Protect Your Unpatched Systems Against Malware
What do the Melissa virus, ILOVEYOU worm and the WannaCry ransomware have in common? After patches were made available, they were still successfully spreading. Secondary storage also played a role in these infections. As malware evolved from nuisance to profit-driven, secondary storage became less of an infection vector and more of an opportunity to ransom data.
I chose to highlight Melissa somewhat randomly, but mostly because it was 18 years ago and basic information security hygiene can still elude us. Conficker deserves an honorable mention, as it is still one of the most common pieces of malware in the wild, despite having been patched back in 2008.
If you have been reading Verizon’s Data Breach Investigations Report over the years, then the finding in the 2017 report that over half of breaches included malware exploiting previously patched issues may not have come as a surprise. However, a lack of patches is only part of the basic infosec hygiene failure behind these breaches. The report also found that 81% of hacking-related breaches leveraged stolen and/or weak passwords.
Get Back to the Information Security Basics
Although it can be easy to point a finger at an organization’s patching practices, IT and security operations are complicated and varied, and they need to remain transparent to the business side. Patching is hard and not without issues. Take, for instance, the May 2017 Windows 10 cumulative updates that left many facing more issues than they had prior to patching, or the Windows 10 update that took machines offline. These are among the reasons organizations cannot patch immediately.
Unpatched machines and weak passwords are far from advanced persistent threats (APT). In fact, no amount of Cognitive Machine Learning, 4D, Blockchain, Natural Language or Next-Gen IoT Potato Security platforms would have stopped or lessened the impact as simply and inexpensively as the basics would. Don’t get me wrong. There is a real need for emerging security technologies. However, their efficacy depends on, and in many cases even assumes, that the basics have been addressed.
So let’s get back to the basics. At a high level, there are two places we must begin:
- Improving processes so problems are anticipated and prevented
- Planning for success by gathering facts about the current state, the desired state and the gaps between them that need to be closed
There is simply no escaping the need to automate process improvements in a mature systems governance program. A layer down from process improvement and artifact gathering are the tasks that must be automated:
Develop an Effective Patch Management Process
Develop an up-to-date inventory of all production systems. For each system this requires:
- OS types (and versions)
- IP addresses
- Function/Application dependencies (parent & child)
Maintain a patch ledger & acquire patches
- Subscribe to notifications that alert you to patches as they are made available
Validate & report
- Validate that systems received the patch and have been successfully restarted
- Report systems that have not been patched
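As an added example (not the post’s own code or the utility it links to), here is the validate-and-report step from the list above, written in Python over a constructed inventory, patch ledger and per-host telemetry: hostnames, addresses and patch IDs are placeholders, not real KB numbers. It flags the three states the process must catch: a required patch missing, a patch installed but the host not restarted since, and an inventoried host that reported nothing at all.

```python
from datetime import datetime

# Constructed sample data (placeholders, not from the post). On real Windows
# hosts the installed-patch and last-boot values would come from Get-HotFix
# and Win32_OperatingSystem.LastBootUpTime.
INVENTORY = {  # hostname -> OS version, IP address, parent dependency
    "fs01": {"os": "win2012r2", "ip": "10.0.1.10", "parent": None},
    "app01": {"os": "win2016", "ip": "10.0.1.20", "parent": "fs01"},
    "ws17": {"os": "win10-1703", "ip": "10.0.2.17", "parent": "app01"},
    "ws18": {"os": "win10-1703", "ip": "10.0.2.18", "parent": "app01"},
}
LEDGER = {  # patch ledger: patches required per OS version
    "win2012r2": {"PATCH-S1"},
    "win2016": {"PATCH-S2"},
    "win10-1703": {"PATCH-C1", "PATCH-C2"},
}
TELEMETRY = {  # per host: installed patch -> install time, and last boot time
    "fs01": {"installed": {"PATCH-S1": datetime(2017, 5, 12, 3, 0)},
             "last_boot": datetime(2017, 5, 12, 3, 30)},
    "app01": {"installed": {"PATCH-S2": datetime(2017, 5, 12, 4, 0)},
              "last_boot": datetime(2017, 5, 1, 0, 0)},   # patched, never rebooted
    "ws17": {"installed": {"PATCH-C1": datetime(2017, 5, 12, 5, 0)},
             "last_boot": datetime(2017, 5, 12, 6, 0)},   # PATCH-C2 missing
    # ws18 reported nothing: silence from an inventoried host is a finding too
}

def validate_host(host):
    """Return (status, detail) for one inventoried host."""
    os_version = INVENTORY[host]["os"]
    required = LEDGER.get(os_version)
    if required is None:
        return "unknown-os", os_version          # ledger has no entry for this OS
    data = TELEMETRY.get(host)
    if data is None:
        return "no-telemetry", INVENTORY[host]["ip"]
    missing = sorted(required - set(data["installed"]))
    if missing:
        return "missing", ",".join(missing)
    # A patch installed after the last boot has not taken effect yet.
    latest_install = max(data["installed"][p] for p in required)
    if data["last_boot"] < latest_install:
        return "reboot-pending", latest_install.isoformat()
    return "patched", ""

def report_unpatched():
    """Hosts not fully patched and restarted, parents before their dependents."""
    def depth(host):
        d, parent = 0, INVENTORY[host]["parent"]
        while parent:
            d, parent = d + 1, INVENTORY[parent]["parent"]
        return d
    rows = [(h, *validate_host(h)) for h in INVENTORY]
    return sorted((r for r in rows if r[1] != "patched"), key=lambda r: (depth(r[0]), r[0]))
```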
Vulnerability and patch management isn’t easy. In fact, it is growing in complexity and remains a never-ending cycle. By getting back to the basics, you’ll be ahead of the curve when the next malware event occurs.
To automatically find and fix your unpatched systems, please download our free Shadow Brokers Vulnerability Utility: http://go.stealthbits.com/shadow-brokers-vulernability-utility