Authorised Software install costs Maersk $300m
At our UK Conference I called for SAM teams to forge strong ties with their colleagues in IT Security and Compliance. My session highlighted how we as SAM managers have much in common in terms of tools and processes with them. We are also seeing former pure-play IT Security vendors such as Qualys entering the SAM world with toolsets aimed at solving the fundamental IT Security challenge – you can’t secure what you don’t know about.
My conference session included an extract from the World Economic Forum earlier this year where Maersk Chairman Jim Hagemann Snabe spoke of the impact of the NotPetya attack on his company. In short;
- Two weeks of manual processing
- Rebuild of entire IT estate
- At least $300m in lost revenue
- Huge impact on global supply chain affecting countless small companies
Wired have recently published a fascinating deep-dive into the Maersk response and it is an excellent primer on the reality of dealing with a cyber-attack.
For us as SAM Managers the frightening reality is this:
Maersk was vulnerable, and suffered all that damage, because of a single installation of a vulnerable application. Hackers compromised the update server for that application, the application auto-updated, and Maersk’s systems were dead in the water within minutes.
One installation, two weeks downtime, at least $300m hit to the bottom line.
But this couldn’t happen to me, could it?
Maersk IT installed the application at the request of an accountant in a local Maersk office in Ukraine. It had probably gone through the usual process for completing such a task – a request raised, ticket allocated, license checked, application catalog updated, and so on. This was commercial software, widely used in Ukraine to file tax returns. Think Quickbooks.
And this is the point – I doubt very much if any software approval process would have seen the risk associated with this application. I don’t know many SAM Managers who would actively manage an application with a single install either.
From a risk perspective however these outliers do need our attention. With the move to continuous application development perhaps we’ve become blasé about the risks of auto-update. In my time in infrastructure operations the mantra was “never install the first version”. Now many teams have KPIs tracking time taken to install an update. To be clear, auto-update is usually a good thing, but make sure you’ve assessed the risk and tested the application before enabling it.
The SAM Manager’s role
Our role as SAM Managers is to ensure that robust software approval processes are in place and that all appropriate stakeholders are engaged. Our remit should probably be limited to the licensing and perhaps financial aspects of the decision to install the software. IT Security should formally provide approval for the application to be installed, where it should be installed, and whether it should auto update. IT Operations should approve the technical aspects – compatibility, capacity requirements, packaging, and so on. The Software Approval Board should collectively classify the risk of installing the software and add it to the Approved Software List.
When a single software installation can do so much damage collective responsibility is important. You really don’t want to be the person who provided sole approval for an install with a $300m price tag.
I’ll be writing more on building relationships with your IT Security and IT Ops teams over the coming year, and will be presenting on this topic at our forthcoming Australian & US Conferences. NotPetya won’t be the last attack of this kind, make sure you’re ready for the next, and grasp the opportunity to build or strengthen these mutually-beneficial relationships.
- Tags: cyber security · IT Security · maersk · Managing risk · Software Approvals
I think in this case the issue was that devices were not patched, rather than any breakdown in the software approvals process. In principle, all software on your estate should be validated by both security and architecture. The reality for large organisations is that this is not practical for software that has only a small footprint. I think there are two key points highlighted in this case.
1 – ensure patching is up to date. Easier said than done on a large scale
2 – run a software catalogue and do not allow exceptions. If 1 user requests a software title not in the catalogue, it is highly probable that an approved application that can perform the same job is already in the catalogue. It should certainly be the case for accounting software
Well, I guess revenge is a dish best served cold. Maersk today led the efforts in conjunction with other major shipping lines to effectively blockade Russia.