This recent ransomware attack, which also hit parts of the NHS, has highlighted a number of problems the IT security industry already knew about. WannaCry spread incredibly quickly and was only deactivated by accident, something we can be incredibly grateful for.
Let’s look at some of the things it reminded us of.
Not everyone patches (or on time)
An exploit addressed by MS17-010 was used to spread the malware, and a patch for this was released in March’s round of Patch Tuesday – almost two months ago. Although the exact number of infected machines is not known, it is apparent that a large number of devices remained unpatched.
Some companies have an instant approach to patching, rolling out the updates as soon as they are available. Clearly, this scheme carries some risk when a patch turns out to cause problems. Other organisations stage their patch roll-outs, meaning their test or development environments receive the update first. I’ve worked in risk-averse environments where production systems are over six weeks behind with their patches.
Further systems remain unpatched because “updates only cause problems”, quite a short-sighted view (there are ways to mitigate the problems) and one that IT managers are hopefully moving away from given the latest news.
IT departments need to prepare for upgrades
Users of Windows 10 were not affected, and you can argue that this is because it is a recent Operating System (OS). It should be remembered, though, that some organisations are still running Windows XP / Server 2003 (the NHS and Natwest for example), for which support ended in 2014. IT departments need to consider when software goes end-of-life and prepare for upgrades in good time.
If an upgrade genuinely is not possible, steps need to be taken to mitigate the risk.
User education is a must
The most expensive firewall or anti-virus solution can be thwarted by a single human who is tricked into clicking on a link or opening an attachment. Training users is key to ensuring colleagues are an information security asset, rather than a liability.
Backups are essential
With ransomware, options are limited: pay up, restore from backup, or refuse to pay and lose your data (possibly forever). Backing up to another location is essential, but that backup has to be disconnected so it does not get encrypted at the same time. Not only that, but the backup needs to be tested to prove a restore is even possible.
Responsible disclosure
Responsible disclosure is the process of letting a vendor know about a vulnerability, and giving them a reasonable period of time to fix the problem before going public with the details. In the case of WannaCry, the vulnerability is said to be one the NSA found and kept to themselves rather than reporting to Microsoft. Unfortunately for the NSA, they then lost the details, leading to a public disclosure and, now, large problems. There is another ethical question around the leaking of these details – another opportunity for responsible disclosure missed.
It is not a question of “if” but “when” our data is lost, stolen or corrupted and how we handle the situation is of critical importance. At the very least, have a decent, recent and tested backup on disconnected media ready to go.
Responsible disclosure will help our systems become more secure, but everyone needs to practice it for it to be most effective.
We would like to thank Jonathan Haddock for this guest post.