Despite warnings and international cyber-incidents, too many organizations still aren’t bothering to apply security patches, a report has warned.
Some organizations are still failing to take basic cybersecurity precautions by not applying critical patches and leaving themselves open to cyberattacks — even when updates have been available for months.
This poor approach to security and patch management is detailed in Fortinet’s Threat Landscape Report for Q2 2017. It highlights network and device hygiene as one of the most neglected areas of cybersecurity today — a failing that, if rectified, could go a long way to preventing future attacks.
The researchers behind the report use the global spread of WannaCry ransomware, and the subsequent Petya outbreak a month later, to demonstrate the extent to which poor patching processes are commonplace.
WannaCry infected over 300,000 computers around the globe in May, using a leaked NSA exploit for a vulnerability in Windows’ Server Message Block (SMB) v1 networking protocol, which allowed the malware to spread laterally across networks.
Microsoft released a patch to protect systems against the exploit two months prior to the WannaCry attack, then later released an emergency patch to protect out-of-support systems against the ransomware when the outbreak occurred.
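The two conditions the article describes, SMBv1 still switched on and the corresponding Microsoft patch still missing, are both checkable from the host itself. The following PowerShell function is an added example, not code from the article or from Fortinet's report; it assumes Windows 8 / Server 2012 or later (where `Get-SmbServerConfiguration` is available) and takes the KB number of the relevant SMB patch as a parameter because the article does not name it (`KB0000000` below is a placeholder, not a real update ID).

```powershell
# Added example (not from the article or Fortinet's report): audit a Windows host
# for SMBv1 being enabled and a required SMB patch being absent, and optionally
# disable the SMBv1 server as the interim mitigation.
# $RequiredKB is a placeholder; substitute the KB number of the SMB patch that
# applies to the host's Windows version.
function Test-Smb1Exposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$RequiredKB,            # e.g. 'KB0000000' (placeholder, not a real ID)
        [switch]$Remediate              # disable the SMBv1 server when set
    )

    # 1. Is the SMBv1 server protocol switched on? (Windows 8 / Server 2012 and later)
    $smbConfig   = Get-SmbServerConfiguration
    $smb1Enabled = [bool]$smbConfig.EnableSMB1Protocol

    # 2. Is the SMB1 optional component installed at all? (client-side OS builds)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1FeatureState = if ($feature) { $feature.State.ToString() } else { 'Unknown' }

    # 3. Is the required hotfix present? Get-HotFix lists installed Windows updates
    #    registered with Win32_QuickFixEngineering.
    $patchInstalled = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                             Where-Object { $_.HotFixID -eq $RequiredKB })

    # Exposed means: the vulnerable protocol is reachable and the fix is not in place.
    $exposed = $smb1Enabled -and -not $patchInstalled

    if ($Remediate -and $smb1Enabled) {
        # Turn off the SMBv1 server; this removes the lateral-movement path
        # even before the patch itself has been installed.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
        $exposed     = $smb1Enabled -and -not $patchInstalled
    }

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        Smb1Enabled    = $smb1Enabled
        Smb1Feature    = $smb1FeatureState
        RequiredKB     = $RequiredKB
        PatchInstalled = $patchInstalled
        Exposed        = $exposed
    }
}

# Usage (run in an elevated PowerShell session):
# Test-Smb1Exposure -RequiredKB 'KB0000000'             # report only
# Test-Smb1Exposure -RequiredKB 'KB0000000' -Remediate  # also disable SMBv1
```

Run it without `-Remediate` first and collect the objects from a fleet (for example via `Invoke-Command`) to see how many hosts report `Exposed = True`. One caveat: `Get-HotFix` only sees updates that register as quick-fix entries, so a fix delivered inside a cumulative update may not appear under its own KB number; on such hosts treat `PatchInstalled = False` as "verify with the update history", not as proof the patch is missing.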
But, despite the impact of WannaCry, a month later it seems that many organizations hadn’t bothered to apply the correct patches, as Petya used the same exploit to spread itself across infected networks. It claimed a number of high-profile victims — many of which are still dealing with the post-infection fallout.
“Something we don’t talk about often enough is the opportunity everyone has to limit bad consequences by employing consistent and effective cybersecurity hygiene,” said Phil Quade, chief information security officer at Fortinet.
“Cybercriminals aren’t breaking into systems using new zero day attacks, they are primarily exploiting already discovered vulnerabilities.”
Researchers say lessons must be learned: when security patches are released, they need to be applied.
“Network and device hygiene are perhaps the most neglected elements of security today. WannaCry targeted vulnerabilities that Microsoft patched two months previous. In spite of its worldwide impact, NotPetya successfully exploited the exact same vulnerability a month later,” said the report.
Unfortunately, researchers are unconvinced that lessons will be heeded and, despite the impact of WannaCry and Petya, predict there will still be organizations falling victim to future ransomware worm attacks because they fail to apply patches.
“We’d like to be able to say Q2 closed the curtain on ransomware worms, but we’ve seen this scene reenacted too many times for that. The lesson? Act fast after critical patch releases and heed related intel about exploit life cycles,” said the report.
Months on from the WannaCry ransomware outbreak, organizations are still finding themselves infected by the malware. Even in August, LG Electronics was forced to take systems offline for two days after self-service kiosks were found to be infected with WannaCry.
While the South Korean company now says it has applied the relevant security patches, the wording of the statement suggests critical updates hadn’t been completed previously.
Other large organizations, including Honda, also fell victim to WannaCry over a month on from the initial outbreak.