On March 7, 2017, the self-described “not-for-profit media organization” and whistleblowing website WikiLeaks began releasing the Vault 7 series of documents, which allegedly contain details about activities and capabilities of the CIA to conduct electronic surveillance and cyber attacks dating from 2013-2016.
WikiLeaks claims that Vault 7 includes cyber weapons, surveillance exploits, hand-crafted malware and some ominous zero-day attacks—including the ability to hack smart TVs, cars, smartphones and web browsers.
WikiLeaks further claims that what has been distributed so far is “only 1%” of the total archive. The rest is due to be released publicly at a later date (if ever), and has already been shared with Apple, Microsoft, Google, the Linux Foundation and other tech companies so that vulnerabilities can be patched.
WikiLeaks founder Julian Assange has stated that he would not release information that would put the public at risk. Nevertheless, the existence and the content of the Vault 7 archive is of great concern, particularly if it provides fuel for cyber criminals and cyber terrorists to threaten organizations, nations and/or individuals.
The hype associated with the documents has been spectacular, touting concerns about hackers wiping millions of phones, destroying servers at will and causing vehicle collisions. But what should businesses actually be concerned about, and how should they respond?
How Should Businesses Respond to the WikiLeaks Vault 7 Dump?
The short answer is simple and not very glamorous: patch your software. Many of the vulnerabilities that Vault 7 is said to illuminate are in outdated software versions and have been (or soon will be) patched in the latest versions.
Many of the other hacks described thus far, such as turning smart TVs into listening posts, would be incredibly difficult to pull off in actuality, and/or require physical access to the target device. The small percentage of organizations whose risk profile includes the potential for attack by nation-state actors or highly sophisticated cyber criminals are undoubtedly following these events closely.
If you’re unsure about your organization’s risk profile and/or want to find out more about protecting your data and systems from sophisticated attacks, contact Pivot Point Security.
For more information:
- Wired’s latest news on Vault 7
- Tech company responses to Vault 7
- A “what you need to know” piece from techradar.com