One year ago this past weekend the world was rocked by WannaCry, the biggest ransomware outbreak of its kind, which spread like wildfire around the world, infecting hundreds of thousands of computers in over 150 countries within hours, encrypting data and demanding a ransom paid in bitcoin. It essentially took Ireland’s Health Service Executive computer systems off the internet for nearly a week while staff worked to patch the vulnerable systems.
The attack started on the 12th of May 2017 and lasted roughly 48 hours, leaving a trail of destruction behind it. Subsequent variants, Petya, NotPetya, Nyetya, Goldeneye and Bad Rabbit, went on to affect thousands more computers, even after information on how to avoid them was widely available in the news.
So you would suppose that it must have been a very sophisticated attack. Not really. The attack exploited a vulnerability in Windows' Server Message Block (SMB) protocol. The vulnerability had been discovered by the National Security Agency, who also developed the exploit, but failed to notify Microsoft. Microsoft eventually discovered the vulnerability, and on Tuesday, March 14, 2017, they issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all supported Windows versions.
The attack took place a full two months after the patch was made available, so how were so many machines infected?
The reason is that most organisations have a very poor regime for patch management, so machines are left vulnerable long after the patch that fixes the flaw has been available. It is also why Conficker was still the most commonly detected malware on business PCs (those joined to an Active Directory domain) in the last quarter of 2014, six years after its release in 2008. The worm caused chaos: it cost one UK authority £1.4m to recover from a Conficker infection in 2009, French fighter planes were grounded because of it, and one estimate put the global economic cost of the clean-up at more than $9bn.
Patch Management – will we ever take it seriously?
Perhaps more than anything else, the ransomware onslaught that WannaCry unleashed was a resounding reminder of the importance of security basics, especially when it comes to patching Microsoft products.
But even now, one year on from WannaCry, after the many high-profile incidents it caused and the hundreds of other reported incidents traced to unpatched machines, organisations are still not taking their patching responsibilities seriously.
This, I believe, is due to the inherent tension between IT operations and security operations, and to the fear that patching may cause unforeseen outages. It is also indicative of the blasé attitude towards security in many organisations. If you asked the ex-CIO and ex-CSO of the companies that were affected whether they would now take a different approach to patch management, I think you know what the answer would be.
Instead of waiting for the issue to be addressed only after a problem occurs, it is important to plan for and implement patch management in advance. The key concerns for many companies are the number of patches and the manpower needed to deploy them.
The benefits of a managed approach to Patch Management
The most effective approach to Patch Management is to give the responsibility to a third party under defined Service Level Agreements, and to do so in conjunction with a comprehensive Vulnerability Management Service (VMS). A good VMS will have full patch deployment as its core objective, but it will also have robust mechanisms for risk mitigation as part of its arsenal against cyber attack.
As part of Zinopy’s Managed Security Services we offer inSIght Vulnerability & Patch Management. This service provides an experienced team of analysts based at our Security Operations Centre (SOC) who identify, classify and prioritise weaknesses and alert clients with real-time intelligence on verified vulnerabilities and the best route to remediate and mitigate them.
inSIght is powered by industry-leading IBM technology and we have seen a significant interest in the service in the past 12 months from many organisations across sectors and industries.
Watch the video below to learn how IBM BigFix can find and fix problems in minutes with real-time visibility and control into all your endpoints, keeping your company away from the wrong headlines, your data safe and your brand and reputation intact.
Would you like to see for yourself how Zinopy inSIght and IBM BigFix can benefit your organisation? Give us 48 hours and up to 2,000 endpoints and find out what we can do for you!