In the wake of the global WannaCry ransomware attack that hit hundreds of thousands of computers across more than 100 countries, security researchers continue to warn of more dangerous malware built from the same cache of hacking tools stolen from the US National Security Agency (NSA).
WannaCry has since inspired the Petya attack, which infected machines worldwide, initially via compromised updates to Ukrainian tax accounting software.
A common preventive measure against ransomware is to train users to spot phishing links. But WannaCry and the attacks that followed it do not rely on email as their main infection vector, even though they may also be delivered as an email attachment. With WannaCry, the worm component packaged with the EternalBlue exploit spreads the ransomware on its own, through a known Server Message Block (SMB) vulnerability in Windows.
Microsoft released patches for the vulnerability in March for all supported operating systems. But the enormous number of machines worldwide still running the no-longer-supported Windows XP were left exposed.
Petya likewise used a combination of stolen credentials and the EternalBlue exploit to disrupt computer systems in more than 60 countries. Unlike WannaCry, however, it behaves more like a wiper than ransomware, seemingly aimed at disrupting systems rather than reaping financial gain.
Dave Farrow, senior director of Information Security at Barracuda Networks, highlighted another inconvenient truth. “Responsibly disclosing vulnerabilities and creating patches are just the beginning of the solution,” he said. “Without the processes and resources to regularly apply system updates and to deal with the things that break – before it’s an emergency – simply accepting the risk of running unsupported software will frequently remain more palatable than the alternative.”
So there is no guarantee that computers still receiving vendor updates and support are immune to the outcome of the WannaCry and Petya attacks. A recent survey conducted by Enterprise Management Associates found that 74% of cybersecurity professionals report being overwhelmed by the volume of vulnerability maintenance work they face, while 79% of them rely on a patching approval process that is mostly manual.
The problem, then, lies with the patching process as a whole. Most major attacks in the past few years have targeted known vulnerabilities for which patches existed before the outbreaks.
Indeed, the moment a patch is released, attackers make a concerted effort to reverse engineer it, identify the vulnerability, and develop and release exploit code within hours or days. Ironically, the period immediately after a patch is released is a particularly vulnerable moment for most organizations, because of the lag in obtaining, testing, and deploying it.
“Every organization on this planet has an upper limit to their patching speed,” Anton Chuvakin, research VP and Distinguished Analyst at Gartner, once suggested. “If you can work really hard and shrink your patching window from 90 days to 30 days, meanwhile the attacker gets in within 3 days of patch release date, is your work really justified? Maybe other safeguards should be considered instead.”
For instance, Chuvakin urged organizations to mitigate more, especially if they cannot fix the issue and cannot accept the risk. “Generally, [organizations don’t do that] because mitigation, some call it ‘virtual patching’, requires controls and controls cost money and/or time to understand, deploy, manage, update, tune, et cetera,” he said.
This reminder is timely, given that many organizations, for various reasons, never get around to implementing a patch at all. But investing time and money in controls enables virtual patching, which can be done faster than manual patching and sometimes without the system owner's participation.
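As an added illustration of the compensating controls Chuvakin describes (this is example code written for this page, not code from the article, Barracuda, Gartner or Microsoft), the following PowerShell script audits and reduces a Windows host's exposure to the SMB vector that EternalBlue abuses: it reports whether SMBv1 is enabled and whether port 445 is listening, disables SMBv1, blocks inbound TCP 445 at the host firewall on non-domain network profiles, and checks for the vendor patch by KB number. It assumes Windows 8 / Server 2012 or later (the SmbShare and NetSecurity modules) and an elevated session; the KB identifier is a placeholder, since the article does not name the update.

```powershell
# Added example: compensating controls ("virtual patching") for the SMB vector.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
# The KB number below is a PLACEHOLDER; replace it with the vendor's own ID.
#Requires -RunAsAdministrator

$PatchKb = 'KB0000000'   # placeholder, not taken from the article

function Get-SmbExposure {
    # Gather the facts a defender needs before deciding to mitigate or patch.
    $smb = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled    = $smb.EnableSMB1Protocol
        PatchInstalled = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
        Port445Listen  = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                                    -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1 {
    # SMBv1 is the protocol version the exploit targets; turning it off removes
    # the attack surface even on a host that has not yet received the patch.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # On client SKUs the optional feature can be removed as well (ignored elsewhere).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
}

function Block-InboundSmb {
    param([string[]]$Profile = @('Public', 'Private'))
    # Host-firewall control: drop inbound SMB on non-domain networks so a worm
    # on the same LAN cannot reach port 445. Domain-joined file servers keep
    # serving; narrow the -Profile or add -RemoteAddress scoping if needed.
    $name = 'Block inbound SMB 445 (compensating control)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile $Profile -Action Block | Out-Null
    }
}

# Usage: audit, apply the controls, audit again, and keep both records
# so the change is documented even when the real patch lands later.
$before = Get-SmbExposure
Disable-Smb1
Block-InboundSmb
$after = Get-SmbExposure
"Before:"; $before | Format-List
"After:";  $after  | Format-List
```

The point of recording the before and after state is that a control like this is a stopgap: the audit output shows `Smb1Enabled` flipping to false and the firewall rule in place, while `PatchInstalled` stays false until the real update is deployed through the normal patching process.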
At present, the US National Institute of Standards and Technology recommends that organizations deploy enterprise patch management tools using a phased approach; keep the components of the patching solution tightly secured and up to date, and test them before deployment; and balance the need to get patches applied against the need to preserve service reliability and availability.
In the aftermath of the WannaCry and Petya attacks, a mature patch and vulnerability management program would leave an organization better placed to deal proactively, rather than reactively, with future forms of ransomware.
Jonathan Tanner, Barracuda software engineer and security blogger, also advised organizations to keep current on updates, especially for technologies with a history of multiple vulnerabilities, and to maintain active subscriptions to anti-virus solutions.
“Deploy a powerful email security gateway to protect your users from these attacks,” Tanner added. “Back up all of your data on a regular basis.” Only by understanding the risk of cyberattack, maintaining user training and awareness initiatives, and establishing a well-tested disaster recovery plan can organizations ensure end-to-end protection of critical business data.
This is a QuestexAsia feature commissioned by Barracuda Networks.