The WannaCry ransomware worming its way through thousands of corporate Windows computers is a sober reminder of the importance of safeguarding software, particularly when patches become available for critical vulnerabilities. And while it’s easy to shame affected companies for failing to patch their software, cybersecurity experts say the calculus is much more difficult. Regardless, the experts agree that WannaCry was serious enough that it warranted immediate patching.
Quick recap: Last Friday, hackers unleashed malware that began spreading among computers, shutting them down by encrypting data and then demanding a ransom of $300 to unlock them. This ransomware, built with the EternalBlue Server Message Block worm that hackers stole from the National Security Agency, impacts computers running Windows 7 and Windows XP.
Microsoft issued a security update to stop WannaCry from impacting Windows 7 on March 14. It released a similar patch for Windows XP, which the company ceased supporting in 2014, over the weekend. But WannaCry’s spread has been swift, with more than 200,000 computers at FedEx, Renault, the National Health Service (NHS) and other organizations spanning 150 countries falling prey to the ransomware. And WannaCry could signal the beginning of a broader attack, as a variant of the ransomware began impacting computers on Monday.
To patch or not to patch
The news has thrown IT departments into chaos. As CIOs and CISOs scramble to mitigate damage, it’s worth exploring the process enterprises use in deciding whether to patch or not.
Mike Viscuso, CTO of cybersecurity firm Carbon Black and a former NSA analyst, says that IT teams conduct monthly or quarterly rounds of patching and upgrades for dozens or even hundreds of applications they’ve developed in-house. Prior to rolling out patches, IT departments conduct regression testing to ensure their custom software will still work with the new code.
Troy Hunt, a Microsoft regional director who conducted multiple OS and browser upgrades while working at Pfizer, says one of the most painful and costly parts of patching was ensuring compatibility with existing software.
“The last one I recall was simply an Internet Explorer upgrade and the cost of rectifying nonfunctional web apps within the organization was a seven-figure amount,” Hunt wrote on his blog. “Organizations need to be proactive in monitoring for, testing and rolling out these patches. It’s not fun, it costs money and it can still break other dependencies, but the alternative is quite possibly ending up like the NHS or even worse.”
Failing to test patches for incompatibilities is risky, Viscuso says. For instance, if a financial services firm breaks a crucial high-speed trading application while conducting an upgrade, it will have to shut down the application and fix the code, costing the company potentially tens of millions of dollars in downtime.
Damned if you do …
But failing to keep up with patching also courts risks.
When a vendor launches a patch outside of its normal patch cycle, as Microsoft did when it released MS17-010 on March 14, it disrupts the cadence that companies have built into their IT and business processes. Viscuso says many companies wait until the next patching cycle to roll out something. That’s why so many companies were impacted by WannaCry; they simply didn’t patch when Microsoft made its upgrade available.
Patching the vulnerability that cracked open the door to WannaCry was a no-brainer despite the challenges it presented, because it was capable of being exploited remotely, says Steve Grobman, CTO of security software maker McAfee. Simply making a network connection with a machine introduced the threat.
But because this patch dealt with the Server Message Block — the part of the OS that enables file-sharing — the likelihood of breaking applications during patching was also high. The risk was particularly steep for organizations with large numbers of legacy applications, some of which were two or more decades old and whose developers may no longer be alive, Grobman says. For that reason, many companies simply elected not to patch.
“They’ve been leaving the pot on the stove while they go to work for many years and there hasn’t been an issue,” Grobman says. “When you exhibit risky behavior, just because something bad doesn’t happen shouldn’t imply something risky couldn’t happen.”
Grobman expects CIOs will recalibrate their IT processes to take a much more aggressive approach to patching. This is important at a time when the Shadow Brokers hacker collective, which claims to have stolen EternalBlue and other exploits from the NSA, says that more exploits are on the way.
But with roughly 5,000 new vulnerabilities emerging every year, it will be impossible for CIOs to patch every hole, says Carbon Black’s Viscuso. He says that CIOs must rank the ones that pose the greatest threat to their businesses, test them and schedule upgrades.
The takeaway for CIOs: Keep your work computers updated with patches on a regular basis and apply emergency patches as needed. Ensure PCs are running a current operating system and manage your anti-virus software to maintain updated virus definitions. Back up PCs and servers nightly so if ransomware does get into your network, you can restore resources quickly.