It has been a while since I looked up a Microsoft security bulletin. There is no reason to keep up with security bulletins if you are not working in that particular space: the landscape changes quickly and old information is useless. However, when the Petya malware struck I wanted to have a look and see why it had hit so hard. What is going on? There seem to be more and more cyber attacks hitting the news, for example the recent WannaCry attack on the NHS in the UK, which severely disrupted its systems.
But why are these attacks happening, and why are they so effective? Well, reason number one is that, apparently, there is a worldwide shortage of IT security professionals. Damn, and here's me writing web pages for a living, when I have more security qualifications than you can shake a stick at.
On a technical level, the reasons are fairly simple. The main attacks succeed because of unpatched computers and poor password selection. Software patches (in Windows) are Windows Updates: changes to system files that arrive annoyingly regularly (the routine ones on the second Tuesday of each month, "Patch Tuesday") to fix bugs in the software and close security gaps.
So if it's that easy, why aren't machines simply updated regularly? How did so many companies get compromised?
Well, in a corporate environment it's not that easy. Firstly, if you have hundreds or even thousands of computers throughout your organisation, you don't let every single PC reach the internet individually for updates. You tend to download updates to a central server (Windows Server Update Services, WSUS, in a Windows shop) and then have that server deploy them to the fleet. This gives you a single point of contact with the outside world. It's standard security practice to limit the number of devices that are directly attached to the internet: browsing the web, for example, is usually done through a proxy server, and people accessing your corporate websites come in through a reverse proxy.
OK, so what? You just download the patches, schedule the updates and all is good, right? Steady on there, cowboy. Once again, it's not that simple. The problem with patches is that they tend to break stuff. Imagine you're the guy in the IT department who deploys an untested patch to several thousand computers and your key business software breaks. You are a real villain in the eyes of the organisation, aren't you? You're pretty much a cyber attacker as well.
What you have to do, then, is test the patches before release. And once again there is a complicating factor: no large company in the world has a fleet of identical machines. For years this has been the bane of desktop support. You generally have a software image for each of the different machine types, so a patch has to be tested against each of the different builds before it goes out.
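The "test first, then roll out" workflow described above can be scripted against WSUS. The following is an added example, not code from the original post: it assumes the UpdateServices PowerShell module that ships with the WSUS server role, and two WSUS computer groups named `Pilot` (one machine of each build image) and `Production` that you have created yourself. The group names, and the idea of running the promotion step from a scheduled task after a soak period, are assumptions for illustration.

```powershell
# Added example (not from the original post): staged WSUS approval.
# Assumes the UpdateServices module and two computer groups, 'Pilot' and
# 'Production', created by the administrator beforehand.
Import-Module UpdateServices

$wsus = Get-WsusServer   # connects to the local WSUS server

# Step 1: find security updates that are not yet approved and that at least
# one reporting client still needs (or has failed to install).
function Get-PendingSecurityUpdates {
    Get-WsusUpdate -UpdateServer $wsus -Classification Security `
                   -Approval Unapproved -Status FailedOrNeeded
}

# Step 2: approve those updates for the Pilot group only. Because Pilot holds
# one machine per build image, every image gets exercised before the fleet.
function Approve-ForPilot {
    foreach ($u in Get-PendingSecurityUpdates) {
        Approve-WsusUpdate -Update $u -Action Install -TargetGroupName 'Pilot'
        Write-Host ("Pilot  : {0}" -f $u.Update.Title)
    }
}

# Step 3 (run after the soak period, e.g. from a scheduled task two days later):
# refuse to promote anything if any Pilot machine reports an install failure,
# otherwise approve every already-approved security update for Production.
function Promote-PilotToProduction {
    $failed = Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups 'Pilot' `
                               -ComputerUpdateStatus Failed
    if ($failed) {
        Write-Warning ("Pilot install failures on: {0}; not promoting." -f
                       ($failed.FullDomainName -join ', '))
        return
    }
    Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Approved |
        ForEach-Object {
            Approve-WsusUpdate -Update $_ -Action Install -TargetGroupName 'Production'
            Write-Host ("Prod   : {0}" -f $_.Update.Title)
        }
}

# Typical use: Approve-ForPilot today; Promote-PilotToProduction after the soak.
Approve-ForPilot
```

The point of the two-stage approval is exactly the trade-off the post describes: it buys a couple of days of safety against a patch that breaks key business software, at the cost of a couple of days during which the fleet stays vulnerable. Shortening the soak period, or keeping the Pilot group representative of every build, is where the manpower goes.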
Naturally, all of this takes time and manpower, so a shortage of IT security professionals slows things down. One of the reasons given for the NHS attack was a lack of investment in IT by the NHS.
The particular vulnerability that Petya exploits, a flaw in the SMBv1 file-sharing protocol fixed by Microsoft's MS17-010 update, was disclosed by Microsoft in March of this year (2017). Given the way corporate IT works, that is plenty of time for attackers to write an exploit and deploy it before the cautious and overworked IT staff have managed to roll every patch out.
But what can individuals do to avoid such problems? Well:
- Make sure all updates are installed (and that the SMBv1 protocol Petya spreads over is switched off if you don't need it)
- Back up all important files, to somewhere that isn't permanently attached to the PC
- Use better passwords
- Make sure you have a good anti-virus installed and that its signatures are current
- Make sure you have a personal firewall running
- Make sure the personal firewall is properly configured, in particular that it blocks unsolicited inbound connections, including file sharing on TCP port 445, from untrusted networks
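Most of that checklist can be verified from an elevated PowerShell prompt. The script below is an added example, not part of the original post; it uses only built-in cmdlets (Windows 8.1/Server 2012 or later with Windows Defender and the Windows Firewall), and the 30-day "stale updates" threshold is an assumption chosen for illustration. Backups and password quality are not something a script can judge, so the two middle items are left to you.

```powershell
# Added example (not from the original post): self-check against the list above.
# Run as Administrator. The 30-day threshold is an assumption for illustration.

# 1. Updates: when did the last hotfix land? Anything older than 30 days is suspect.
function Get-UpdateStatus {
    $last = Get-HotFix | Where-Object InstalledOn |
            Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        LastHotFix  = $last.HotFixID
        InstalledOn = $last.InstalledOn
        Stale       = ($last.InstalledOn -lt (Get-Date).AddDays(-30))
    }
}

# 1b. SMBv1 is the protocol Petya's worm component spreads over; it should be off.
function Disable-Smb1IfEnabled {
    $cfg = Get-SmbServerConfiguration
    if ($cfg.EnableSMB1Protocol) {
        Write-Warning 'SMBv1 server is enabled; disabling it.'
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    (Get-SmbServerConfiguration).EnableSMB1Protocol   # should now be False
}

# 4. Anti-virus: Defender must be running with real-time protection and fresh signatures.
function Get-DefenderStatus {
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAge       = $mp.AntivirusSignatureAge     # days since last update
        Healthy            = ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 3)
    }
}

# 5/6. Firewall: every profile enabled with inbound traffic blocked by default,
# and no enabled inbound rule exposing file sharing (TCP 445) on the Public profile.
function Get-FirewallStatus {
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    $smbRules = Get-NetFirewallPortFilter -Protocol TCP |
                Where-Object { $_.LocalPort -eq 445 } |
                Get-NetFirewallRule |
                Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
                               $_.Action -eq 'Allow' -and $_.Profile -match 'Public|Any' } |
                Select-Object DisplayName, Profile
    [pscustomobject]@{
        Profiles            = $profiles
        PublicSmbAllowRules = $smbRules   # ideally empty
    }
}

Get-UpdateStatus
Disable-Smb1IfEnabled
Get-DefenderStatus
Get-FirewallStatus | Format-List
```

The SMBv1 change takes effect immediately but a reboot is worth doing afterwards; if `PublicSmbAllowRules` lists anything, disable those rules or restrict them to the Private/Domain profiles so that a laptop on hotel or cafe Wi-Fi is not offering file sharing to every other guest.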
That should do for a start. And if you want consultation, call me.