WannaCry, Ransomware and Why CIOs Must Prioritize Patching
09 Aug. 2017 Trending
“WannaCry”, the global cyber-attack of May 2017, infected more than 230,000 computers in over 150 countries. The ransomware targeted machines running Microsoft Windows, encrypting their data and demanding a ransom payment in Bitcoin. Parts of Britain’s National Health Service (NHS), Spain’s Telefónica, FedEx and Deutsche Bahn were hit severely; at NHS hospitals, operations were cancelled and patients were turned away.
WannaCry spread by exploiting a flaw in the SMBv1 file-sharing protocol in Microsoft Windows. The exploit for it, known as EternalBlue, was developed by the US National Security Agency and published by the Shadow Brokers group in April 2017, a month after Microsoft had patched the flaw in security bulletin MS17-010. Ransomware (malware that encrypts a victim’s data and demands payment for the key) is one of the top cybersecurity threats of 2017, and further attacks built on the same leaked toolset against unpatched systems are to be expected.
Is Patching Worth The Trouble?
The incident has revealed the extent of havoc that software vulnerabilities can wreak, and it serves as a clarion call for CIOs and CTOs on the importance of safeguarding software, especially when a patch for the specific vulnerability is already available. While there was a lot of naming, shaming and blaming after the attack for failing to apply patches, cybersecurity experts say that the math of prevention is not so simple.
No Match For Patch
The attack has sent IT departments into panic mode. While CIOs and CISOs take preventive measures and try to mitigate the damage, not every organization is keen to patch; many have a long-drawn-out process for deciding whether a patch is worth the expenditure. Typically, IT departments run scheduled patching cycles and upgrades for the hundreds of applications they use. Before they roll out updates, however, they need to conduct regression testing to make sure their custom software continues to work with the update.
Confirming compatibility with in-house software is one of the most painful and costly aspects of patching. This is why many CIOs and organizations are wary of patching and tread with the utmost caution, which leads to delays and, oftentimes, to security risks.
Even a seemingly small patch, such as an Internet Explorer upgrade, can run to seven-figure sums once the testing and remediation it requires are counted. Organizations need to take a calculated yet proactive approach to testing and rolling out patches. It is time-consuming, costs a lot of money and may break some dependencies. They need to be prepared for all of these, for the greater good of mitigating security risks.
But testing patch updates for incompatibilities is not optional. An organization that breaks a mission-critical app by deploying an untested patch may have to shut down vital applications, resulting in heavy financial and operational damage.
Best Practice and Processes For Patching
Security patch updates need to be driven by a careful estimate of the expected benefit: the cost of testing and deploying a patch must be measured against the damage an unpatched vulnerability can cause. This is not an exact science and requires sound estimation and some guesswork. Security-conscious companies therefore have a mandatory patching policy, backed by a risk management model that covers all their systems.
When vendors release patches outside the normal patch cycle, it disrupts the schedule companies follow for managing updates; when a patch arrives within the normal cycle, its urgency is easy to miss. Microsoft released MS17-010 on its regular Patch Tuesday, March 14, 2017, and many IT departments treated it as routine and queued it for a later patching cycle. Not surprisingly, a large number of the companies hit hardest by WannaCry on May 12 were ones that still had not deployed a patch that had been available for two months. Microsoft then did go outside its cycle, issuing emergency patches after the outbreak for Windows XP, Windows 8 and Windows Server 2003, versions it had already stopped supporting.
The risk is particularly high for companies that run a large number of legacy apps, some two or more decades old, whose developers may no longer be around to help. The executive order on cybersecurity signed by President Trump in May 2017 (EO 13800) aims to improve US federal systems and critical networks partly by phasing out antiquated systems. Organizations can’t close their eyes to the security risk that such legacy systems pose. CIOs need to recalibrate their IT processes to take a much more aggressive approach to patching. It is also worth reviewing the cost of application modernization, to ensure a more resilient and stable IT architecture.
An estimated 5,000 or more new vulnerabilities are disclosed every year, and CIOs can’t patch every gap, so they must rank the ones that pose the greatest risk, test those patches and roll them out as soon as feasible. Severity alone is a poor guide: a vulnerability with a public exploit in a service reachable from the network, as with MS17-010 and SMBv1, belongs at the top of the list regardless of where the next scheduled cycle falls. It is recommended to apply emergency patches as required, ensure that PCs run a supported version of the OS, keep anti-virus up to date with the latest definitions, and always have a plan B in the form of tested, offline backups. Where a patch cannot be applied quickly, reduce exposure in the meantime; for WannaCry that meant disabling SMBv1 and blocking TCP port 445 at the network perimeter.
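Ranking by risk rather than by CVSS severity alone can be made mechanical. The Python script below is an added example, not code from the original article: it scores each finding by severity, public exploitation, network exposure and host criticality, assigns an SLA deadline from the patch release date, and reports which items are overdue. The scoring weights, SLA windows, four-host inventory and CVSS values are constructed for illustration; only MS17-010 and its March 14, 2017 release date come from the text.

```python
"""Risk-based patch prioritisation over a constructed asset inventory.

Added example; weights, SLA windows and sample hosts are assumptions, not
the article's or any vendor's policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    host: str
    patch: str          # vendor bulletin or KB that closes the gap
    cvss: float         # CVSS base score, 0.0 - 10.0
    exploited: bool     # public exploit, or exploitation seen in the wild
    exposed: bool       # vulnerable service reachable from an untrusted network
    criticality: int    # business impact of the host, 1 (low) .. 5 (mission critical)
    released: date      # date the vendor published the patch


# Days allowed from patch release to deployment, per tier (assumed policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def score(f: Finding) -> float:
    """Weighted risk: CVSS is the base; exploitation and exposure dominate it."""
    s = f.cvss
    if f.exploited:
        s *= 2.0
    if f.exposed:
        s *= 1.5
    s *= 1.0 + 0.25 * (f.criticality - 1)   # 1.0x for criticality 1, 2.0x for 5
    return round(s, 2)


def tier(f: Finding) -> str:
    """A known-exploited bug on an exposed service is critical regardless of CVSS."""
    if f.exploited and f.exposed:
        return "critical"
    s = score(f)
    if s >= 20.0:
        return "critical"
    if s >= 9.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"


def prioritise(findings, today: date):
    """Return findings sorted highest risk first, each with its tier and deadline."""
    rows = []
    for f in findings:
        t = tier(f)
        deadline = f.released + timedelta(days=SLA_DAYS[t])
        rows.append({
            "host": f.host, "patch": f.patch, "score": score(f), "tier": t,
            "deadline": deadline, "overdue": today > deadline,
        })
    rows.sort(key=lambda r: (-r["score"], r["deadline"]))
    return rows


# Constructed inventory. file-srv-01 is the WannaCry case: SMBv1 reachable from
# outside, EternalBlue public, patch MS17-010 available since March 14, 2017.
SAMPLE = [
    Finding("file-srv-01", "MS17-010", 8.1, True, True, 5, date(2017, 3, 14)),
    Finding("hr-app-02", "APP-2017-001", 9.8, False, False, 3, date(2017, 4, 20)),
    Finding("kiosk-07", "MS17-010", 8.1, True, False, 1, date(2017, 3, 14)),
    Finding("dev-box-12", "IE-2017-003", 6.4, False, False, 2, date(2017, 5, 9)),
]


if __name__ == "__main__":
    # Evaluate the queue as it stood on the day WannaCry broke out.
    for r in prioritise(SAMPLE, date(2017, 5, 12)):
        flag = "OVERDUE" if r["overdue"] else "ok"
        print(f'{r["host"]:12} {r["patch"]:13} {r["score"]:6} '
              f'{r["tier"]:9} due {r["deadline"]} {flag}')
```

Run on the outbreak date, the exposed file server with MS17-010 missing lands at the top of the queue and is flagged overdue by seven weeks, while the internal application with the higher raw CVSS score is still inside its window. The kiosk on an isolated VLAN still ranks above it, because a wormable, publicly exploited bug spreads laterally once anything inside is compromised.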