By now, you've probably heard about the ransomware that hit 99 countries across the globe. Recent reports suggest the ransomware was able to spread so quickly because companies had failed to apply application and system patches, indicating many institutions may have to revisit their patch management processes.
The Guardian linked the ransomware to a cache of "cyber weapons" allegedly stolen from the U.S. National Security Agency by a group called Shadow Brokers. The ransomware, called "WanaCryptor 2.0" or "WannaCry," exploited a vulnerability in Windows. Although Microsoft released a patch for that particular flaw, machines without the security update were susceptible to WannaCry.
WannaCry Details and Patch
Once WannaCry infects a machine, it encrypts all of the files on the computer and notifies the owner that the files cannot be accessed unless the victim pays $300 in Bitcoin to a specific web address. You can see the actual message in the tweet below:
[Embedded tweet: Forbes (@Forbes), May 15, 2017]
As mentioned, Microsoft had already released a patch for the vulnerability WannaCry exploits. Microsoft Security Bulletin MS17-010 (rated Critical) explains that the vulnerability lies in the way the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker could exploit the flaw by crafting a special packet and sending it to an SMBv1 server.
Microsoft did provide a workaround for organizations running Windows 8.1, Windows Server 2012 R2 and later versions that cannot implement the patch in the immediate future. For example, sysadmins managing Windows Server can go to Server Manager, click the Manage menu and select "Remove Roles and Features." In the Features window, sysadmins need to uncheck SMB 1.0/CIFS File Sharing Support, click OK, and restart their servers.
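The same workaround can be scripted so it is applied and verified consistently across many hosts. The following PowerShell is an added example, not code from the article or from Microsoft: it reports the current SMBv1 state, disables the SMBv1 server immediately, and removes the feature (the command-line equivalent of unchecking "SMB 1.0/CIFS File Sharing Support"). It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the `$Ms17010KbId` value is a placeholder, because the KB number for MS17-010 differs per Windows version and the article does not list them.

```powershell
# Added example (not from the original article): audit and disable SMBv1 on a
# Windows 8.1 / Server 2012 R2 or later host as an interim workaround until the
# MS17-010 update can be installed. Run from an elevated PowerShell session.
# Assumption: local administrator rights and a maintenance window, because
# removing the SMB1 feature needs a restart to take full effect.

# Placeholder: the MS17-010 hotfix ID differs per Windows version. Fill it in
# from the bulletin for the OS you are auditing (this is not a real KB number).
$Ms17010KbId = 'KB<number-from-MS17-010-for-this-OS>'

function Test-IsServerOs {
    # ProductType 1 = workstation, 2 = domain controller, 3 = server.
    (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
}

function Get-Smb1Status {
    # Returns what the host currently advertises for SMBv1 so the change can be verified.
    $server = Get-SmbServerConfiguration
    $featureState = if (Test-IsServerOs) {
        (Get-WindowsFeature -Name FS-SMB1).InstallState            # ServerManager module
    } else {
        (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = $featureState
        Ms17010Installed  = [bool](Get-HotFix -Id $Ms17010KbId -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1Workaround {
    # Step 1: stop the SMB server from accepting SMBv1 right away (no restart needed).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Step 2: remove the feature so it cannot be switched back on by accident.
    if (Test-IsServerOs) {
        Uninstall-WindowsFeature -Name FS-SMB1 -Restart:$false
    } else {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
    Write-Warning 'SMBv1 disabled; restart the host to complete removal of the feature.'
}

# Typical use: record the state, apply the workaround, then record it again.
Get-Smb1Status | Format-List
Disable-Smb1Workaround
Get-Smb1Status | Format-List
```

Run `Get-Smb1Status` on its own first to see whether a host still has the SMBv1 server enabled, and again after the restart to confirm the feature is gone. Disabling SMBv1 closes the path WannaCry used, but it is a stopgap: the host still needs the MS17-010 update, and the `Ms17010Installed` field is there to keep that visible in the audit output.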
According to a separate story from The Guardian, WannaCry impacted operations at FedEx, Spanish telecom Telefónica, and the U.K.'s National Health Service. In fact, the NHS had to cancel operations, X-rays and other services as a result of the ransomware.
To protect themselves from future, inevitable ransomware attacks, affected companies should review their application patch management practices to identify opportunities for improvement.
Reassessing Your Patch Management Process
There are a number of things organizations can do to improve their patch management processes. The first step involves cataloging all of the systems they manage and run.
Research from Tripwire found most IT professionals either struggle to keep up with, or are "completely overwhelmed by," how many patches they need to address. Cataloging systems allows administrators to figure out which patches apply to which technologies. Ideally, the patch management system should feed patch alerts from software vendors into the catalog automatically, so that sysadmins don't have to enter available updates by hand.
The catalog must also possess a severity rating system similar to the one Microsoft uses to designate patches. For example, the software company uses four ratings:
- Critical: Vulnerabilities that allow malicious parties to execute code on a machine without having to interact with the owner of the machine.
- Important: Flaws that could enable hackers to steal or manipulate a user's data or a machine's computing resources.
- Moderate: Bugs that are tempered by authentication requirements.
- Low: Vulnerabilities that have a negligible impact on the system's integrity.
Organizations can use whatever rating system is most applicable to them. If the company in question typically uses Microsoft technologies, the aforementioned classification system may be the best option.
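To make the catalog idea concrete, here is an added PowerShell example, not code from the article, that joins a system inventory against a feed of vendor patch alerts and ranks the outstanding work using the four Microsoft severity ratings listed above. Every host, product and patch ID in it is constructed sample data (the IDs are deliberately not real KB numbers); the `Get-MissingPatches` function and its `-MinimumSeverity` parameter are this example's own names.

```powershell
# Added example (not from the original article): a minimal patch catalog that
# maps vendor patch alerts onto a system inventory and orders the work by
# severity. All inventory entries and patch alerts are constructed sample data.

# Rank lets us sort; lower number = more urgent. These are the four Microsoft ratings.
$SeverityRank = @{ Critical = 1; Important = 2; Moderate = 3; Low = 4 }

# Inventory: what we run (constructed). Product strings match what the alert feed uses.
$Inventory = @(
    [pscustomobject]@{ Host = 'fs-01'; Product = 'Windows Server 2012 R2'; Installed = @('KB-A1', 'KB-B2') }
    [pscustomobject]@{ Host = 'ws-17'; Product = 'Windows 8.1';            Installed = @('KB-A1') }
    [pscustomobject]@{ Host = 'db-03'; Product = 'Windows Server 2016';    Installed = @() }
)

# Patch alerts as they would arrive from the vendor feed (constructed; not real KB IDs).
$PatchAlerts = @(
    [pscustomobject]@{ PatchId = 'KB-C3'; Product = 'Windows Server 2012 R2'; Severity = 'Critical';  Title = 'SMBv1 remote code execution' }
    [pscustomobject]@{ PatchId = 'KB-C3'; Product = 'Windows 8.1';            Severity = 'Critical';  Title = 'SMBv1 remote code execution' }
    [pscustomobject]@{ PatchId = 'KB-D4'; Product = 'Windows Server 2016';    Severity = 'Important'; Title = 'Information disclosure' }
    [pscustomobject]@{ PatchId = 'KB-B2'; Product = 'Windows 8.1';            Severity = 'Moderate';  Title = 'Authenticated denial of service' }
    [pscustomobject]@{ PatchId = 'KB-E5'; Product = 'Windows Server 2016';    Severity = 'Low';       Title = 'Cosmetic fix' }
)

function Get-MissingPatches {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [object[]] $PatchAlerts,
        [ValidateSet('Critical', 'Important', 'Moderate', 'Low')] [string] $MinimumSeverity = 'Low'
    )
    $cutoff = $SeverityRank[$MinimumSeverity]
    foreach ($system in $Inventory) {
        foreach ($alert in $PatchAlerts) {
            # An alert applies only if the product matches, the patch is not yet
            # installed, and its severity is at or above the requested cutoff.
            if ($alert.Product -ne $system.Product) { continue }
            if ($system.Installed -contains $alert.PatchId) { continue }
            if ($SeverityRank[$alert.Severity] -gt $cutoff) { continue }
            [pscustomobject]@{
                Host     = $system.Host
                PatchId  = $alert.PatchId
                Severity = $alert.Severity
                Rank     = $SeverityRank[$alert.Severity]
                Title    = $alert.Title
            }
        }
    }
}

# Everything outstanding, most urgent first. Use -MinimumSeverity Important to get
# the shorter list a change board would approve in the current cycle.
Get-MissingPatches -Inventory $Inventory -PatchAlerts $PatchAlerts |
    Sort-Object Rank, Host |
    Format-Table Host, Severity, PatchId, Title -AutoSize
```

With the sample data the report lists the two Critical SMBv1 entries (fs-01 and ws-17) first, then db-03's Important patch, and only then the Moderate and Low items. In a real deployment the `$Inventory` array would be produced by your asset tool and `$PatchAlerts` by the vendor feed the article recommends ingesting automatically; the ranking logic stays the same, and the severity table can be swapped for whichever rating scheme the organization adopts.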
Patch management is, obviously, a complicated process. Organizations may benefit from getting outside opinions as to what's wrong with their current procedures and how to implement improvements. Third-party perspectives may reveal issues internal staff didn't even know to look for. Once those deficiencies are identified, the organization can take corrective action.