Recently, a new version of NRSMiner was found actively spreading malware in Asia by either updating existing NRSMiner infections or spreading to new systems using the EternalBlue exploit. EternalBlue is the exploit that was stolen by the Shadow Brokers, leaked to the public, and responsible for the WannaCry and NotPetya outbreaks that crippled businesses in 2017. Today, nearly two years later, it’s still being used to spread malware to systems that have failed to issue patches.
Total losses resulting from WannaCry alone are estimated as high as $4 billion, and ransomware remains a prevalent threat. Patching challenges have often been at fault as more than 57% of successful breaches can be linked, at some level, to unpatched systems. Unfortunately, some existing risk and compliance solutions that organizations use to address endpoint management rely on slow and incomplete legacy architectures. This often makes it difficult and time intensive to see and locate unpatched or noncompliant endpoints. And with successful patch compliance sometimes taking some organizations as long as 90 days to achieve even 80% completeness, it’s clear patching is a source of many disconnects. IT teams need to be able to act with speed and confidence. Implementing a low touch, safe, and effective patching strategy will help you reduce time installing security patches.
Although patching combines a high risk of failure with a low chance of getting accolades for doing it right, it should not be regarded as an IT chore. Rather, it should be regarded as a means to remain resilient against disruptions. Businesses can no longer afford to overlook the scale of the threats they face. It is essential to align security, risk, and operations teams to improve visibility and operate with speed. Unifying teams and processes can also help businesses be agile and effective in the face of constant growth and change.
That’s why a resilient organization can depend on its people, processes and technology to quickly adapt to cyberattacks, outages and other forms of disruption. Unfortunately, our research shows that over 80% of CIOs and CISOs have admitted to holding off on crucial updates due to concerns about the impact it might have on business operations. Given that global cyber-attacks such as WannaCry were catalyzed by poor security hygiene, organizations need to ensure that they can confidently maintain accurate real-time endpoint visibility to protect critical assets, monitor impact, and recover from the unexpected.
To protect against future threats, here are five steps organizations can take now, to avoid being caught in the next attack:
- Assess your organizational obstacles. Are your security and IT operations teams working in tandem from a single, actionable data set? If not, where are the areas of friction and how can these be addressed?
- Know your environment. If you are asked how many total endpoints -- patched or otherwise -- are on your network, can you answer accurately? Will your answer be based on the current state of your dynamic environment, or on information you gathered a week ago?
- Eliminate fragmentation. The fragmentation of point solutions within IT security and operations teams has fundamentally broken many organizations, created by the implementation of a wide range of tools that are impossible to integrate. Make your organization more secure by unifying endpoint security functions to reduce the likelihood of a breach and enable rapid response to halt attacks quickly.
- Declutter your infrastructure: One of the most cited issues throughout the WannaCry incident was the challenge of updating operating systems in an environment laden with legacy apps. If a business is running a critical application which requires keeping an outdated operating system on life support, it’s time to rethink.
- Educate your employees: By various estimates, up to 83% of ransomware attacks originate when an employee clicks on a malicious link, opens an infected attachment, or visits a compromised website. Investing in ongoing training for employees to protect against phishing attacks should be your first line of defense.
A major security incident at the scale of WannaCry or NotPetya is one of the few events that can irrevocably destabilize a business. As organizations look to build a strong security culture in support of a resilient business, it is crucial that IT operations and security rally around a common set of actionable data for true visibility and control over all of their computing devices. This will enable them to prevent, adapt and rapidly respond in real-time to any technical disruption or cyber threat.
By Chris Hallenbeck, CISO of Americas at Tanium