Maksim Kabakou - Fotolia

Security Think Tank: Nine key elements to an effective patching regime

How should organisations address the need to keep software up to date with security patches without it costing too much or being too labour intensive?

WannaCry, or WannaCrypt, was a wakeup call for everyone. While it was clearly a dreadful thing to happen, many cyber experts had been predicting a wide-scale ransomware attack for some time and all research pointed to the NHS being impacted severely. Not targeted, necessarily, but impacted.

When we examine how the infection moved and what it infected, we can see clearly that there are some lessons to be learned, not only about standard IT-serviced systems, but for anything web-enabled unpatched, unpatchable and therefore potentially vulnerable.

X-ray systems and laboratory equipment were infected by the ransomware in the recent outbreak. This equipment was running on outdated operating systems and was unpatchable, but surely this was known to security teams and management – or had they simply accepted the risk as the equipment was still working and they didn’t feel it would be targeted?

As we all know, sometimes the target is almost incidental when there is an outbreak of a worm-like infection – look at Stuxnet and the way that popped up around the world. The impacted systems had not been targeted, they were incidental victims. Of course, from the perspective of the criminals who perpetrated this attack, the more victims the merrier, as the likelihood of a major payday increases. But making assumptions about what might be targeted or leveraged clearly doesn’t work.

Unfortunately, the culture that many organisations currently have is far from the resilient and holistic, risk-based security culture that we actually need to be immersed in. Physical systems and corporate networks alike need protection and this requires a different approach and strategy, driven by the top of an organisation, in order to be fully realised.

Of course, cost puts many organisations off taking a genuine look at where they stand with holistic security. They may not know what the full range of their assets might be – physical, technical or information assets. Patching and software updates may be frequent, possibly expensive and maybe inconvenient. But if we look at what happens when we don’t get on top of this vital area, surely the cost and inconvenience is little by comparison? But how can we manage the process with minimum spend and fuss?

  • Run a realistic asset registry – technical and information assets, complete risk register including non-standard systems such as building management systems or imaging systems, for instance.
  • Triage system for systems and asset sensitivity, criticality, vulnerability and criminal appeal. Remember that sometimes the individual data may not be the target but aggregated with other data, you may find it becomes exponentially more valuable and a new risk to mitigate.
  • Triage for logical application of patches that may require a set of circumstances that may be unlikely to appear, so there is a need to understand the likelihood of vulnerability.
  • Segregate drives or networks to isolate or obscure critical systems and their sensitive data away from less sensitive data. Legacy systems can be air-gapped or segregated onto their own VLAN.
  • Education and awareness. The best way to protect unpatched systems is to educate staff not to do silly things on them, such as downloading freeware, opening phishing emails and other door openers for criminals and other undesirables.
  • Build the cost of management and system maintenance, including patching, into the total cost of ownership models. As part of the outline business case: can the system be managed securely through its lifecycle?
  • Consider using early warning and indicators such as intrusion detection and incursion detection to discover if a system has come under attack.
  • Use good-quality anti-malware that is updated regularly.
  • You need to be able to identify, contain and manage an attack or incursion. Incident management and forensic readiness that has to be regularly tested and rehearsed is a must and this is part of business continuity and contingency planning. So make sure you have a tested plan, a team in place that knows what steps to take and when and that you have drilled possible scenarios in order to be best prepared.

If we take anything away from the whole experience of WannaCry, it must be the need for frank dialogue with colleagues across organisational silos to ensure that all networked systems, regardless of function, are included in our change management regimes and are fully protected. The risk of not doing so should be accepted knowingly – not by avoidance or by reverse engineering the risk acceptance into our appetite because of restricted resources.

Read more on Hackers and cybercrime prevention