Tenable Blog

I’ve been in IT for the last 16 years, nearly two of which have been in cybersecurity. I was recently given public platforms to discuss my views on diversity in the industry. The crazy part is how close I came to never actually having a career in tech.

The first opportunity came following my recognition as Minority Practitioner of the Year by the International Consortium of Minority Cybersecurity Professionals (ICMCP). And most recently, I joined over 100 women at the Executive Women’s Forum (EWF) Cybersecurity Women on Capitol Hill.

The White House called for a 30-day sprint in response to the devastating data breach at the Office of Personnel Management (OPM), discovered in April 2015. The immediate goal was to bring agencies’ cybersecurity up to an acceptable level.

CISOs often ask “How vulnerable are we?” when presented with vulnerability metrics and reports. As the head of a security team, are you prepared to answer that question? The answer to that question often lies in the relationship between vulnerability and exploitability. All exploitable vulnerabilities are, of course, vulnerabilities. But when a vulnerability isn’t marked “exploitable,” what does that mean? The most accurate answer would be that an exploitation hasn’t been discovered yet, but the vulnerability still has the potential to be exploited.

We’ve seen several critical vulnerabilities lately. First there was WannaCry, and then WannaCry 2.0 (EternalRocks), and now do we have WannaCry 3.0? Well, not really.

A new network worm dubbed EternalRocks is making the news this week as the successor to the WannaCry ransomware. EternalRocks leverages some of the same vulnerabilities and exploit tools as WannaCry but is potentially more dangerous because it exploits seven NSA tools that were released as part of the ShadowBrokers dump for infection instead of two used by WannaCry. So EternalRocks has the potential to spread faster and infect more systems.