Patch me if you can
- Viruses or malware intrusions have ever wider-reaching consequences for companies and public organisations.
- Most of these infections can be avoided with regular updating of software and operating systems.
As the Windows operating system starts up, a flashing image of a skull appears on the screen, together with a demand for $300 in ransom. This is not a scene from the latest spy movie, but rather an event experienced by thousands who fell prey to the malware GoldenEye (also called NotPetya) in June 2017. A few weeks earlier, another ransomware known as WannaCry infected 300,000 computers in 150 countries. The victims were well-known entities, including the UK’s public-health system, Germany’s railways, Spain’s Telefónica and the US’s FedEx. A complex international investigation will be necessary to identify the culprits.
These cyber-attacks all have one thing in common: infection could have been avoided had more attention been paid to regular updating of operating systems. In other words, installing the latest security patches from OS and software providers, which contain additional lines of computer code to protect against flaws in their products. GoldenEye and WannaCry, for instance, exploit a feature in Windows called EternalBlue, a bug fixed by a Microsoft update in March 2017. “GoldenEye acts as a worm,” explains Bogdan Botezatu, an expert in security for the Romanian company Bitdefender. “It is implanted through EternalBlue, which was not patched on many computers, and reproduced using a powerful propagation medium. The administrative tool lets malware hop from one computer connected to the internet to another, without any human help needed.” The attack mechanism is thus much more complex than an ordinary e-mail attachment.
The repercussions of these malware intrusions can be serious. In the case of GoldenEye, it was impossible to take public transport in Ukraine, enter the airport or withdraw money for an entire day. Some gas and heating was also cut-off for three to four days. In the event of data theft, the consequences can be even wider-reaching for companies and public organisations.
One hundred days
If these threats are known and increasingly present, why are companies and public entities not installing patches? “Patch management is often not handled internally,” explains Maxine Holt, main analyst for the Information Security Forum, an independent organisation based in London. “Too often institutions choose to allocate financial and human resources to other areas. A hospital will usually prefer to purchase a new machine rather than patch and conduct IT security evaluations, as this satisfies a more immediate interest.” Another problem is that some structures avoid computer-system downtime to install updates, as machines are running 24/7.
It takes about 100 days for developers to deploy a patch and for a company to apply it, according to Bitdefender. “Many companies have developed tailored applications internally to enable their products and services to work with earlier generations of operating systems,” Holt adds. “Maintaining systems on an earlier version saves money, as reconstructing, adapting, and testing applications could cost a lot. Even when the threat arrives, the IT infrastructure is not yet ready for the patch.”
Mass digitalisation also makes it more difficult to communicate when updates are ready to be installed. “Although updating a computer is fairly easy – a pop-up lets you know that updates need to be installed – this task is more difficult with a connected object which is part of an Internet-of-Things infrastructure,” explains Christian W. Probst, head of the cybersecurity division of the Technical University of Denmark. “How will a system notify me that a patch needs to be installed for my refrigerator and my connected radiator? I will likely have forgotten that the interface to update is on my smartphone or laptop.”
Christian W. Probst, head of the cybersecurity division of the Technical University of Denmark
“We should do more inspections for software.”
Task force creation
According to Holt, the only solution is widespread introduction of teams dedicated to patch management. “Patch management must become better known within organisations,” she says. “Responsibility must be shared between the IT department, which will fix bugs and functional problems, and the security department, which will ensure that patches become a priority and that structural problems are resolved.”
Botezatu also believes that all organisations should have teams dedicated to IT, which validate updates to their applications. “They must conduct risk-assessment tests to see if their applications will resist malware,” he says. “It is important not to remain stuck in the past when it comes to computer tools.”
Another more radical measure to decrease malware vulnerability is to disconnect vital systems from the internet. “Even with patches, there is no such thing as zero risk. Outside of the network, infection risk will be minimal,” acknowledged Probst. “End users should take a step back and ask if it’s really useful or wise to have access to a database from their smartphones.”
Governments and aviation
To prevent a new wave of WannaCry-type threats, various authorities can now pressure private and public entities to install patches. The first of these is the software publisher, who releases the patch. “The publisher communicates about the patch and how to properly deploy it,” says a Bitdefender employee. Security-service providers must then urge the installation of these patches and perform tests of the protection’s effectiveness. “Following these attack simulations, vulnerabilities are detected and organisations are informed.”
Governments can also sound the alarm. In 2013, the EU created the European Cybercrime Centre (EC3) in The Hague. Together with public and private partners, it has also created the “No More Ransomware” platform, a website that offers prevention advice, decryption tools and a form for reporting violations.
“The EC3 plays an important role in organizing the exchange of knowledge, insights, and information among member states and Europol,” says Probst. This European initiative constitutes an interface among different players and includes all aspects of online cybercrime: online fraud, sexual exploitation of children and cybercrime. “It has had significant impact on operations in these areas, so it is clearly a success.”
Even so, additional European and international regulations will be necessary to force software developers and organisations which retain data to maintain up-to-date and secure systems. “Protection is essential in many fields,” says Probst. “Take aviation: manufacturers must be certified to build planes. Aircraft must be verified before sale to an airline company. Following this, they are inspected frequently and there is a safety inspection before every flight. It is thanks to these precautions that relatively few aeroplane accidents occur. We should implement a similar approach for software.”
Encyclopaedia of cybercrimes
Short for malicious software, it is any source code used to attack a computer. Malware includes computer viruses, worms, Trojan horses, ransomware, spyware and other intrusive software.
A form of malware that threatens to block access to, or publish, data unless a ransom is paid. Some sophisticated ransomware encrypts the victim’s files, making them inaccessible.
A form of malware which covertly monitors its victims. Some forms of spyware can record keystrokes, thereby obtaining victims’ passwords.
Self-sustaining programs which replicate throughout a network. By taking advantage of vulnerabilities, worms are used to access systems. They reproduce themselves, and can be designed to collect private data. This is in contrast to viruses, which require the spreading of an infected host file.
Programs that attach themselves to other programs or host files in order to spread. By hiding in computer systems memories, viruses can attach themselves to whichever file is necessary to execute their code.
Malicious software used to hack into a computer by misleading users of its true intent. A Trojan normally operates in the background, unbeknownst to the victim, where it carries out its intrusive tasks.
Attempting to crack a password by trying all character combinations until the correct one is Found.
Denial-of-service (DOS) attack
Sending large volumes of data to a network, resulting in system overload and interruption of service.