The vultures come home to roost

Well, it’s a very exciting day in IT. Or terrifying, depending on your perspective.

Just last week I hosted an educational event that posed the idea you could be fired for not accelerating your migration to Windows 10. That’s just not for no reason – you can’t survive in the new world of patch compliance if you aren’t using the current branch of everything (Windows, tools, applications).

For a little background, today we witnessed a large-scale global ransomware attack, known as Wcry (or WannaCry), targeting an (*ahem*) allegedly nation-state sourced exploit known as Eternalblue. Here are the broad strokes:

  • It is a self-propagating ransomware payload based on the Eternalblue exploit
  • The vulnerability is mitigated by MS17-010 released in March 2017
  • All supported (mainstream or extended) versions of Windows and Windows Server are affected

How this is going to get sysadmins fired is CIO’s finding out the vulnerability was patched in March. You know, like 2 months ago.

What did your April patch compliance report show for MS17-010?

Right now there are only two types of people in this world, let’s see what you should expect based on which one you are.

I’ve been infected. What can I do?

Near-term action:

  • Forget change control exists, and deploy MS17-010 immediately. Everywhere. To everything running Windows. Even remote computers. Even the CEO’s computer.
  • Disable SMBv1 at endpoints
  • Force update of endpoint protection definitions / engine everywhere
  • Take appropriate steps at your network perimeter
  • Restore or re-provision infected endpoints
  • Throw your Windows XP computers into the Sun, or a nearby gorge
  • Double-check your compliance reports and prepare for Monday’s super awesome status meeting

Long-term strategy:

  • Modernize your systems management toolsets
  • Migrate to Windows 10
  • Eat, sleep and implement Critical Security Controls
  • Shorten your patch compliance window to less than 30 days
  • Implement complementary vulnerability management solutions to verify your patch solution’s reported compliance

I don’t know I’ve been infected.

Near-term action:

  • Yes you have. Avoid the CSO, see advice above.

PS – There’s likely nobody that’s not going to be infected. In only a few hours, nearly 100 countries have been affected.

PSS – If you have 100% patch compliance and you can prove it I will buy you a Coke Pepsi.

2 thoughts on “The vultures come home to roost

  1. Terrific post bro, a layered endpoint security strategy is also worthy of mention. Since we know a fair amount about the threat, any decent reputation-based AV engine and IPS technology is going to be another line of defense.

    I might go find an XP box just so I can throw it into the sun.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s