The adage “You can’t afford to advertise, but you can’t afford not to” could well be applied to patch management. The WannaCry/WannaCrypt ransomware malware attack that has spread across the globe has highlighted the need for keeping Windows OS up to date. Many organizations still underfund their patch management efforts and some still operate under the “I don’t want to be first” method of patching. This attack illustrates the need for swift patching. Exploits are coming out too fast to wait and see if the patch is safe. And for those still running Windows XP (unsupported since April 2014) it was just a matter of time before this happened.
Organizations and individuals that deploy basic and timely patch management techniques are protected from this attack. Microsoft released the fix in March of this year, before the exploit first showed up in April.
In this attack, ransomware is only half the story
The WannaCry code may have been able to work even on patched and updated computers, IF it had been installed correctly. Cybercriminals may target a specific organization and find ways to get the ransomware installed on internal systems, such as database servers. This can be done through social engineering techniques (e.g. tricking an employee to open an attachment or clicking a link in an email). But the criminal groups that deployed this attacked combined the ransomware with a worm that exploited a SMB vulnerability in the Windows operating system. The worm allowed the malware to spread through unpatched computers (desktops and servers) in over 100 countries.
Unfortunately, the vulnerability was allegedly discovered by the National Security Agency in 2014 but was never reported to Microsoft because the NSA and Central Intelligence Agency decided to keep the exploit as part of its cyber toolkit to spy on others. That toolkit was hacked, stolen, and made available for sale in April 2017 by WikiLeaks and a group called the Shadow Brokers.
Regardless of who carries blame, the bottom line is this disaster could have been prevented with basic upgrade and patching policies. Organizations that are hesitant to install patches for any reason may want to re-think this practice and base it on a realistic assessment of risks.
Patch management: no different from other important policies
Patch management should blend with other policies such as Backup and Recovery, Incident Response, and Disaster Recovery. Consider and assess the risk of applying patches as you would any other threat and plan for it accordingly. What you need to do:
- Make sure the backup can recover the server in a tolerable amount of time (based on risk assessment or business impact analysis).
- Perform backups before patching.
- Include actions in your incident response and disaster recovery plans to recover a system impacted by a bad or improperly installed patch.
- Invest in patching, backup, and recovery infrastructure at your organization (remember the “can’t afford not to advertise analogy).
Here are actions to take to protect you organization from the next WannaCry/WannaCrypt-style outbreak:
- Block Server Message Block (SMB) ports, (particularly ports 139 and 445) from external hosts, along with User Datagram Protocol (UDP) ports 137 and 138, from the local network to the wide area network.
- Keep anti-virus software up to date should be standard practice.
- Whitelist the applications allowed to run on your servers or desktop using AppLocker or other white listing products.
No one security measure is foolproof. But patch management is an important and fundamental action and should be at the forefront of any organization’s layered security defense methodology. If you would like help analyzing your current patch management or security policies, our IT experts can share specific insights to help your organization.