WannaCry Ransomware Attack

Ethical hacking is the controversial act of detecting the gaps or locating the weakness and vulnerabilities of the information or computer system by duplicating the actions of a malicious hacker along with the duplication of the intents of the malicious hackers. This type of hacking is also known as penetration testing, intrusion testing or red teaming (Engebretson 2013). The professionals associated with this type of hacking are known as ethical hackers or white hat hackers and they mainly aim at identifying the information, location or system which can be accessed by the hacker, what the attacker is able to see in the target, what are the things that the attacker can do with the information and if anyone in the target system is able to notice the attempt of hacking or not (Pike 2013).

The report mainly aims at discussing the various aspects of Ethical hacking along with discussing an incident which has taken place and involves the use of an appropriate software or hardware in the real or virtual computing environment. This report also evaluates the effect that will occur due to the replacement of the UK data protection act by the General Data Protection Regulation. All the major effects are discussed in this report. The incident of hacking that will be discussed in this report is the “WannaCry Ransomware” attack of May 2017.

WannaCry Ransomware was a cyber-attack which was conducted on a large scale which targeted only the computers which were having a Microsoft windows operating system. At the initial stage it was considered at the infection occurred through an exposed vulnerable SMB port rather than the email phishing (Scaife et al. 2016). However, the main reason for the WannaCry Ransomware was email phishing. The attack mainly encrypted all the files in the computer and for the purpose of removing the encryption the attacker asked for a payment of around $300 in bitcoins within a certain deadline. The attack had a vast impact over a number of businesses, institutions and hospitals all around the world (Pathak and Nanded 2016). This attack also affected companies like Renault and Nissan and they had to pause their business activities for some time. The computers in the hospital used for MRI scans and many more were also affected. The Government was blamed for the inability of securing the vulnerabilities. It was estimated that around 200,000 to 300,000 systems in approximately 150 countries were affected.

Reasons Behind the Success of WannaCry Attack

There are several reasons behind the success of this attack some of them are listed below:

1. The main victims of this attack were the users of windows 8 and XP as the last released update of the XP was on April 2014 and many of the users also did not installed the updates of the March 2017.
2. The versions of this windows were not supported by Microsoft but despite of this an emergency update was released by Microsoft so as to fight this attack.
3. Many users were using an unlicensed version of the windows software which made them vulnerable to this attack (Brewer 2016).
4. The tools that were used for this attack were stolen from the US security agency NSA, which was associated with the stockpiling of a number of vulnerabilities around the operating system of Windows, OS of Mac and many more.
5. Number of vulnerabilities in the windows known as the EternalBlue was exploited by this attack.

The attacker asked for payment by means of bitcoins but there were no such records regarding the decryption of the attacked computers even after making the payments. Two major solutions for this attack are listed below:

1. The “Kill Switch” for this attack was accidentally discover by “Marcus Hutchins” when he was trying to establish the size of this attack. This “Kill Switch” was coded in the malware itself. A domain name was registered by him for the DNS sinkhole. This registration ultimately resulted in stopping the spread of this virus like a worm, along with drastically slowing down the spread of this virus which ultimately provided the time for coming up with certain measures for defence (Hampton and Baig 2015).
2. Another solution for the WannaCry Ransomware attack was the “WannaKey” which was created by “Adrian Guinet” and this mainly based upon the flaws of WannaCry. Adrian also informed that this would only work if the user reboots the infected computer or if the decryption key is overwritten by the malware (Richardson and North 2017).

There are various advantages of GDPR than the UK data protection act. Some of them are listed below:

UK Data Protection Act	General Data Protection Regulation
This act is applicable only for UK.	Applicable for whole of EU along with any other globally based company which is responsible for holding data of the EU citizen.
There is no need of having dedicated DPO for any business.	For some countries it is mandatory to have a DPO or for those companies which are having an employee count of more than 250.
Organisations are not required to remove all the information of an individual that they are holding.	For GDPR an individual is having the “Right to Erasure” that all the records having the information gets deleted permanently which might also include the web records.
Stores personal data and sensitive personal data.	Besides personal and sensitive personal data it also includes the online identifiers, data of the location and genetic data.
It is not mandatory for most of the organisations to notify during any type of breach.	It is mandatory for the organisations to notify at times of any kind of breach within 72 hours.
Individuals having a material damage are liable for claiming compensation.	Persons can claim for compensation for both material as well as non-material damage.

GDRP stands for general data protection regulations is nothing but a set of rules which is generally designed in such that it can give more control over data. Breach of data can happen at any instant of time. Information can easily get lost stolen or modified at any instant of time. On the contrary under GDRP, organization not only will secure the personal data which is gathered under legal and strict condition (Tankard 2016). GDRP is applied to any organization which is operating under the EU along with many organization operating which is tending to operate outside of EU and also claims to provide goods or services to various kinds of business which are under EU. It ultimately focuses on the fact that various organization round the globe will need to be ready when GDRP comes into action.

UK data protection act is focusing on to set some strategy which will fit into UK data act so that it can easily fit into the digital age. One of the well-known components for the reformation is the introduction of General data protection regulation. GDPR is future is focusing to maintain legal procedure for maintenance of records of personal data (Mansfield-Devine 2017). Various controllers round the globe are focusing on providing contracts which are within the compliance with GDPR.  

Conclusions 

Ethical hacking is considered to be a legal way of securing the systems. The ethical hackers are given the permission to get into the system and find out the flaws and the weak points of the system. This will greatly help any organisation to protect their vital data as well as those data which are prone to attacks. The implication of GDPR or General Data Protection Regulation will greatly help in the protection of the data. GDPR can be applied in whole of EU along with on any other global company which is responsible for holding data of the EU citizen. For GDPR it is mandatory to provide the information regarding any type of breach within 72 hours. Individuals can claim for compensation whenever they suffer from material or non-material damage.

References

Brewer, R., 2016. Ransomware attacks: detection, prevention and cure. Network Security, 2016(9), pp.5-9.

Engebretson, P., 2013. The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Elsevier.

Hampton, N. and Baig, Z.A., 2015. Ransomware: Emergence of the cyber-extortion menace.

Mansfield-Devine, S., 2017. Hiring ethical hackers: the search for the right kinds of skills. Computer Fraud & Security, 2017(2), pp.15-20.

Pathak, D.P. and Nanded, Y.M., 2016. A dangerous trend of cybercrime: ransomware growing challenge. International Journal of Advanced Research in Computer Engineering & Technology (IJARCET) Volume, 5.

Pike, R.E., 2013. The “ethics” of teaching ethical hacking. Journal of International Technology and Information Management, 22(4), p.4.

Richardson, R. and North, M., 2017. Ransomware: Evolution, mitigation and prevention. International Management Review, 13(1), p.10.

Scaife, N., Carter, H., Traynor, P. and Butler, K.R., 2016, June. Cryptolock (and drop it): stopping ransomware attacks on user data. In Distributed Computing Systems (ICDCS), 2016 IEEE 36th International Conference on (pp. 303-312). IEEE.

Tankard, C., 2016. What the GDPR means for businesses. Network Security, 2016(6), pp.5-8.