The spread of the WannaCry ransomware, which to date has affected more than 200,000 computers worldwide, has, perhaps unsurprisingly, led many businesses to think about the effectiveness of their information security.
WannaCry, also known as WanaCrypt0r 2.0 and WCry 2, is designed to take advantage of a flaw in the Windows operating system affecting all versions up to and including Windows 8. A free update to address the flaw was released by Microsoft in March this year, but crucially this did not originally include a fix for XP – an old version of the OS still running on an estimated 140 million computers but not supported without a custom plan in place with the company.
The problem of keeping systems up-to-date
Keeping infrastructure regularly updated to protect against the latest threats is undoubtedly an important part of IT management. Consequently, while it is easy to pass harsh judgment on those businesses that fail to have strict procedures in place, it’s important to recognise that for many organisations, system maintenance isn’t always as easy as enabling automatic updates or clicking ‘upgrade’.
For organisations like the UK’s National Health Service that have large IT estates and/or lots of highly technical systems and specialist equipment, updates could result in many unintended consequences. Fear of widespread service disruption is a key reason that updates are not always installed in a timely manner, and in the case of operating system upgrades, delays can be indefinite.
Because in-house resources are often stretched, testing the effect of software upgrades and patches before and after they are applied can be very labour intensive, and testing is often unable to recreate all use cases and scenarios. Many updates require systems to be rebooted, but scheduling downtime can often prove extremely difficult, especially in 24/7 operations where every second of lost time can cost productivity and, in extreme cases, lives.
Understanding information security risk
To begin implementing a successful patch management strategy designed to keep business disruption to a minimum, organisations need to fully understand their level of information security risk. Assigning ownership of patch management to an individual or team is a good starting point; however, given the time-consuming and complex nature of the task, it can also prove beneficial to enlist independent expertise.
Support from a specialist cyber security provider such as Redscan could help an organisation to conduct regular assessments of infrastructure, define, identify and classify vulnerabilities across its estate, and provide the leadership needed to drive adoption of policies, procedures and controls.
In cases where it might not be possible to implement patches immediately, a managed cyber security company could recommend and implement supplementary controls to mitigate the risk of incurring any lengthy deployment delays.
Mitigating threats with managed detection
One increasingly valuable solution to help mitigate information security risk could include a managed threat detection and response (MDR) service. Rolling expert security technology, intelligence and personnel into a monthly subscription service, MDR is designed to proactively identify malicious threats such as malware and provide the vital assistance to lock down threats before they spread.
With breaches now an operational reality for businesses of all sizes and the incoming Global Data Protection Regulation (GDPR) enforcing a large fine for organisations that fail to implement appropriate information security controls and respond swiftly to breaches, an MDR service such as ThreatDetect could help to provide an additional layer of defence.
Being prepared for the next attack
The damage and disruption caused by the WannaCry ransomware acts as an important wake-up call to organisations everywhere about the need to put in place firmer cyber security controls.
Implementing effective security procedures, such as highly controlled patch management, isn’t easy. By taking ownership of the situation, raising company-wide awareness of cyber security and calling upon the help of specialist personnel, it is possible to adopt a more mature approach to security.
Cyber threats will continue to evolve to exploit new vulnerabilities, but by being proactive rather than reactive it’s possible to greatly reduce the damage that attacks can cause.