Wannacry or Conficker: How to prevent worms in real life
There is plenty of published info about Wannacry; I am not replicating any here. How can your company avoid being hit? It is simple and it is complicated. First we need to understand why companies don't apply patches:
- They don't know it should be done.
- They feel they are too busy to do it.
- They feel it creates issues, with no obvious benefit.
- They don't do it often enough.
- There are no immediate drawbacks of stopping to patch, eventually it becomes normal not to do it.
- The people responsible to do it move on to new jobs, and the new ones don't get promotions or are rewarded for doing it. Why bother?
Preventing worms is a team effort between the Systems teams and Security teams. Security teams are responsible for monitoring new vulnerabilities and patches, and handing over that information to the System team.
(From Wikipedia): Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since 2003
The Systems team applied patches in periodic batches, for servers and workstations. It is the only reasonable way to do it in a large state. What lazy Security teams do is to forward everything immediately to Systems, and shift the blame to them if the patches are not applied. This is the Cry Wolf approach. We forwarded nothing. We just requested the inclusion in the next batch of security patches with one exception. Remote executable vulnerabilities affecting the most used OS in the bank.
We requested once or twice a year urgent application of patches. As we did not request it often, the Systems team listened to us when we did. When the patch that prevented Conficker came along, we asked for it to be applied immediately. And it was.
Bankia was never affected by Conficker. This did not make the news.
Patching should be done. And it should be boring.
Avoid getting your organization in the news. Find a way to collaborate with your Systems team.