{"id":7640,"date":"2017-05-14T18:00:35","date_gmt":"2017-05-15T02:00:35","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/05\/14\/news-1425\/"},"modified":"2017-05-14T18:00:35","modified_gmt":"2017-05-15T02:00:35","slug":"news-1425","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/05\/14\/news-1425\/","title":{"rendered":"WannaCry &amp; The Reality Of Patching"},"content":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Mon, 15 May 2017 00:46:55 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-300x169.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-768x432.jpg 768w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-1024x576.jpg 1024w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-640x360.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-900x506.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-440x248.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-380x214.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed.jpg 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p><em>[<strong>Editors note:<\/strong> For the latest WannaCry information as it relates to Trend Micro products, <a 
href=\"https:\/\/success.trendmicro.com\/solution\/1117391-updates-on-the-latest-wcry-wannacry-ransomware-attack-and-trend-micro-protection\">please read this support article<\/a>.]\u00a0<\/em><\/p>\n<p><span style=\"font-weight: 400\">The<\/span><a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/Ransom_Wana.A\"> <span style=\"font-weight: 400\">WannaCry<\/span><\/a><span style=\"font-weight: 400\"> ransomware<\/span><a href=\"https:\/\/www.virustotal.com\/en\/file\/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\/analysis\/\"> <span style=\"font-weight: 400\">variant of 12-May-2017<\/span><\/a><span style=\"font-weight: 400\"> has been engineered to take advantage of the most common security challenges facing large organizations today. Starting with a basic phish, this variant uses a recent vulnerability (<\/span><a href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-0144\"><span style=\"font-weight: 400\">CVE-2017-0144<\/span><\/a><span style=\"font-weight: 400\">\/<\/span><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\"><span style=\"font-weight: 400\">MS17-010<\/span><\/a><span style=\"font-weight: 400\">) to spread unchecked through weaker internal networks, wreaking havoc in large organizations.<\/span><\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Check out this NYT post, they made a really cool time based map with my data <a href=\"https:\/\/t.co\/K7lVjagq29\">https:\/\/t.co\/K7lVjagq29<\/a><\/p>\n<p>&mdash; MalwareTech (@MalwareTechBlog) <a href=\"https:\/\/twitter.com\/MalwareTechBlog\/status\/863202442971893760\">May 13, 2017<\/a><\/p>\n<\/blockquote>\n<p><span style=\"font-weight: 400\">The gut reaction from those on the sidelines was\u2013understandably\u2013\u201cWhy haven\u2019t they patched their systems?\u201d Like most issues in the digital world, it\u2019s just not that simple. 
While it\u2019s easy to blame the victims, this ransomware campaign really highlights the fundamental challenges facing defenders.<\/span><\/p>\n<p><span style=\"font-weight: 400\">It\u2019s not the latest zero-day\u2014a patch for<\/span><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\"> <span style=\"font-weight: 400\">MS17-010<\/span><\/a><span style=\"font-weight: 400\"> was available 59 days <\/span><b>before<\/b><span style=\"font-weight: 400\"> the attack\u2014or a persistent attacker. One of the biggest challenges facing the security community today is effectively communicating cybersecurity within the larger context of the business.<\/span><\/p>\n<h2><b>Patch\u2026Now<\/b><\/h2>\n<p><span style=\"font-weight: 400\">A common refrain in the security community is that patching is your first line of defence. Despite this, it\u2019s not uncommon for it to<\/span><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/companies-average-120-days-patch\/\"> <span style=\"font-weight: 400\">take 100 days<\/span><\/a><span style=\"font-weight: 400\"> or<\/span><a href=\"http:\/\/www.zdnet.com\/article\/financial-sector-takes-176-days-on-average-to-patch-security-vulnerabilities\/\"> <span style=\"font-weight: 400\">more<\/span><\/a><span style=\"font-weight: 400\"> for organizations to deploy a patch. Why?<\/span><\/p>\n<p><a href=\"https:\/\/www.cs.columbia.edu\/~smb\/blog\/2017-05\/2017-05-12.html\"><span style=\"font-weight: 400\">It\u2019s complicated<\/span><\/a><span style=\"font-weight: 400\">. But the reason can be boiled down roughly to the fact that IT is critical to the business. Interruptions are frustrating and costly.<\/span><\/p>\n<p><span style=\"font-weight: 400\">From the user\u2019s perspective, there is a growing frustration with the dreaded \u201cConfiguring updates. 25% complete. Do not turn off your computer\u201d screen. The constant barrage of updates is tiring and gets in the way of work. 
Making matters worse is the unpredictable nature of application behaviour post-patch.<\/span><\/p>\n<p><span style=\"font-weight: 400\">About 10 years ago, \u201cbest practices\u201d formed around extensive testing of patches before deploying them. At that time, the primary motivator was patch quality. It wasn\u2019t uncommon for a patch to crash a system. Today, patches occasionally cause these types of issues, but they\u2019re the exception, <\/span><b>not<\/b><span style=\"font-weight: 400\"> the rule.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The biggest challenge now is custom and third-party applications that don\u2019t follow recommended coding practices. These applications might rely on undocumented features, unique behaviours, or shortcuts that aren\u2019t officially supported. Patches can change the landscape, rendering critical business applications unusable until they too can be patched.<\/span><\/p>\n<p><span style=\"font-weight: 400\">This cycle is why most businesses stick to traditional practices of testing patches, which significantly delays their deployment. Investing in automated testing to reduce deployment time is expensive and a difficult cost to justify given the long list of areas that need attention within the IT infrastructure.<\/span><\/p>\n<p><span style=\"font-weight: 400\">This unrelenting river of patches makes it difficult for organizations to truly evaluate the risks and challenges of deploying critical security patches.<\/span><\/p>\n<h2><b>Legacy Weight<\/b><\/h2>\n<p><span style=\"font-weight: 400\">The argument around patching assumes\u2014of course\u2014that a patch is actually available to resolve the issue. This is <\/span><a href=\"https:\/\/en.wikipedia.org\/wiki\/Zero-day_(computing)\"><span style=\"font-weight: 400\">the zero-day<\/span><\/a><span style=\"font-weight: 400\">. 
While the threat of zero-days is real, long patch cycles mean the 30-day, 180-day, and forever-day are far more likely to be used in an attack. The<\/span><a href=\"http:\/\/www.verizonenterprise.com\/verizon-insights-lab\/dbir\/\"> <span style=\"font-weight: 400\">Verizon Data Breach Investigations Report<\/span><\/a><span style=\"font-weight: 400\"> consistently highlights how many organizations are breached using exploits of patchable vulnerabilities.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The WannaCry campaign used a vulnerability that was publicly known for 59 days. Unfortunately, we\u2019ll continue to see this vulnerability exploited for weeks\u2014if not months\u2014to come.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Making matters worse, MS17-010 was only patched on supported platforms, a position that Microsoft has since reversed when it<\/span><a href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/05\/12\/customer-guidance-for-wannacrypt-attacks\/\"> <span style=\"font-weight: 400\">issued a patch for all affected platforms<\/span><\/a><span style=\"font-weight: 400\"> (kudos to them for making that call). While it\u2019s logical only to provide patches for supported platforms, the reality is the \u201csupported\u201d number is far different than the \u201cdeployed\u201d number.<\/span><\/p>\n<p><span style=\"font-weight: 400\">We know that Windows XP, Windows Server 2003, and Windows 8 continue to live on &#8211; by some reports accounting for<\/span><a href=\"http:\/\/www.zdnet.com\/article\/windows-10-usage-share-continues-to-grow-but-enterprise-stays-on-sidelines\/\"> <span style=\"font-weight: 400\">11.6% of Windows desktops<\/span><\/a><span style=\"font-weight: 400\"> and<\/span><a href=\"https:\/\/community.spiceworks.com\/networking\/articles\/2462-server-virtualization-and-os-trends\"> <span style=\"font-weight: 400\">17.9% of Windows servers<\/span><\/a><span style=\"font-weight: 400\">. 
That\u2019s a lot of vulnerable systems that need to be protected.<\/span><\/p>\n<p><span style=\"font-weight: 400\">While there are third-party security solutions (some from Trend Micro) that can help address the issue, these legacy systems are a weight on forward progress. As a system ages, it\u2019s harder to maintain and poses a greater risk to the organization.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Malware, like the 12-May-2017 WannaCry variant, takes advantage of this fact to maximize the success of their attack\u2026and their potential profits.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Security teams need to help the rest of the IT teams explain the need to invest in updating legacy infrastructure. It\u2019s a hard argument to make successfully. After all, the business processes have adapted to these systems and, from a workflow perspective, they are reliable.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The challenge is quantifying the risk they pose (maintenance- and security-wise) or at least putting this risk in the proper perspective in order to make an informed business decision.<\/span><\/p>\n<h2><b>Critical\u2026For Real<\/b><\/h2>\n<p><span style=\"font-weight: 400\">All too frequently, vulnerabilities are flagged as critical:<\/span><a href=\"https:\/\/nvd.nist.gov\/vuln\/search\/results?adv_search=true&amp;form_type=advanced&amp;results_type=overview&amp;pub_date_start_month=0&amp;pub_date_start_year=2017&amp;pub_date_end_month=11&amp;pub_date_end_year=2017&amp;cvss_version=3&amp;cvss_v3_severity=CRITICAL&amp;cvss_v3_metrics=AV:N\"> <span style=\"font-weight: 400\">637 and counting<\/span><\/a><span style=\"font-weight: 400\"> so far in 2017, which is a faster pace than the<\/span><a 
href=\"https:\/\/nvd.nist.gov\/vuln\/search\/results?adv_search=true&amp;form_type=advanced&amp;results_type=overview&amp;pub_date_start_month=0&amp;pub_date_start_year=2016&amp;pub_date_end_month=11&amp;pub_date_end_year=2016&amp;cvss_version=3&amp;cvss_v3_severity=CRITICAL&amp;cvss_v3_metrics=AV:N\"> <span style=\"font-weight: 400\">1,057 reported in 2016<\/span><\/a><span style=\"font-weight: 400\"> (and these numbers are only for remotely exploitable vulnerabilities!). Your organization is not going to be impacted by all of these, but it\u2019s fair to say that you\u2019ll face a decision about a critical vulnerability once a month.<\/span><\/p>\n<p><span style=\"font-weight: 400\">To make the decision to disrupt the business, you\u2019re going to have to evaluate that impact. This is where organizations tend to falter. It\u2019s extremely difficult to boil the decision down to numbers.<\/span><\/p>\n<p><span style=\"font-weight: 400\">In theory, you should take the cost of downtime (when deploying the patch) and compare it to the cost of a breach.<\/span><a href=\"https:\/\/www.ibm.com\/security\/data-breach\/\"> <span style=\"font-weight: 400\">Ponemon and IBM<\/span><\/a><span style=\"font-weight: 400\"> have the cost of a data breach in 2016 at an average of $4 million USD (<\/span><a href=\"https:\/\/en.wikipedia.org\/wiki\/General_Data_Protection_Regulation\"><span style=\"font-weight: 400\">4% of worldwide turnover<\/span><\/a><span style=\"font-weight: 400\"> for EU companies). This means that you should always patch unless the downtime cost is more than $4 million.<\/span><\/p>\n<p><b>Except<\/b><span style=\"font-weight: 400\"> that it doesn\u2019t factor in the probability of that breach happening or the cost of using a security control to mitigate the issue. 
This is where it gets really complicated and highly individualized.<\/span><\/p>\n<p><span style=\"font-weight: 400\">The debate on how to properly evaluate this decision rages on in the IT community, but specific to WannaCry, the equation was actually pretty straightforward.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Microsoft issued<\/span><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\"> <span style=\"font-weight: 400\">MS17-010 in March, 2017<\/span><\/a><span style=\"font-weight: 400\"> and flagged it as critical. A month later, there was<\/span><a href=\"https:\/\/arstechnica.com\/security\/2017\/04\/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet\/\"><span style=\"font-weight: 400\"> a <\/span><span style=\"font-weight: 400\">very high profile and very public data dump<\/span><\/a><span style=\"font-weight: 400\"> that contained an exploit for the vulnerabilities patched by MS17-010 that was easy to understand and execute. At this point, the security team can guarantee that their organization will see attacks taking advantage of this vulnerability.<\/span><\/p>\n<p><span style=\"font-weight: 400\">That puts the probability of attack at 100 percent. So unless it\u2019s going to cost more than $4 million to patch your systems, the patch should be rolled out immediately.<\/span><\/p>\n<h2><b>Mitigation<\/b><\/h2>\n<p><span style=\"font-weight: 400\">Unpatchable systems still need to be protected. With WannaCry, all affected systems are patchable now\u2014again, thanks to a generous move by Microsoft. With other malware threats, that\u2019s typically not the case.<\/span><\/p>\n<p><span style=\"font-weight: 400\">This is where mitigations come into play. These mitigations also buy time for patches to be deployed.<\/span><\/p>\n<p><span style=\"font-weight: 400\">WannaCry is a solid example of a new variant that caused significant damage before traditional anti-malware scanning could be implemented. 
This is where machine learning models and behavioural analysis running on the endpoint are critical.<\/span><\/p>\n<p><span style=\"font-weight: 400\">These techniques provide continuous and immediate protection against new threats. In the case of WannaCry, systems with this type of endpoint protection were <\/span><b>not<\/b><span style=\"font-weight: 400\"> impacted. After deeper analysis by the security community, traditional controls were able to detect and prevent the latest variant of WannaCry from taking root.<\/span><\/p>\n<p><span style=\"font-weight: 400\">When in place, strong network controls (like intrusion prevention) were able to block WannaCry from spreading indiscriminately throughout corporate networks. This is another argument for<\/span><a href=\"http:\/\/www.networkcomputing.com\/networking\/three-requirements-true-micro-segmentation\/1151379004\"> <span style=\"font-weight: 400\">microsegmentation<\/span><\/a><span style=\"font-weight: 400\"> within the network.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Finally, phishing emails continue to be the most effective method of malware distribution. 79 percent of all ransomware attacks in 2016 started via phishing. Aggressively scanning emails for threats and implementing strong web gateways are a must.<\/span><\/p>\n<h2><b>Protecting Against The Next Threat<\/b><\/h2>\n<p><span style=\"font-weight: 400\">WannaCry is a fast-moving threat that\u2019s had a significant real-world impact. In the process, it\u2019s exposed fundamental challenges of real-world cybersecurity.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Patching is a critical issue and it needs the entire IT organization working with the rest of the business to be effective. Year after year, the majority of attacks take advantage of patchable vulnerabilities. 
This means that most cyberattacks are currently <\/span><b>preventable<\/b><span style=\"font-weight: 400\">.<\/span><\/p>\n<p><span style=\"font-weight: 400\">Rapid patching combined with reasonable security controls for mitigating new and existing threats is the one-two punch your organization needs to reduce its risk of operating in the digital world.<\/span><\/p>\n<p>While the problem and solutions are technical in nature, getting the work done starts with communications. There\u2019s no better time to start than now.<\/p>\n<p>What do you think\u00a0about legacy systems and patching? How are you tackling these issues in your organizations? Let me know <a href=\"https:\/\/twitter.com\/marknca\">on Twitter, where I&#8217;m @marknca<\/a>.<\/p>\n<p><em>[<strong>Editors note:<\/strong>\u00a0Again, for the latest WannaCry information as it relates to Trend Micro products, <a href=\"https:\/\/success.trendmicro.com\/solution\/1117391-updates-on-the-latest-wcry-wannacry-ransomware-attack-and-trend-micro-protection\">please read this support article<\/a>.]<\/em><\/p>\n<p><a href=\"http:\/\/blog.trendmicro.com\/wannacry-reality-of-patching\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Mon, 15 May 2017 00:46:55 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-300x169.jpg 300w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-768x432.jpg 768w, 
http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-1024x576.jpg 1024w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-640x360.jpg 640w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-900x506.jpg 900w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-440x248.jpg 440w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed-380x214.jpg 380w, http:\/\/blog.trendmicro.com\/wp-content\/uploads\/2017\/05\/iStock-520774522-squashed.jpg 1280w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>[Editors note: For the latest WannaCry information as it relates to Trend Micro products, please read this support article.]\u00a0 The WannaCry ransomware variant of 12-May-2017 has been engineered to take advantage of the most common security challenges facing large organizations today. Starting with a basic phish, this variant uses a recent vulnerability (CVE-2017-0144\/MS17-010) to 
spread&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[10422,4503,10439,3765],"class_list":["post-7640","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-current-news","tag-cybercrime","tag-encryption","tag-ransomware"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7640","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7640"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7640\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7640"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}