One of the simplest ways to prevent a cybersecurity incident is to make sure software patches are actually applied. Despite this straightforward technical advice, many organizations still fail to apply patches routinely. The New York Times recently reported on one consequence of that failure: the City of Baltimore's three-week-long ransomware attack.
According to the Times, a key component of the attack was EternalBlue, an exploit originally developed by the NSA. EternalBlue targets a now-known vulnerability in Microsoft Windows's implementation of the SMBv1 file-sharing protocol (CVE-2017-0144). After learning that the tool had been stolen, the NSA warned Microsoft, and Microsoft released a fix in March 2017 as security bulletin MS17-010, about a month before the group that stole it, calling itself the Shadow Brokers, published EternalBlue and other NSA exploits in April 2017.
Attackers have been able to count on organizations around the world failing to apply that patch. Several of the most destructive malware outbreaks since, including WannaCry and NotPetya, spread using EternalBlue even though the patch had been available for months. Because the exploit lets malware propagate from one machine to the next without any user action, a single unpatched host can expose an entire internal network. These attacks compromised public and private organizations across the globe, including critical organizations like hospitals.
This blog has previously discussed the importance of patching. For example, hospitals in the UK were particularly vulnerable to ransomware because they were still running Windows XP, for which Microsoft had ended regular security patching in 2014. Before that, this blog discussed how ATMs were vulnerable to "jackpotting" attacks due to outdated software.
According to Verizon's annual Data Breach Investigations Report, 99% of the vulnerabilities attackers exploit already have a patch available. The massive Equifax breach, which exposed the personal information of more than 140 million people, could have been prevented by applying a patch for the Apache Struts web framework that had been available for two months.
Fortunately for chief information security officers ("CISOs"), a patching protocol is comparatively easy to implement. Unlike employee training programs or revisions to policies and procedures, a patching protocol requires a relatively small number of people to carry out. It does, however, depend on an accurate asset inventory: as part of any patching program, organizations need to identify every device that may need regular updating and who is responsible for updating it. For organizations that rely heavily on employees bringing their own devices, the CISO will have more work to do identifying which of those devices can reach critical or vulnerable parts of the network, and ensuring that those devices are patched or kept off those segments.
Patching is an important part of any information security plan. This means routinely applying patches, and migrating to current versions of software that are still receiving updates. Many organizations that still run outdated software, like Windows XP, presumably do so because of the cost of purchasing and implementing new software. Organizations concerned about cost, however, should think of Allentown, Pennsylvania. According to the Times report, Allentown spent over $1 million dealing with the consequences of a cyberattack.
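The two preceding paragraphs describe the program in the abstract: inventory every device, flag the ones that can reach sensitive parts of the network, apply patches promptly, and retire software the vendor no longer updates. The script below is an added example of the check behind that program, written for this post rather than taken from the original article. It runs over a small inventory constructed for illustration; the host names, the 30-day staleness window, and the list of MS17-010 KB packages are assumptions (the KB list in particular is partial and should be confirmed against Microsoft's bulletin before being relied on).

```python
"""Patch-compliance check over a constructed asset inventory.

Added example for this post, not code from the original article. The host
names, the inventory values, the 30-day staleness window and the KB list are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Microsoft's published end-of-extended-support dates for the systems used below.
END_OF_LIFE = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# KB packages that deliver the MS17-010 fix for the SMBv1 flaw EternalBlue
# exploits. The package differs per Windows build and this set is partial
# (assumption): confirm it against the MS17-010 bulletin before relying on it.
MS17_010_KBS = {"KB4012212", "KB4012215", "KB4012213", "KB4012216",
                "KB4012598", "KB4013429"}


@dataclass
class Host:
    name: str
    os: str
    managed: bool               # enrolled in the patch tool (WSUS, SCCM, MDM ...)
    byod: bool                  # employee-owned device
    reaches_critical: bool      # can reach the critical network segment
    last_patched: Optional[date]
    installed_kbs: Set[str] = field(default_factory=set)


def findings_for(host: Host, as_of: date, max_age_days: int = 30) -> List[str]:
    """Return the reasons this host is out of compliance (empty if compliant)."""
    out = []
    eol = END_OF_LIFE.get(host.os)
    if eol is not None and eol <= as_of:
        out.append("end_of_life")         # vendor no longer ships patches at all
    if not host.managed:
        # No patch data exists for an unmanaged device, so nothing below can be
        # checked; a BYOD device like this on the critical segment is the case
        # the post warns about.
        out.append("unmanaged")
        return out
    if host.last_patched is None or (as_of - host.last_patched).days > max_age_days:
        out.append("stale_patches")
    if host.os.startswith("Windows") and not (host.installed_kbs & MS17_010_KBS):
        out.append("missing_ms17_010")    # still exposed to EternalBlue
    return out


def prioritise(hosts: List[Host], as_of: date,
               max_age_days: int = 30) -> List[Tuple[str, List[str]]]:
    """Non-compliant hosts, worst first: critical-segment access, then finding count."""
    rows = [(h, findings_for(h, as_of, max_age_days)) for h in hosts]
    rows = [(h, f) for h, f in rows if f]
    rows.sort(key=lambda hf: (not hf[0].reaches_critical, -len(hf[1]), hf[0].name))
    return [(h.name, f) for h, f in rows]


# Constructed inventory; nothing here describes a real network.
AS_OF = date(2019, 6, 1)
INVENTORY = [
    Host("fileserver-01", "Windows 7", True, False, True, date(2019, 5, 20), {"KB4012215"}),
    Host("kiosk-07", "Windows XP", True, False, False, date(2014, 4, 8)),
    Host("hr-laptop-22", "Windows 7", True, False, True, date(2019, 3, 1)),
    Host("contractor-phone", "iOS 12", False, True, True, None),
    Host("guest-tablet", "Android 9", False, True, False, None),
]

if __name__ == "__main__":
    for name, reasons in prioritise(INVENTORY, AS_OF):
        print(f"{name:18} {', '.join(reasons)}")
```

Run as-is, the report lists the Windows 7 laptop on the critical segment first (it has not been patched in three months and has no MS17-010 package), then the unmanaged contractor phone that can reach the same segment, then the end-of-life XP kiosk, and finally the guest tablet; the patched file server produces no findings. The ordering is the point: an unmanaged personal device with access to critical systems outranks an end-of-life machine that is isolated, which is the judgement the CISO has to make about BYOD devices. In practice the inventory would be pulled from the patch-management tool and the network access flag from firewall or NAC data rather than typed in by hand.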