Got MS17-010 deployed? Good, that means you’re immune to the Petya ransomware. I still want you to do something.
Tell your patching team that you’re immune, and they saved the company between $300 and $300 * the number of Windows machines you have. That number will get management’s attention when the time comes for annual reviews, because I’m pretty sure the higher number isn’t going to be $600. When they get good reviews, you make friends. When you have friends on your patching team, your company gets better security.
Isn’t that table stakes? To deploy a patch from March by July? One would think. Back when I pushed patches for a living for the Air Force, I had to have it down within 30 days. The DoD makes patching a priority.
After I moved back to the private sector, I found private industry moves slower. It’s not uncommon for it to take 60-90 days to get it down fully. I estimate I could probably take care of 2,000 systems and still get patches down within 30 days with an acceptable success rate. The Air Force had me patching about 500 systems and wanted a 100% success rate. But some companies have one person take care of tens of thousands of systems.
Companies also go into freezes. If you’re a tax preparation business, I understand if you didn’t want to push MS17-010 in March or April, during tax season. But I’m seeing plenty of non-tax-preparers among the victims.
Microsoft did what it could
Microsoft released the patch MS17-010 a month before the NSA exploits against SMB went public. It took another 30 days after the exploits hit the streets for someone to weaponize them effectively. Now we have another, because people disable automatic updates and because companies don’t get patches down in a timely fashion.
Crooks write ransomware because it works.
The DoD still has breaches, so patching isn’t the end-all for security. But the DoD patches better than private industry does, so when people breach it, they have to use other means. It makes it harder. And all it takes today is to be better at it than most.
Bo Jackson tells a joke about going hunting and wearing his athletic shoes. His buddy asks why he has his those shoes on. In case they find a bear, he says. His buddy says there’s no way Bo Jackson can outrun a bear. And Bo asks who said anything about outrunning a bear? He just has to outrun his buddy.
You don’t have to outrun the bear. You don’t even have to outrun Bo Jackson. Some patching programs move about as fast as that traffic scene at the beginning of Office Space. If your patching program can keep pace with that guy with the walker, you might be OK.
I have a rule about patching now that I’ve seen how three dozen or so different large companies patch. If you think you’re good at it, you’re probably really bad at it. If you think you’re bad, you’re probably average. If you think you’re average, you’re probably better than average, but you might be good.
You know about social engineering, right?
Security folks talk about social engineering a lot. Most of us don’t use it in the workplace for good, though. Give positive reinforcement to your patching team, and when you need a favor, you’ll get it.
I visited a former employer last month to try to sell them security services. One of my new coworkers took me aside. “You have a lot of friends here,” he said. I shrugged and laughed and said they probably like me better now that I’m not asking them to patch stuff. But he’s right. I have friends there because when I worked there, I had their back. I gave them stuff they could put on their reviews to get better bonuses. And I even helped one guy get promoted. When things went wrong, I got on the conference call and let the people yell at me instead of them so they could concentrate on fixing the problem.
And guess what? When I needed a patch deployed, I got my patch deployed.