In May 2017, WannaCry ransomware hit more than 300,000 computers in 150 countries—including multiple systems at Britain’s NHS, Spanish phone company Telefónica, and German state railways. It spread itself from machine to machine, encrypting hard disks and then demanding ransom to return the data to the owners. Petya followed in June, exploiting the same vulnerability as WannaCry.
Cyberattacks are nothing new, but these two are turning enterprise IT upside down because they were totally preventable. If IT departments used basic security configuration management best practices, neither WannaCry nor Petya would have been able to run amok. Furthermore, with brand image at stake, oversight is being elevated in some cases from the IT department to the board level.
Both WannaCry and Petya exploited a vulnerability that allowed them to spread rapidly from one machine to many others within an organization. WannaCry also used a related Windows vulnerability to get onto corporate systems from the open Internet. Microsoft fixed both vulnerabilities on March 14 and classified the update as critical—two months before WannaCry! This was not rocket science; it was a cookie-cutter Windows update.
Organizations are spending more money than ever to defend against a complex, ever-growing universe of cyberthreats, yet are failing to apply OS security patches. Security experts often express frustration that companies aren’t doing “the easy stuff,” the things that are so obvious they’re unsexy and often ignored.
It took these two successive outbreaks to scare businesses enough to upend the way they approach security. Now that they have seen the light, they are moving mountains. Here are the five biggest changes IT departments are adopting.
1. Getting Every Endpoint under Management
Endpoints fall out of management, and some never even start there. As companies move facilities, acquire staff and hardware, change technologies, and rewrite policies, many computers are left unmanaged. Some IT pros have been known to set up rogue systems and fail to follow policy when setting up others. These are just a couple of examples of the hundreds of ways servers, desktops, laptops and other devices wind up unmanaged.
An unmanaged system is a threat. It may have the wrong antivirus software installed—or none at all. It might have an OS that hasn’t been patched in two years. Cyberattackers often just need to get onto a single unmanaged system to compromise a fleet of managed ones. Companies are now creating initiatives to find the unseen systems and bring them into the light.
2. Accelerating Updates
Policy windows are shortening. In this fast-paced modern era, new versions of Windows 10 come twice a year, and patches to them come constantly. Other operating systems are updated more frequently as well. Server-side and client-side applications are updated and patched much more frequently than that.
Many of these updates need to be applied almost immediately after they are released because they contain security fixes. This is a massive burden on IT shops, so it is no wonder that they fall behind. However, as we saw with WannaCry and Petya, letting updates linger can be costly. Enterprises are now making a Herculean effort to figure out how to keep up with all the updates.
3. Identifying the “Critical Process Chain” and Ensuring All Links Are Running
In the past, many considered it a low priority to look for applications and services that were not running. “If something’s broken, a user will complain.”
It is no longer good enough to make sure all the key software is installed and updated. Of course, security solutions such as antivirus software need to be running, but any software or process that is a part of the critical process chain must actually be running. The critical process chain includes any service, program or application that is part of the series of computer and network events required to detect, prevent or respond to a security threat.
For example, suppose a company is running Microsoft System Center Configuration Manager (ConfigMgr) to manage Windows systems. The ConfigMgr client must be running on every endpoint and connecting to the ConfigMgr server. Then, if action must be taken to respond to a threat or a breach, a response—such as an emergency antivirus fix—can be delivered and applied.
Organizations are now busy making sure that every link in that chain is running at full strength and that any failures are quickly addressed.
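One way to check the links of a critical process chain on a single Windows endpoint, as an added example that is not from the article or from Adaptiva: it verifies that each required service is running and that the ConfigMgr client can reach its management point. The service names CcmExec (the ConfigMgr client, "SMS Agent Host") and WinDefend (Microsoft Defender Antivirus), the port and the management point hostname are assumptions to adjust for your environment.

```powershell
# Added example (not the article's or Adaptiva's code): verify every link in a
# "critical process chain" on this endpoint and fail loudly if any link is broken.
# Assumptions: service names CcmExec and WinDefend; the management point name
# below is a placeholder, not a real host.
$ManagementPoint = 'MP01.CORP.EXAMPLE'   # placeholder

# Each entry is one link: a service that must be running, plus an optional
# connectivity check that the service depends on to receive emergency fixes.
$Chain = @(
    @{ Name = 'WinDefend'; Role = 'Antivirus engine' },
    @{ Name = 'CcmExec';   Role = 'ConfigMgr client'; Endpoint = $ManagementPoint; Port = 80 }
)

function Test-CriticalChain {
    param([array]$Links)
    foreach ($link in $Links) {
        $svc   = Get-Service -Name $link.Name -ErrorAction SilentlyContinue
        $state = if ($null -eq $svc) { 'Missing' } else { $svc.Status.ToString() }

        $reachable = $null
        if ($link.Endpoint -and $state -eq 'Running') {
            # Only test the network when the dependent service is up; a stopped
            # client is already a broken link regardless of connectivity.
            $reachable = Test-NetConnection -ComputerName $link.Endpoint -Port $link.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        }

        [pscustomobject]@{
            Link      = $link.Role
            Service   = $link.Name
            State     = $state
            Reachable = $reachable
            Healthy   = ($state -eq 'Running') -and ($null -eq $link.Endpoint -or $reachable)
        }
    }
}

$report = Test-CriticalChain -Links $Chain
$report | Format-Table -AutoSize

# One broken link means this endpoint cannot receive or apply an emergency fix,
# so return a non-zero exit code for the scheduler or monitoring job to catch.
if ($report | Where-Object { -not $_.Healthy }) {
    Write-Warning "Critical process chain broken on $env:COMPUTERNAME"
    exit 1
}
```

Run it as a scheduled task or compliance script on each endpoint; the non-zero exit code is what turns a silently stopped agent into a ticket.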
4. Reviewing Security Tools
Automation is becoming a bare-bones necessity. Manual security enforcement is impossible with so many endpoints, so many applications to configure, so many security policies to comply with and the need to patch everything constantly.
To this end, enterprises are taking a closer look than ever at security configuration management tools. Some of these just provide visibility into security issues and report problems so administrators can take action. More advanced solutions will find security policy violations, fix them automatically and then report back.
Many organizations have previously allowed different groups and departments to choose different technologies. The trend now is to consolidate platforms as much as possible to achieve greater efficiency, visibility, and security.
5. Making Security Teams and Sys Admins Work Hand-in-Hand
Security is the fastest-growing budget area in IT, and security pros are the new technology rock stars. Traditionally, the security team in a company decided what policies to codify and what actions to take when. The operations team was then left to actually make it happen. This process is slow and cumbersome, and leaves room for turf squabbles and finger pointing. By working more closely together, the security and operations teams can:
- Speed response to threats and outbreaks
- Reduce the time-consuming friction that can result from inter-team communications and approvals
- Get practical strategy and design information from the operations team up front to ensure they develop policies that will actually be followed
WannaCry and Petya revealed to many organizations that the security and endpoint management teams don’t have the luxury of living in silos. They’re in the same boat, and the only way to keep it from sinking is to work together. For that reason, many companies are seeing radically increased cooperation and coordination between these teams.
What’s at Stake
The future of nearly every organization depends on successful cybersecurity. That may sound dramatic, but it’s not an overstatement. Great security can literally make the difference between survival and extinction.
By applying security configuration management best practices, your organization is in a much better position to succeed. IT pros can worry less about the basics and focus more attention on the always-changing task of staying ahead of cyberattackers’ latest ploys. I’m encouraged to see so many companies making these changes because I know how hard it is to shift an enterprise. Hard, but not impossible.
As first published in IT Briefcase.
Bill Bernat, director and technology evangelist at Adaptiva, has worked in the technology industry for over 25 years. Before joining the team at Adaptiva, Bill was the web publisher at OpenText and a technical editor for Penton’s Streaming Media Magazine. He spent many years as a programmer and engineering manager for a variety of organizations including NASA, Union Bank of California, and Banc of America Securities. For more information, please visit www.adaptiva.com and follow the company on LinkedIn, Facebook, and Twitter.