
Cybersecurity attacks have been a growing concern for businesses of all sizes for years, but the stakes have escalated considerably in recent months as two widespread attacks hit hundreds of thousands of computers around the world.

WannaCry, a ransomware attack that spread to more than one million machines in 150 countries in May, temporarily halted operations at hospitals, telecommunications companies, car manufacturers and many other organizations.

Just a month later, computer systems around the world once again were compromised when an attack known as Petya infected a tax software company in Ukraine and quickly spread to tens of thousands of machines in 65 countries including Russia, Brazil, Britain, Denmark and the United States.


Both attacks made use of Windows exploits first discovered and used by the U.S. National Security Agency that were stolen by a hacking collective known as the Shadow Brokers. When those vulnerabilities were made public, bad actors quickly went to work integrating the exploits into their malicious payloads.

Microsoft published a security patch, issued in March after the NSA disclosed the vulnerability, that would have stopped the spread of WannaCry to systems that had been updated.

For individuals, there is little reason not to download the latest security update as soon as it’s made available. For businesses, it’s more complicated than just downloading a patch.

Diana Kelley, the Global Executive Security Advisor at IBM Security, told International Business Times that patching is “really important” but organizations have a number of reasons why they lag behind the average user when it comes to security patches.


One of the reasons, she said, is fear that patching a system may result in undermining the certification of a system or voiding its warranty. Kelley conceded that the concern “sounds kind of nuts,” but noted that some industries expose themselves to new risks by downloading updates that haven’t yet been accounted for.

“If you create a piece of software that runs on an operating system and the operating system gets patched, how that piece of software that is running on it may be impacted,” she said. This is a common concern for those working in the medical field and operating medical devices that may not be compatible with a given update.


Another issue, and one that undoubtedly helped in the spread of WannaCry, is many organizations still operate with legacy operating systems and applications that are no longer supported—and therefore no longer patched—by the companies that produce them.

“We saw this big time in WannaCry, there were a lot of companies out there still running their apps and services on top of Windows XP,” Kelley said. The issue was so pressing that Microsoft issued an emergency patch for machines operating on Windows XP, a rare occurrence since the company cut off support for the operating system in 2014.

Kelley said it’s easy to “sit up in an ivory tower and ask, ‘who runs XP? That’s a sunsetted operating system, get off of it,’” but noted that many companies do so out of necessity.

“When you actually are in line working with these companies and you look at their resources and priorities and what they're able to spend money on and to do, it can be very, very expensive and difficult for that organization to update the legacy application or service,” she said.

A 2017 study conducted by information technology networking firm Spiceworks found 52 percent of businesses are still running at least one instance of Windows XP. The reasons why vary, with nearly half citing lack of time to upgrade and 37 percent blaming budget constraints. Another 31 percent said compatibility issues with current software kept them from updating.

However, the most common reason that IT professionals gave for failing to run a supported operating system is that the current system continues to work as-is.

Though patching may present concerns for some companies, an attack like WannaCry is enough to scare many companies into taking extra steps to secure their systems. When Petya began its spread in June, companies were protected when the malicious software attempted to exploit the EternalBlue vulnerability that allowed WannaCry to infect more than one million machines.

However, simply patching to protect against EternalBlue wasn’t enough to defend against Petya, which evolved to make use of another propagation technique that it could fall back on if it ran into the security patch.

While the understanding of Petya is evolving and points to it not being a ransomware attack like WannaCry but rather a wiper—malware designed to delete files and destroy systems—the attack highlights not only the importance of securing one’s own systems but working with others who have also invested in proper security.

Petya spread to organizations around the world after initially infecting the software supply chain of Ukrainian tax and accounting software maker M.E.Doc. When the compromised M.E.Doc tax software issued an update, it spread the malicious code to machines of companies that do business in Ukraine.

Kelley called the incident a “really good reminder” to organizations to communicate with any third parties they may work with to understand their security systems and programs to make sure an infection on their end won’t spread.

“It may be that you have a really, really strong security program in your organization but if your suppliers and your partners don't, that could impact you negatively,” she said. “We used to call that reverse Darwinism.”

She advised companies to utilize network segmentation between one’s own system and those of suppliers and other third-party organizations. Such demarcation may allow a company to quickly contain any potential breach rather than allowing it to spread.

While millions of machines were infected in the last two months by Petya and WannaCry, billions more went totally unaffected by the attacks, which may encourage complacency. But avoiding those two widespread attacks doesn’t make any organization immune to a future attack—nor does getting hit once mean it won’t happen again.

“I don’t like to spread fear,” Kelley said, “but the reality in today’s world with the complexity of our networks and our systems is that, at some point in time, most big organizations are going to have something that they need to deal with.”

She explained, “we know the bad guys are out there,” and they will likely continue to come after organizations as long as there is an opportunity to make money or wreak havoc. “We can’t eliminate badness in the world but we certainly can be prepared to defend against it,” she said.

It’s best for businesses to test their systems as best they can before an attack does the testing for them. Kelley advises creating an incident response team that can not only set up a plan on how to respond if a system is compromised but can also test such an attack and tweak the plan on the fly if necessary.

“When you’re sitting in a room deciding how to respond, it’s really easy to write it down, but you have to test that too because what looks good on the whiteboard may not really work in practice,” she said. “If you do the testing of the response, you’ll find little tweaks to that whiteboard plan... And if you make those tweaks, when something does happen, everybody is able to hit on all cylinders right away.”

An incident response team can be scaled based on the size of the organization it’s designed for and just how much the team will have to protect. Regardless of the size of the company, the incident response team can have a big impact. According to an annual study conducted by IBM and the Ponemon Institute on the cost of cyberattacks, having an incident response team is the most effective tool to keep down the cost of a data breach.

The other precaution that can save organizations tons of money and hassle when attacks like WannaCry and Petya catch them in the crosshairs is maintaining backups. Simple as it sounds, backups act as save points that an organization can safely return to.

“Having the backups ready and available so that you can go back to a known, good snapshot of that system, of the data, that is such a powerful thing to be able to do,” Kelley said. She called backups “one of the most powerful tools that companies have in their arsenal.”

According to the Annual Ransomware Report conducted by cloud data protection and information management firm Druva, 82 percent of organizations hit by ransomware or other malicious attacks were able to successfully return to standard operations by restoring from a safe backup.

“We’re really hoping Petya and WannaCry make organizations understand how important backups can be and why in the long run, investing in really strong backup systems is probably going to save them money, time and headaches,” Kelley said.

Newsweek’s Structure Security conference on Sept. 26-27 in San Francisco will highlight the best practices that security professionals are using to protect some of the world’s largest companies and institutions. Join us for two days of talks, workshops and networking sessions with key industry players. Register now.