To protect systems from ransomware it really pays to know what’s going on within your infrastructure
When the WannaCry ransomware attack started in mid-May, in the UK much focus was on how the malware attacked and locked up computers in the NHS. Many computers within the NHS were still running XP, an operating system that hasn’t been supported by Microsoft for a good few years now.
The ransomware had targeted vulnerabilities within XP to lock up PCs and display a note demanding a ransom in Bitcoins, and the widespread nature of the problem led Microsoft to make the unusual move of offering a patch for computers running XP, the first in many years. Most media reports talked much about the NHS running out-of-date XP computers and a general lack of investment in IT by the world’s biggest healthcare system, an organisation that stopped paying Microsoft for XP patch support two years ago, due to “efficiencies” imposed by the Department of Health.
But this isn’t the whole story. And what followed is a timely reminder of why organisations need to know just what is going on within their infrastructure.
Not knowing which systems are really affected
As said, the focus was on XP, but it later transpired that almost all (98 per cent) of affected systems were running Windows 7 – an operating system whose end of expected support is not until 2020 (mainstream support for this operating system ended in 2015, but Microsoft still issued security updates).
However, enterprises around the globe were affected too. Indeed, many other organisations (such as Nissan) also suffered from the same attack, but presumably had newer systems in place than those found in the NHS.
Getting to grips with the problem is greatly helped if you have detailed reports of what systems are running where. That kind of visibility is the first step in securing your infrastructure.
Having the time to patch
The vulnerability that enabled WannaCry to wreak havoc was posted in mid-March, yet two months passed without some firms patching. A problem for many organisations (including the NHS) is that they have developed proprietary software that sits on top of XP and other outdated operating systems. Upgrading to Windows 10 would mean unpicking those apps and systems, which is time-consuming: perhaps up to 100 days can be lost testing third-party apps at scale.
With a clear Software Asset Management (SAM) strategy in place, organisations have earlier visibility of such problems and this can allow a little more time to have solutions in place to fix or mitigate such proprietary software. At worst, knowing of such software through SAM discovery can allow organisations to quarantine systems on a closed network as a safety stopgap measure until updates take place.
Unlicensed systems download no patches
Another danger for organisations is the problem of unlicensed software. Not only is this a problem when an audit crops up and a vendor imposes fines for unauthorised installations – the same vendors may also prevent such software from receiving updates to those installations.
According to the Business Software Association, 2015 rates of unlicensed software installation in the UK were at 22 per cent. Even in very regulated industries unlicensed use was surprisingly high. The survey found the worldwide rate is 25 per cent — a full quarter — for the banking, insurance, and securities industries. Nearly half of CIOs identified security threats from malware as a major threat posed by unlicensed software, according to the research.
Much of this unlicensed software never gets updated as businesses don’t want to get “caught out” by vendors, something that leaves them wide open to malware infection by hackers.
While a software asset management system won’t actively sniff out security vulnerabilities, finding unlicensed software in the enterprise is a good indication that it may also be unpatched and vulnerable. This sort of intelligence is extremely valuable to an enterprise’s IT security team who can then use that data to target the potentially most vulnerable software in the infrastructure and remediate. This can significantly reduce the window between knowing of a flaw and patching it.
Avoiding shelfware to avoid ransomware
All too often organisations do have the correct licences to upgrade systems to the latest operating system and applications but for some reason do not. Knowing, through a software asset management system, where you have out-of-date software can allow IT managers to partially block access to the network from vulnerable machines until steps are taken to update them. This approach means that companies can avoid having shelfware and by doing so can also avoid ransomware affecting those PCs.
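The triage described in the last two sections can be sketched over a SAM export. This is an added example, not code from any SAM product: the inventory records, field names, action labels and the fix date (a stand-in for "mid-March") are all constructed assumptions.

```python
from datetime import date

# Constructed sample SAM export; hosts, fields and dates are illustrative only.
INVENTORY = [
    {"host": "ward-pc-01", "os": "Windows XP", "licensed": True, "last_patched": date(2015, 4, 1)},
    {"host": "fin-ws-12", "os": "Windows 7", "licensed": True, "last_patched": date(2017, 2, 14)},
    {"host": "lab-ws-03", "os": "Windows 7", "licensed": False, "last_patched": date(2017, 4, 11)},
    {"host": "hr-lt-07", "os": "Windows 10", "licensed": True, "last_patched": date(2017, 4, 11)},
]

UNSUPPORTED_OS = {"Windows XP"}      # no routine vendor patches any more
FIX_PUBLISHED = date(2017, 3, 15)    # assumed date standing in for "mid-March"
SEVERITY = {"quarantine": 0, "restrict": 1, "verify": 2, "ok": 3}


def triage(rec, fix_date=FIX_PUBLISHED):
    """Return (action, reasons) for one inventory record."""
    unsupported = rec["os"] in UNSUPPORTED_OS
    stale = rec["last_patched"] < fix_date
    reasons = []
    if unsupported:
        reasons.append("unsupported OS")
    if stale:
        reasons.append("not patched since fix was published")
    if not rec["licensed"]:
        reasons.append("unlicensed, may be cut off from updates")
    if unsupported:
        action = "quarantine"   # closed network until replaced or upgraded
    elif stale:
        action = "restrict"     # partial network block until updated
    elif not rec["licensed"]:
        action = "verify"       # patch date looks fine, confirm updates still arrive
    else:
        action = "ok"
    return action, reasons


def plan(inventory, fix_date=FIX_PUBLISHED):
    """Rank hosts so the security team sees the most exposed first."""
    rows = [(rec["host"], *triage(rec, fix_date)) for rec in inventory]
    return sorted(rows, key=lambda r: (SEVERITY[r[1]], r[0]))


if __name__ == "__main__":
    for host, action, reasons in plan(INVENTORY):
        print(f"{host:12} {action:10} {'; '.join(reasons)}")
```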
SAM and Security working together
Deploying SAM strategically alongside a software vulnerability manager allows the IT security team to work with the asset management team and narrow the gap between disclosure and remediation. Indeed, such tools can help in discovering, tracking and fixing flawed applications before they lead to an expensive hack.