One year ago the world was rocked by WannaCry, the biggest ever ransomware of its kind, which spread like wildfire around the world, infecting hundreds of thousands of computers in over 150 countries within hours. It essentially took Ireland’s Health Service Executive computer systems off the internet for nearly a week while the HSE worked to patch its unpatched systems.
The attack started on 12 May 2017 and lasted for 48 hours, leaving a trail of destruction behind. Subsequent variants (Petya, NotPetya, Nyetya, Goldeneye and Bad Rabbit) also affected thousands of computers, even after information on how to avoid them was widely available.
You would suppose that it must have been a very sophisticated attack. Not really. The attack exploited a vulnerability in Windows’ Server Message Block (SMB) protocol. The vulnerability had been discovered by the National Security Agency, which also developed the exploit, but failed to notify Microsoft. Microsoft eventually discovered the vulnerability, and on Tuesday, March 14, 2017, they issued security bulletin MS17-010 which detailed the flaw and announced that patches had been released for all supported Windows versions.
The attack took place a full two months after the patch was made available, so why were so many machines infected?
The reason is that most organisations have a very poor patch management regime, leaving machines vulnerable long after the patch was available. It is also the reason why Conficker was still the most commonly detected malware on business PCs (those connected to an Active Directory domain) in the last quarter of 2014 – six years after its release.
(Conficker was a worm released in 2008, and it caused chaos: it cost one UK authority £1.4m to recover, French fighter planes were grounded, and one estimate put the global economic cost of the clear-up at more than $9bn.)
Patch management – will we ever take it seriously?
Perhaps more than anything else, the ransomware onslaught that WannaCry unleashed was a resounding reminder of the importance of security basics, especially when it comes to Microsoft product patching.
But even now, one year on, after the many high-profile incidents and the hundreds of other reported incidents caused by unpatched machines, organisations are still not taking their patching responsibilities seriously.
This, I believe, is due to the inherent tension between IT operations and security operations and the fear that patching may cause unforeseen outages. It is also indicative of the blasé attitude towards security in many organisations. If you asked the ex-CIO and ex-CSO of the companies that were affected if they would now take a different approach to patch management, I think you know what the answer would be.
Instead of waiting to address the issue once a problem occurs, it is important to plan and implement patching in advance. The key concerns for many companies are the number of patches and the manpower needed to deploy them.
The benefits of a managed approach to patch management
The most effective approach to patch management is to hand the responsibility to a third party under associated Service Level Agreements, in conjunction with a comprehensive Vulnerability Management Service (VMS). A good VMS will have full patch deployment as its core objective, but it will also have robust mechanisms for risk mitigation as part of its arsenal against cyber attacks.
As part of our Managed Security Services we offer Vulnerability & Patch Management. This service is managed by an experienced team of analysts based at our Security Operations Centre (SOC), which identifies, classifies and prioritises weaknesses and alerts clients with real-time intelligence on verified vulnerabilities and the best route to remediate and mitigate them.