Prevention is futile: A story that will make you WannaCry…

You’ve reached an archived blog post that may be out of date. Please visit the blog homepage for the most current posts.

WannaCry is a great example how neglecting security patches can have a catastrophic impact on businesses.

Last week’s big cybersecurity story, the “WannaCry” ransomware attack, makes me think of how bothered I feel when I hear the sentence “Prevention is futile”.

The belief that prevention is futile encourages organizations to neglect simple, inexpensive measures that can stop attackers before they get to systems. Instead, they continue to invest on what Verizon once called “super advanced cybertastic APT kryptonite solutions”, which many think are going to save the world. THEY WON’T. Or let me rephrase: there is no silver bullet here. Securing information and systems is a multi-layered discipline and the strength of each layer is directly influenced by the one below. It’s simple: Less prevention means more incidents. More incidents mean more risk of successful breaches. Ask any security analyst and they will tell you they already have too many incidents and cannot cope with all of them.

WannaCry is a great example how neglecting prevention can have a catastrophic impact on businesses. Reports show attacks targeting 100 countries, and confirmed disruption for the National Health Service (NHS) in the UK and the telecom giant, Telefonica in Spain and FedEx in the USA.

While many discuss whether their anti-virus could have stopped the attack, the plain facts are:

  • This attack uses a vulnerability on a component of Windows and Windows Server that was patched by Microsoft two months ago
  • The vulnerability was part of the recent NSA leak, a highly publicized scandal, and not an obscure vulnerability that no one had heard of before
  • Applying the patch would prevent any successful attack

I must say that I would be happy to see affected organizations investigating and reporting openly on the reasons why they fell victims. The entire IT community, and business leaders would highly benefit from it. I’d suggest they started with the simple question:

What were the reasons why the patch wasn’t applied in the first place?

I have my own clues about the reasons why, and I would bet with no fear that the clear majority of the conclusions would point to non-prioritized, non-consistent patching processes to be the cause of such neglection. You may be thinking: “Yeah, but no organization can apply all patches, so something’s gotta give”, and I agree. That’s why patching should be done based on prioritization and consistency. But this is a conversation no one is excited to have. After all, prevention is futile!

Next time you think that there is no reason to pay attention to prevention activities to protect your information and systems, remember that the consequences of a breach that could be avoided by such measures may be a good reason no make you WannaCry.

If you are looking for inspiration to improve your patch management processes, watch John Pescatore from the SANS Institute together with us talking about A New Perspective on Patch Management.