This week’s WannaCry ransomware attacks have, again, made it painfully obvious how important software updates are to organizations. There’s an obvious answer: “STAY UPDATED”. It’s never that simple though. WSUS can help; automating WSUS can help even more. I’m going to get into what WSUS is and how automating it can help, but let’s first take a look at what’s been happening around the world and why…
Source: Intel Malware Int
The attack began last week and has been spreading like a worm, installing itself on a Windows machine after a user has been tricked into clicking an email attachment or visiting a link. From there, it takes control of the computer, encrypts files, locks out the user, requests a ransom of around $500 in bitcoin and then spreads itself to other computers on the network. All in all, it has tried to hold for ransom almost 300,000 computers in more than 150 countries. Those affected include some big names like Britain’s National Health Service, Nissan Motors, FedEx, China National Petroleum, Renault SA, Deutsche Bahn and Hitachi.
The WannaCry screen
All of this could have been prevented with a simple system update. Yes, that little notification popping up in the bottom-right corner of your screen, maybe right now. Clicking that and waiting a few minutes could have saved most of the computers. Most, but not all. The vulnerability used was found in Windows and was patched back in March, but only for currently supported OSes. This left older versions like XP and Server 2003 still vulnerable, but in a surprise security update on Friday, Microsoft issued updates for many of the older iterations.
So, as an organization, what can be done in the future to prevent these types of attacks?
This will happen again, it is inevitable. But there are things we can do. First, education is extremely important. Yes, there were still a lot of XP and other unsupported systems left open for preying upon, but educating employees on recognizing social engineering attacks can protect companies running even the most vulnerable systems. Teaching concepts like vishing, pretexting, baiting, whale hunting, phishing, etc. will help them make smart decisions when it comes to email attachments, unusual requests or uncertain links.
This will happen again, it is inevitable. But there are things we can do. - Parag Gadgil
The next obvious one is the one I mentioned at the beginning of this article. Simply stated: “stay updated”. To the public, this sounds very simple. But anyone in the IT world knows things are never that easy. Sometimes certain updates are incompatible with applications running on the machines, sometimes machines are in the middle of processing important jobs, or maybe the machine is only up for certain use cases and getting it online to then get updated requires a bit of free time – free time many of us don’t have. Whatever the reason, Microsoft has provided a very useful tool for many years: WSUS.
Source: Microsoft TechNet
WSUS, which started life as “Software Update Services”, today stands for “Windows Server Update Services” and has evolved into a very powerful tool in the admin arsenal over the past few years. WSUS gives admin teams the option to push patches or updates to all Windows machines as appropriate in an organization. WSUS allows admins to schedule updates at certain dates/times, like during downtimes or after hours. It also lets them select which updates they want to push, excluding certain updates as needed if there are known compatibility issues. Overall, WSUS gives admins the ability to see all updates available on any given machine on the network, and pick and choose which machines get which updates and when. To top it off, it will follow each machine through the update process, logging any issues that may arise.
It’s a lot of power. And this is the primary tool Windows administrators will be using to keep machines up to date and protected from these types of attacks. But it can be even MORE powerful when you consider including WSUS in your automation workflows. A good automation product can integrate with WSUS to do things like tracking updates, picking up logs, recognizing error codes, and kicking off various processes depending on the multiple outcomes. Let me give you some examples.

With WSUS automated, you can schedule your updates and move on to your next task. You won’t have to watch WSUS for errors or confirmations, because your automation tool should be able to notify you if things go wrong, or even when they go right.

What about updating a machine, or virtual machine, that isn’t constantly up? If WSUS is part of the automation fabric in a company, you could easily set up a quick workflow to check the status of the machine and even bring it up if your system realizes it’s down. Then, you can start the WSUS process for updating. After it’s done, your automation solution can take the machine back down without you having to do more than a click.

Finally, let’s talk about processing machines. Connect WSUS to your automation tool and check each server for critical processes before allowing an update to occur. Simple time loops could be put in to “try again in 30 minutes” if your automation solution realizes processing is occurring. Put a counter on it with a notification, just in case it never wants to stop processing, and this is an easy way to prevent any accidental business interruption. It also will eliminate the need for manual monitoring of machine processes before doing every update.
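As an added illustration of the last workflow (this is example code, not from the original post or any particular automation product), the script below gates a WSUS-driven update on the absence of critical processes, retries every 30 minutes with a counter and a notification when the counter runs out, and then installs whatever the WSUS server has approved through the Windows Update Agent COM API. It assumes the client already points at a WSUS server via Group Policy; the process names, mail address and SMTP server are placeholders.

```powershell
# Added example: pre-update busy check with retry counter, then a WSUS-sourced install.
# Placeholders: $CriticalProcesses, $NotifyEmail, $SmtpServer.
param(
    [string[]]$CriticalProcesses = @('sqlservr', 'batchjob'),  # placeholder process names
    [int]$RetryMinutes = 30,
    [int]$MaxRetries   = 6,
    [string]$NotifyEmail = 'ops@example.com',   # placeholder
    [string]$SmtpServer  = 'smtp.example.com'   # placeholder
)

function Test-BusyServer {
    # $true if any critical process is still running on this machine.
    foreach ($name in $CriticalProcesses) {
        if (Get-Process -Name $name -ErrorAction SilentlyContinue) { return $true }
    }
    return $false
}

$attempt = 0
while (Test-BusyServer) {
    $attempt++
    if ($attempt -gt $MaxRetries) {
        # Counter exhausted: notify instead of interrupting the running job.
        Send-MailMessage -To $NotifyEmail -From "wsus@$env:COMPUTERNAME" -SmtpServer $SmtpServer `
            -Subject "Update deferred on $env:COMPUTERNAME" `
            -Body "Critical processes still running after $MaxRetries checks; update not applied."
        exit 1
    }
    Write-Host "Busy (attempt $attempt of $MaxRetries); retrying in $RetryMinutes minutes."
    Start-Sleep -Seconds ($RetryMinutes * 60)
}

# Windows Update Agent COM API. ServerSelection 1 = ssManagedServer, i.e. the WSUS
# server from policy, so only updates an admin has approved in WSUS are offered.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1
$result = $searcher.Search("IsInstalled=0 and Type='Software'")
if ($result.Updates.Count -eq 0) { Write-Host 'No approved updates pending.'; exit 0 }

$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $result.Updates) { [void]$toInstall.Add($u) }

$downloader = $session.CreateUpdateDownloader(); $downloader.Updates = $toInstall
[void]$downloader.Download()
$installer = $session.CreateUpdateInstaller(); $installer.Updates = $toInstall
$install   = $installer.Install()

# ResultCode 2 = Succeeded, 3 = Succeeded with errors; RebootRequired tells the
# scheduler whether the machine needs a restart before it goes back into service.
Write-Host ("Install ResultCode={0} RebootRequired={1}" -f $install.ResultCode, $install.RebootRequired)
```

Run it under an account with local administrator rights; the exit code (1 when deferred, 0 otherwise) is what an automation tool would branch on to reschedule or to proceed with the reboot step.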
These types of attacks are scary, no doubt. However, it’s not the money the hackers ask for that scares large organizations, it’s the loss of business continuity and data that is invaluable. Luckily, there are things we can do. Learning social engineering techniques and staying updated is a one-two punch that will reduce risks in any organization. Tools like WSUS and workflow automation solutions make things a lot easier on us administrators, and a lot harder on the hackers.