Skip to main content

Why patch management to protect against ransomware is easier said than done

(Image credit: Image Credit: Datto)

The explosion of mobility, cloud technologies, and the Internet of Things (IoT) have changed the game, expanding the attack surface to create millions of new potential points of entry for cyber criminals. With malware and ransomware attacks on the rise, organisations need to do what they can to reduce threats and increase responsiveness. However, today the average organisation supports more than three devices per employee making it increasingly difficult for IT pros to assess, manage and secure all of these devices, especially when they are moving on and off the network. Security pros grappling with large fleets of diverse mobile devices know it’s a challenge to get real-time insights into an organisation’s entire endpoint security posture.

Today’s reality is the simple maxim that you can’t secure what you can’t see. Enterprises compromise visibility and control when devices move beyond the network perimeter, and blind spots can create vulnerabilities that leave sensitive data exposed. A recent Ponemon study found that off-line or out-of-network endpoints are particularly troublesome to secure, with 63 per cent of IT security pros reporting low confidence in the ability to monitor endpoint devices off the corporate network. In the same study, 53 per cent said malware-infected endpoints have increased in the last 12 months. This emphasises the need for a better way to see and control devices, and protect company data.

The reality of visibility today

The number of connected devices continues to grow rapidly, and we expect to see tens of billions of devices with some measure of networking ability within the next few years. It takes a village to manage all these devices, but the number of trained and capable security professionals within each organisation that are available to actively monitor and manage all of these devices cannot keep up with demand. As a result, visibility into all the devices entering the workplace should be a top area of concern when it comes to data protection.

With the continual growth in malware attacks and the rapid agility of today’s cybercriminal, is it really much of a surprise that organisations still struggle in detecting, responding to and preventing data security incidents? Current security strategies are failing because users can disable security control apps, and systems fall behind on patches or updates, both ultimately leaving corporate networks more exposed to risk and unprepared to respond to threats. Additionally, many organisations react to threats by piling on more security layers, but this strategy does not guarantee better protection. According to the Ponemon report, traditional endpoint security approaches are costing enterprises more than $6 million per year in poor detection, slow response and wasted time. 

The recent WannaCry ransomware attacks, for example, highlighted the magnitude of endpoint blind spots within global enterprises and government organisations. Cyber criminals knew there were hundreds of thousands of unpatched devices. They targeted networks with WannaCry, and it spread like wildfire. If we learn anything from this incident, it is that organisations must be more proactive when it comes to deploying patches, securing data, and responding to attacks when an incident takes place.

It’s clear that endpoint vulnerabilities have changed.  Organisations need to therefore adapt their security provisions if they’re going to stand up to today’s persistent and well-equipped cybercriminals. Even with the latest patches, new vulnerabilities are always being found and exploited. IT teams can better manage that risk by removing blind spots and gaining visibility into all the devices, data, applications, and users on the company network. This increased level of visibility is no longer optional. In today's networks, greater visibility is necessary to support a better view and understanding of the organisation's full risk profile.

Combating ransomware: Tips for proactive action 

While there may not be one single solution for fending off cyberattacks, there are ways to improve an organisation’s security posture. Full visibility of vulnerable vectors and access points allows IT teams to detect and respond to an infection and prevent it from further spread. Email is a primary vector, such as malware-laden phishing emails.  It is imperative to make users aware of phishing risk and ensure that employees can identify potential red flags. For example, courier companies are not going to send an email out of the blue with an urgent tracking update, and neither PayPal nor banks are going to ask customers to ‘confirm information’, such as credit card or Social Security numbers.

Hosting regular training sessions that teach employees about the importance of security is key. The sessions should cover not only how to identify a phishing attack, but why software updates are so important to company security, why public Wi-Fi networks should be avoided, and exactly what to do if they suspect something is wrong. This is especially important in today’s modern work environment in which corporate data can be accessed from any location, at any time including by employees working from multiple endpoints.

Tightening up the following device configuration controls is also critical:

●     Ensure that the .exestrip rule is enabled in PPS; this will stop any .zip/.js or inbound raw executables that may be in emails.
●     Block password-protected compressed files, especially during an outbreak period.
●     URL-based or office-document-based encapsulation should be subject to behavioral analysis if this feature is available on a mail environment.
●     Ensure systems are patched against vulnerabilities described in malware bulletins, which can sharply limit and prevent exploitation.

Sadly, the threat of ransomware will continue to be an increasing concern. As long as people continue to struggle to keep their devices fully-patched and protected, and as long as people continue to open attachments they shouldn’t or click on links they probably shouldn’t, attackers are going to be able to infect machines. Knowing where endpoints are located, understanding the presence and health of endpoint agents, and knowing whether patch management systems are in working order is vital. Organisations must proactively manage emerging threats, implement available patches in a timely manner, and apply a collection compensating controls when greater risk is present or systems cannot be easily maintained.

Richard Henderson, global security strategist, Absolute
Image Credit: Datto

Richard Henderson is global security strategist at Absolute Software where he is responsible for spotting trends, watching industries and creating ideas. He has nearly two decades of experience and involvement in the global hacker community. He is a researcher and regular presenter at conferences, and skilled electronics hacker