on cybersecurity could get attacked like that. The same institution boasts of training cybersecurity professionals, and rumor has it that two or more of its staffers are holders of Master's degrees in Cyber Security, yet it has become the first institution of higher learning in Zimbabwe to suffer an attack of this magnitude. It is noteworthy that no system is absolutely immune to attacks. (Even the US elections were allegedly hacked.)
So one of the big questions in the minds of many is: what, then, should organizations do to protect their data from the ever-increasing, pervasive threat vectors? One key pillar is to equip their human resources. But wait a minute, didn’t I just say this university’s cyber security is said to be handled by holders of Master's degrees in information security? I am not trying to trivialize the importance of academic qualifications, especially postgraduate ones, because after all, I am in pursuit of one myself. However, I feel there has been an underestimation of professional certifications on the Zimbabwean job market, especially compared to academic qualifications.
As SANS Incident Handler Marcus Sachs stated in a related Internet Storm Center diary post, “we need to start rethinking how we are going to defend our networks in the coming years and decades”. The differences between the training approaches play a pivotal role in the skills acquisition process of the holders. It is important to note that while our academic qualifications result from an educational process, technical certifications, on the contrary, result more from an assessment process which indicates mastery or competency as measured against a defensible set of standards. In other words, graduating with a bachelor's or master's in a particular field doesn’t directly translate to mastery in that field, especially in our context. I will discuss this viewpoint below.
First of all, most of our academic qualifications that attempt to cover the area of cyber security concentrate on the governance aspects of cyberspace, without necessarily training one on how to do the basic stuff like configuring a firewall. So one might graduate with a first class, but if they get to the industry and are given a task to create an access control list on a router, for instance, they will be clueless, yet the certificates on their wall speak highly of them.
I have also personally worked for two training institutions in Zimbabwe, and one disappointment has been the rate at which curricula are reviewed, especially by the Higher Education Examination Council. I was once almost chucked out of a meeting by one regional chair for voicing my concern over teaching learners obsolete stuff. At that time, 2015, we were using a syllabus that was last reviewed in 2004, an 11-year-old syllabus to be precise. The only thing that I would say was still relevant in that course was programming. Considering the nature and spontaneity of changes in cyberspace, our academic training is often found wanting. On the other hand, professional certification providers frequently update both their training and examination content to cover the latest trends, hence learners stay in tune with the latest happenings.
Moreover, most certifications have ongoing requirements in order to maintain them, where the qualification holder must demonstrate that they continue to meet set requirements. This in a way provides further incentive for holders to keep growing and learning about new technologies. The challenge that zero-days present to information security teams is the gap in detection and identification capability. Therefore, an up-to-date techie is better placed to detect, or configure devices for detection, than a mere degree holder who graduated 3 years ago.
It is high time that employers and recruiters alike begin to place due regard on a perfect match of academic qualifications and professional security certifications if the occurrence of such attacks is to be minimized or mitigated against. A wise employer would right now be investing a great deal of resources in equipping their cybersecurity first responder teams with the requisite skills, because these threats don’t appear to be going away any time soon. If anything, attacks are increasing by the day, as evidenced by the recent WannaCry outbreak. Mobile computing and smartphones, for example, have expanded corporate borders beyond the safeguards of their perimeter and internal controls, yet more malware is being seen targeting these devices.