By now, you’ll know all about WannaCry – a ransomware attack that ran rampant late last week and over the weekend. While ransomware attacks suck – they can cost a lot to recover from whether you measure that in ransoms or time lost in recovery – the worrying thing about WannaCry was the attitude of many organisations when it comes to updates and patching.
A great explanation of WannaCry’s modus operandi by Troy Hunt was published over the weekend.
It’s important to note the computers that were vulnerable to this attack fell into two main groups: those running out-of-support versions of Windows, such as Windows XP, for which no fix existed when the worm started spreading, and those running supported versions (overwhelmingly Windows 7) that had not been given the March 2017 security update, MS17-010, that closed the SMBv1 hole the worm exploited.
I understand the pain of upgrading operating systems in large environments. And I know it can be challenging, particularly in resource-poor businesses, to have the systems and manpower to keep everything patched. But WannaCry is an object lesson in what happens when we don’t carry out basic cyber hygiene.
The ASD Essential Eight security recommendations include patching as a critical risk mitigation activity. And when you look at most of the security reports released by both vendors and independent researchers, you see that the vast majority of successful attacks exploit CVEs for which a patch already exists but has not been applied.
Windows XP came out of support over three years ago. And supported versions of Windows, Windows 7 and Windows 10 among them, were patched for the vulnerability exploited by WannaCry two months ago.
I believe the rapid spreading of WannaCry and its impact on the healthcare industry, which was heavily targeted, should act as a wakeup call for all businesses.
It’s no longer enough to say moving to newer software is too hard or that patching is a pain. The risks of attack are real, but they can be mitigated. They might never be completely removed, but you can make it as hard as possible for the bad guys.
When a cyber-attack is financially motivated, the most effective defence is to make the cost of attack so high that it’s not economically viable for the threat actor. That means making life hard. Up-to-date operating systems that are patched, and robust endpoint security software, are critical. If you must run legacy software, then look for ways to isolate it from external threats: block the network services it doesn’t need, and keep what remains reachable only from the hosts that genuinely need it.
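To make the last two points concrete, here is an added example (my own, not code from the original post or from Troy Hunt’s write-up) that audits a single Windows host for the exposure WannaCry relied on and then applies the two mitigations that don’t require an operating system upgrade: turning off SMBv1 and blocking inbound SMB at the host firewall. It assumes an elevated PowerShell prompt on Windows 7 SP1 / Server 2008 R2 or later. The `$Ms17010Kbs` list holds the KB IDs from the March 2017 MS17-010 release; on a host that has taken later cumulative updates those IDs won’t appear in `Get-HotFix` even though the fix is present, so the `srv.sys` version, checked against the table in the MS17-010 bulletin, is the authoritative signal. The firewall rule name is arbitrary.

```powershell
# Added example for this post (not the author's code): audit one Windows host for
# the exposure WannaCry used, then apply the mitigations that need no OS upgrade.
# WannaCry's worm component spread over SMBv1 (TCP 445) using the flaw fixed by
# MS17-010 in March 2017.
# Assumptions: elevated PowerShell on Windows 7 SP1 / Server 2008 R2 or later.
# $Ms17010Kbs lists the March 2017 KB IDs; later cumulative updates supersede them,
# so compare SrvSysVersion against the MS17-010 bulletin rather than trusting
# an empty KB list alone.

$Ms17010Kbs = @('KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
                'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
                'KB4012214', 'KB4012217',   # Server 2012
                'KB4012598',                # XP / Vista / Server 2003 (out-of-band, May 2017)
                'KB4012606', 'KB4013198', 'KB4013429')  # Windows 10 1507 / 1511 / 1607

function Get-Ms17010Status {
    # Report what we can see: matching KBs (if any) and the SMB server driver version.
    $found = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID
    $srv = Get-Item "$env:windir\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $srvVersion = 'n/a'
    if ($srv) { $srvVersion = $srv.VersionInfo.FileVersion }
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = [Environment]::OSVersion.Version.ToString()
        Ms17010KbFound = ($found -join ',')
        SrvSysVersion  = $srvVersion
    }
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: SMB1 is on unless this value is explicitly 0.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1 {
    # Server side: stop this host from accepting SMBv1 connections.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side: drop the workstation service's dependency on mrxsmb10, then disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Warning 'SMBv1 disabled; reboot for the change to take full effect.'
}

function Block-InboundSmb {
    # For hosts that do not serve file shares (most workstations and legacy application
    # servers): refuse inbound SMB on every network profile. Note this also blocks
    # admin shares (C$, ADMIN$) and remote tools that ride on them. A genuine file
    # server needs network-level segmentation instead of this rule.
    $name = 'Block inbound SMB (TCP 139,445)'   # arbitrary rule name
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                            -LocalPort 139,445 -Action Block -Profile Any | Out-Null
    } else {
        netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=139,445 | Out-Null
    }
}

# Report first, then remediate only what is actually exposed.
Get-Ms17010Status | Format-List
if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled on this host.'
    Disable-Smb1
}
Block-InboundSmb
```

Run it once per host (or wrap the report function in `Invoke-Command` across a fleet) and treat any machine that shows SMBv1 enabled, an old `srv.sys`, or an out-of-support OS version as the legacy system the post is talking about: either it gets the update, or it gets the firewall rule and a network segment where nothing untrusted can reach port 445.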