Patching and Policy Lessons Learned from WannaCry

The UK’s National Cyber Security Centre (NCSC) dubbed the WannaCry outbreak the biggest test of 2017, after it wreaked chaos across the world, hitting more than 230,000 computers in 150 countries and crippling National Health Service (NHS) Trusts, specifically in the U.K.

On May 12, 2017, this unique strain of malware was combined with EternalBlue, a leaked National Security Agency (NSA) hacking tool, which allowed it to spread at the speed of light. This potent combination meant that WannaCry could use worm-like capabilities to self-propagate on vulnerable Windows operating systems.

In the end, 338 victims paid the demanded ransom, but the true impact of WannaCry reached far beyond the $140,000 that the attackers cashed out in August. The scale of this outbreak highlighted the dangers of cyber-attacks in a way that hadn’t been impressed upon organizations before.

Stopping a sinking ship
Looking back, this particular breach was felt by so many, and so strongly, primarily because of the sheer volume of Windows users in organizations all over the world. Yet this large-scale, global attack could have been minimized by something as simple as a routine patch test.

It hammered home the point that IT professionals need to become more mindful of the consequences of not rolling out patches regularly. Sure, patches are thought of as a protective measure, but if they aren’t installed and rolled out frequently, this can be the same as having a massive sign hanging over your organization showing cyber-criminals exactly where to hit so it hurts the most.

For attackers, it becomes as simple as scanning online public databases, which will throw up an array of vulnerabilities that hackers are then free to exploit. Without regular, routine updates, these databases can become a handbook that anyone can pick up to get in and breach your data. IT and cybersecurity professionals who don’t make patching a priority are essentially shining a light on their organization’s weaknesses.

It’s easy to see how patching might be forgotten. Typically, in smaller organizations, IT professionals are forced to wear multiple hats, making them responsible for a breadth of activity that would, in a larger enterprise, be divided across an entire department. This includes everything from cybersecurity and networking, to cloud migration, monitoring, and reporting.

Even if it’s an immediate concern, patching can be an additional cost weighing down already tight budgets for organizations that don’t currently have the proper tools, systems, and processes in place.

The cost of downtime vs. the cost of staying down
While patching is important, the process to implement it is not always straightforward. In today’s always-on world, downtime is not an option. Applications and servers need to be online 24 hours a day, 365 days a year, and 100% available, in order to avoid unhappy customers and potential lost revenue.

For IT professionals, it might seem that patch installation times will affect this—at least temporarily while applications and services go down for tests. Sure, the resulting downtime can be costly, but the key thing to remember is that, with patching, we’re talking about losing a few hours through a process that’s entirely within the organization’s control and that can be arranged at a time that causes the least disruption. It’s worth taking a moment to consider the alternative. 

Moving forward 
Although software patching is critical for IT security, IT administrators managing this process can spend an exorbitant amount of time manually applying and tracking updates on each individual device across an entire IT infrastructure. Instead, many choose to automate this process, not only for software patching, but also to enable adjustments to servers and workstations from a centralized location.

Automated solutions can be used to bridge the gaps left by manual patching efforts. By automating patching across servers and workstations, IT professionals can reduce security risks and limit the service interruption that comes with manual patching, all the while ensuring that patches are applied where and when they need to be.

With this, IT professionals can stay on top of vulnerabilities and produce summary reports that show patching status from across the organization, without needing to take long periods of time to manually update each server.   

A watertight cybersecurity strategy 
Today, cybercrime is becoming more and more prevalent. A watertight cybersecurity strategy is much like insurance—you don’t think you’re going to need it until you do. It will ultimately fall to IT professionals to ensure that cybersecurity stays top of mind and central to an organization’s assessment of its financial health.

Attacks like WannaCry sent shockwaves across the world, showing the potential impact of hacks and breaches. These landmark attacks are an important reminder of what can happen when things go wrong and carry important lessons for IT professionals looking to protect their organizations—with patching being front and center.
