The WannaCry ransomware worming its way through thousands of corporate Windows computers is a sober reminder of the importance of safeguarding software, particularly when patches become available for critical vulnerabilities. And while it's easy to shame affected companies for failing to patch their software, cybersecurity experts say the calculus is much more difficult. Regardless, the experts agree that Wannacry was serious enough that it warranted immediate patching.
Quick recap: Last Friday, hackers unleashed malware that began spreading among computers, shutting them down by encrypting data and then demanding a ransom of $300 to unlock them. This ransomware, built with the EternalBlue Server Message Block worm hackers stolen from the National Security Agency,impacts computers running Windows 7 and Windows XP.
Microsoft issued a security update to stop WannaCry from impacting Windows 7 on March 14. It released a similar patch for Windows XP, which the company ceased supporting in 2014, over the weekend. But WannaCry's spread has been swift, with more than 200,000 computers at FedEx, Renault, the National Health Service (NSA) and other organizations spanning 150 countries falling prey to the ransomware. And WannaCry could signal the beginning of a broader attack as a variant
of the ransomware began impacting computers on Monday.
To patch or not to patch
The news has thrown IT departments into chaos. As CIOs and CISOs scramble to mitigate damage, it's worth exploring the process enterprises use in deciding whether to patch or not.
Mike Viscuso, CTO of Carbon Black.
Mike Viscuso, CTO of cybersecurity firm Carbon Black and a former NSA analyst, says that IT departments teams conduct monthly or quarterly courses of patching and upgrades for dozens or even hundreds of applications they've developed in-house. Prior to rolling out patches, IT departments conduct regression testing to ensure their custom software will still work with the new code.
Troy Hunt, a Microsoft regional director who conducted multiple OS and browser upgrades while working at Pfizer, says one of the most painful and costly parts of patching was ensuring compatibility with existing software.
"The last one I recall was simply an Internet Explorer upgrade and the cost of rectifying nonfunctional web apps within the organization was a seven-figure amount," Hunt wrote on his blog. "Organizations need to be proactive in monitoring for, testing and rolling out these patches. It's not fun, it costs money and it can still break other dependencies, but the alternative is quite possibly ending up like the NHS or even worse."
Sign up for CIO Asia eNewsletters.