By Graeme Zwart, PXP Information Security Compliance Officer
The news is currently dominated by the WannaCry ransomware outbreak which has spread like wildfire across the globe, infecting systems in over 150 countries with devastating consequences to many organisations. The ransomware takes advantage of a vulnerability in Microsoft Windows and has rendered data on hundreds of thousands of systems inaccessible. Now it’s not just loss of data at stake, people’s lives are being endangered too as many NHS trusts and indeed hospitals and other critical organisations across the world have been crippled by the outbreak.
Microsoft released a patch in March 2017 to address this vulnerability, MS17-010, on all supported operating systems, and over the weekend took the unusual step of making the patch available for unsupported operating systems XP and Server 2003.
This incident once again highlights the criticality of a rigorous patching regimen. Leaving systems unpatched for any length of time introduces risk which often cannot be easily quantified. The only sensible approach is to treat every security patch as automatically elevated to the highest risk level, and to delay its deployment only if a proven mitigation can be implemented in the meantime. The fact that many organisations are leaving systems unpatched for two months and longer, and indeed are still running unsupported operating systems, is deeply disturbing.
Patching can be difficult, and the larger and more distributed your organisation is, the more challenging it can be, but a careful and well-planned approach can reduce the risk of deploying patches to an acceptable level. A test environment is essential: make sure you have one that accurately represents all the systems in your live environment, and deploy patches to those systems first. On the relatively rare occasions that a vendor's patch has a negative effect, such issues can be resolved before deploying to live.
Ensure that all live systems have sufficient redundancy, and have a patch deployment schedule that allows predefined portions of your environment to be updated whilst the other systems remain online. This way, if something does go wrong, you still have sufficient processing capacity to continue normal operations while you resolve the problem.
Automation, and knowing what is patched, is key to successful patch management. Using an automated system that can deploy patches from a central console, on a schedule of your choosing, and that produces reports to validate that systems are actually patched, will greatly increase the efficiency of your approach.
Finally, with particular reference to ransomware, an offline backup is the most effective safeguard against data loss: if you are unfortunate enough to be a victim of ransomware, you can still recover most of your data.
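The validation report described above can be produced with a short PowerShell script such as the following, an added example that is not part of the original post. The host names, the KB number to check for (the MS17-010 KB id differs per operating system and is taken from Microsoft's bulletin) and the 30-day age threshold are assumptions to be replaced with your own values.

```powershell
<#
  Added example (not from the original post): patch-compliance report for a
  list of Windows hosts. For each host it checks whether a required hotfix
  (KB) is installed and how long ago the most recent hotfix was applied,
  and flags hosts that fail either test. Requires admin rights and RPC/WMI
  access to the remote hosts. KB id, hosts and threshold are assumptions.
#>
param(
    [Parameter(Mandatory = $true)] [string[]] $ComputerName,
    [Parameter(Mandatory = $true)] [string]   $KbId,          # e.g. the MS17-010 KB for that OS
    [int] $MaxPatchAgeDays = 30                               # assumed acceptable patch age
)

$report = foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix reads the installed-updates inventory of the remote host.
        $hotfixes = Get-HotFix -ComputerName $computer -ErrorAction Stop
        $hasKb    = [bool]($hotfixes | Where-Object { $_.HotFixID -eq $KbId })
        $latest   = ($hotfixes | Where-Object { $_.InstalledOn } |
                     Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
        $ageDays  = if ($latest) { (New-TimeSpan -Start $latest -End (Get-Date)).Days } else { $null }
        [pscustomobject]@{
            ComputerName  = $computer
            HasRequiredKb = $hasKb
            LastPatchDate = $latest
            PatchAgeDays  = $ageDays
            Compliant     = ($hasKb -and ($null -ne $ageDays) -and ($ageDays -le $MaxPatchAgeDays))
            Error         = $null
        }
    } catch {
        # An unreachable host is reported, not skipped: "unknown" is not "patched".
        [pscustomobject]@{
            ComputerName = $computer; HasRequiredKb = $false; LastPatchDate = $null
            PatchAgeDays = $null;     Compliant = $false;     Error = $_.Exception.Message
        }
    }
}

# Show the full report and write the non-compliant hosts out for follow-up.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } |
    Export-Csv -Path .\patch-noncompliant.csv -NoTypeInformation
```

Run it on a schedule from the same central console that deploys the patches, so the report reflects the state after each deployment wave rather than what the deployment tool believes it pushed.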
If these measures sound costly, they are, but consider the cost to your business, your customers and your staff and in some cases people’s lives if all your data was permanently lost.
If you'd like to learn about card data security then take a look at our Data Security Myth Buster where we dispel the main myths around PCI DSS in a clear and simple way.
Or visit www.pxp-solutions.com/resources