What We Learned From WannaCry

Josh Zelonis is irritated. The senior analyst at Forrester Research got more frustrated every day that he read coverage of WannaCry, the ransomware strain that ravaged the Internet last month.

Much of the public conversation focused on the NSA, arguing that it shouldn’t have let hackers (a mysterious group called the ShadowBrokers) steal its treasure chest of tools. Zelonis says that the NSA is a red herring.

Companies shouldn’t be blaming the Agency, he says. The theft and subsequent disclosure of NSA tools that exploited the vulnerability may have made the attack easier, but it certainly wasn’t necessary, he argues. “This didn’t have to come from a ShadowBrokers drop.”

“One of the chief complaints I have about what happened is that Microsoft released a patch for this over 60 days ago, on March 14th,” he says. “At this point in time, the entire security industry was aware that there was a remote code execution vulnerability in SMB.”

People have been reverse engineering Microsoft patches to create exploits for years, he explains. As soon as the patch was released, the ability to exploit the vulnerability it fixed was public.

“For over two months now, we have known that there was a vulnerability that had been patched in a service that is so pervasive that it would be an ideal candidate for something like this,” he adds.

Going through a rough patch

So why didn’t people apply the patch, he asks. “Where was the security community?”

The problem is that companies don’t patch instantly, for a variety of reasons. Even companies that are relatively diligent about patching may only roll out updates once each quarter, argues Eldon Sprickerhoff, chief security strategist and founder at security firm eSentire.

He points to companies running embedded versions of XP that are even harder to patch. In healthcare, a sector hit hard by WannaCry, the situation is particularly bad.

“In a single hospital, it’s not unusual for there to be a few dozen vendors in that system running diagnostic imaging and change management and everything that goes on top of this,” he says.

In many cases, IT staff won’t have access to these systems, and their vendors won’t touch them. “In a 24/7 environment, how do you patch systems that you rely on that you don’t have access to? There are vendors that sold the equipment 10-15 years ago and may have gone out of business,” he adds.

James Scott, senior fellow at the Institute for Critical Infrastructure Technology in the US, agrees, calling healthcare one of the most vulnerable sectors.

“They have more Frankenstein IoT microcosms at each organisation, so even if they have a more secure part of their network, it may be made insecure by a vulnerable device that has been plugged into that network and has no security on it,” he says. That becomes a critical injection point for malware.

Even patching equipment other than specialist medical devices can cause problems, though. In Australia, health authority Queensland Health inadvertently shut down the electronic health record systems at its hospitals after installing several software patches from firms including Microsoft, Cerner and Citrix, reportedly to combat WannaCry. The incident sent ward patients back to using pencil and paper, reports said.

What if you can’t patch?

“I don’t think people really have a solid understanding of the challenges behind patch management,” agrees Zelonis. If you’re going to run equipment that is past its end of life or otherwise unpatchable, then you need a plan. “How well known are these problems, and what does it take to really impact and draw attention to that?”

Organizations of all kinds need to follow two broad pieces of advice, he says. The first is to be aware when a critical vulnerability comes out, and enforce patching for that. This entails a degree of risk management that translates ‘can execute code remotely’ into something meaningful for decision makers.

The second piece of advice addresses mitigation methods if you can’t patch.

“In situations where you have systems that cannot be patched, you need to do something about that. You need a strategy to mitigate the risk of having unpatched systems,” Zelonis says.

The ICIT’s Scott points to machine learning as a tool to help solve the malware problem. Vendors are touting AI as a means to capture malicious behaviour before traditional anti-virus scanners detect a problem.

Zelonis highlights virtual patching as one stopgap for systems that, for whatever reason, can’t be patched immediately or at all. He mentions Trend Micro’s solution but we’ve written about others before.

Companies should segment their networks to stop lateral movement in case malware does make its way in, he says. Proper segmentation may also prevent worm-like malware such as WannaCry from spreading throughout your entire network by limiting internal propagation to IP addresses based on a local subnet mask.
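One way to check that segmentation actually contains SMB traffic, as an added example that is not part of the original article: the script below scans firewall flow records for allowed TCP 445 connections that leave their source segment, then ranks the source hosts by how many other segments they reach. The segment names, address ranges and flow records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SMB_PORT = 445  # SMB over TCP, the service the patch discussed above fixed

# Constructed segment plan (assumption): segment name -> address range
SEGMENTS = {
    "clinical": ipaddress.ip_network("10.10.1.0/24"),
    "imaging": ipaddress.ip_network("10.10.2.0/24"),
    "office": ipaddress.ip_network("10.10.3.0/24"),
}

# Constructed flow records: (source, destination, destination port, action)
FLOWS = [
    ("10.10.3.15", "10.10.3.20", 445, "ALLOW"),  # stays inside "office"
    ("10.10.3.15", "10.10.1.7", 445, "ALLOW"),   # office -> clinical
    ("10.10.3.15", "10.10.2.9", 445, "ALLOW"),   # office -> imaging
    ("10.10.3.15", "10.10.2.10", 445, "DENY"),   # blocked by the firewall
    ("10.10.1.7", "10.10.2.9", 443, "ALLOW"),    # not SMB
    ("10.10.2.9", "192.0.2.50", 445, "ALLOW"),   # leaves every known segment
]

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if none matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"  # malformed address in the log
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def cross_segment_smb(flows):
    """Allowed SMB flows that cross a segment boundary, grouped by segment pair."""
    findings = defaultdict(set)
    for src, dst, port, action in flows:
        if port != SMB_PORT or action != "ALLOW":
            continue
        s, d = segment_of(src), segment_of(dst)
        if s != d or s == "unknown":
            findings[(s, d)].add((src, dst))
    return {pair: sorted(hosts) for pair, hosts in findings.items()}

def widest_reach(findings):
    """Source hosts ranked by how many foreign segments they reach over SMB."""
    reach = defaultdict(set)
    for (_, dst_seg), pairs in findings.items():
        for src, _ in pairs:
            reach[src].add(dst_seg)
    return sorted(((s, sorted(g)) for s, g in reach.items()), key=lambda r: -len(r[1]))
```

Every pair returned by `cross_segment_smb` is a path a worm that spreads over SMB could follow out of one segment, so an empty result is the goal for segments that have no business need to share files.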

None of this is simple, but it’s worth pursuing. Fast-spreading self-propagating malware like WannaCry comes along every couple of years, and it can be devastating. Software patching still stands out as one of four basic cybersecurity practices outlined by the Australian Signals Directorate. In 2017, we should be doing better.