The importance of implementing good patch management policies was clearly highlighted by the WannaCry ransomware attacks in May. The ransomware attacks were made possible due to poor patch management policies at hundreds of companies. The attackers leveraged a vulnerability in Windows Server Message Block (SMB) using exploits developed by – and stolen from – the U.S. National Security Agency.
The exploits took advantage of SMB flaws that had, by the time the exploits were made public, been fixed by Microsoft. Fortunately for the individuals behind the attacks, and unfortunately for many companies, the update had not been applied.
In contrast to the majority of ransomware attacks that required some user involvement – clicking a link or opening an infected email attachment – the SMB flaws could be exploited remotely without any user interaction.
WannaCry was not the only malware variant that took advantage of unpatched systems. The NotPetya (ExPetr) attacks the following month also used the same EternalBlue exploit. Again, these attacks required no user involvement. NotPetya was a wiper that was used for sabotage and the damage caused by those attacks was considerable. Entire systems had to be replaced, companies were left unable to operate, and the disruption continued for several weeks after the attacks for many firms. For some companies, the losses from the attacks were in the millions.
These attacks could have easily been prevented with something as simple as applying a single patch – MS17-010. The patch was available for two months prior to the WannaCry attacks. Even patch management policies that required software to be checked once a month would have prevented the attacks. In the case of NotPetya, companies affected had also not reacted to WannaCry, even though there was extensive media coverage of the ransomware attacks and the risk of not patching promptly was clearly highlighted.
The take home message is unaddressed security vulnerabilities will be exploited. Companies can purchase a swathe of expensive security solutions to secure their systems, but companies with poor patch management policies will experience data breaches. It is no longer a case of if a breach will occur, just a matter of when.
Poor Patch Management Policies Cost Insurer More than $5 Million
This month has shown another very good reason for patching promptly. A multi-state action by attorneys general in 32 states has resulted in a settlement with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company. Nationwide has agreed to a $5.5 million settlement to resolve the investigation into its 2012 data breach.
The breach involved the theft of data relating to 1.27 million policy holders and individuals who obtained insurance quotes from the company. In that case, the data theft was possible due to an unaddressed vulnerability in a third-party application. Even though the vulnerability was rated as critical, the insurer did not update the application. The vulnerability remained unaddressed for three years. The update was only applied after data were stolen.
The investigation into the breach was jointly led by Connecticut Attorney General George Jepsen. Announcing the settlement Jepsen said, “It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols.”
Unaddressed vulnerabilities will be exploited by cybercriminals. Attacks will result in data theft, hardware damage, law suits filed by breach victims, attorneys general fines and fines by other regulators. These costs can all be avoided with good patch management policies.