By now, WannaCry is a household name. The ransomware that shocked the world on May 12 has got its own memes and its own Wikipedia page. Soon enough it might even get its own reality TV show. The attack hit hospitals, car manufacturers, airlines, government agencies and more in a matter of hours. In some hospitals in the UK, it even hit their blood storage facilities and internet-connected surgical equipment (not to mention their entire databases, cutting off access to urgently needed, potentially life-altering medical records).
The scariest part about WannaCry? No, it wasn’t the depth and breadth with which it spread in a matter of mere hours. It wasn’t the ransom fee which was thankfully a relatively modest, at $300 in Bitcoins. It certainly wasn’t the payout, which all told, has thus far racked up to about $50,000, a paltry sum for the racket at hand.
No, the scariest part is that getting hit with WannaCry was entirely preventable. A derivative of EternalBlue, the exploit stolen by the Shadow Brokers from the NSA’s treasure trove of exploits, the attack was only successful at infiltrating systems running depreciated Windows OS, including Windows 8, 7 and XP.
When Microsoft released Windows 10 in 2015, they announced that support for XP had officially ended and since then, support for Windows 7 and 8 is being phased out gradually. As operating systems get phased out, they inherently become less secure because when vulnerabilities are found, their “fixes”, or patches, are generally deployed for the currently supported OS; the older operating systems are less of a priority.
Now, two years after the release of Windows 10, 7 percent of Windows users are still using XP, 6.9 percent use Windows 8 and a shocking 48 percent are still using Windows 7.
Though Windows 7 and 8 users still receive certain security patches, Microsoft has made it blazingly clear that they really, really want everyone to switch over to Windows 10 (for advertising purposes and to gain more control over user’s information). This means that more that half of all Windows users are essentially sitting ducks when it comes to many of the worst exploits out there.
WannaCry no more? It’s all up to you
The question here really is this: Why don’t people patch and upgrade their systems? When it comes to not upgrading, say from one OS to the newer one, it’s often because people are comfortable with the operating system they know and love; they don’t see any reason to change, and considering that there is generally a built-in support “grace period” as was displayed with Windows 7 and 8, many people just aren’t feeling the fire. Moreover, many users had, and continue to have, very valid privacy concerns regarding Windows 10, compelling them to hold out with their older versions for as long as they possibly can.
The issue of not upgrading is even more prevalent in enterprises; many businesses depend on custom-built applications that can only run on the specific OS they were developed for. Moving to a new operating system may mean losing critical functionalities and even when large enterprises do decide to upgrade, the rollout process can take months and months; this is a headache that many businesses would just rather not have. Perhaps one of these factors was the reason that the UK’s NHS chose to stick with Windows XP, leaving it vulnerable to WannaCry’s clutches.
But now the other question: Why don’t people apply available security patches?
The failure to patch really comes down to two simple facts: Most people don’t understand the importance of patching and they don’t know how to do it. Think about it this way; One sunny day you’re in the middle of looking for a recipe or typing up a report. Suddenly, a notice appears telling you that there is an available security patch for some vulnerability you’ve never heard of and don’t really feel like contemplating. You’re in your “zone” so you just close the dialog box.
If you understood that what was presented to you was a golden ticket out of WannaCry or some other shocking exploit, chances are you would have paid a bit more attention. And because there are just so many vulnerabilities out there, the amount of patches released daily (15 on an average day, in case you were wondering) can be overwhelming, further encouraging users to “X” them out. This “patch fatigue” leaves users wide open to the very worst of what’s out there.
Another startling fact; even when users do apply patches, it’s usually long after the patch has been deployed. According to that stats, 25 percent of users apply patches well after the first month they were released and another 25 percent will never apply them at all. And according to the 2016 Verizon Data Breach Report, most exploits in that year were based on vulnerabilities that were found and had patches deployed in 2007 – meaning that people were constantly getting hit with vulnerabilities whose “fixes” were released almost 10 years prior.
Fixing the “fixes” problem
Clearly, people have a major problem when it comes to implementing one of the most effective methods there is to beat malware, ransomware and a whole lot of other nasties. The best way to solve the problem? Education regarding the importance of patching. Here are some tips to help you and your people, regardless if that’s your employees, co-workers or your spouse and kids, become more patch-aware and therefore, better secured.
- Your system should already be set to automatically accept updates and patches. This is the default in Windows 10 – If you have done anything to change this setting, undo it now.
- In Windows 7, click “start” and in the search box type “Windows Update” – choose that option from the list of programs. Then from the left pane choose “Change Settings” – you’ll see a few options there. Go to “Recommended Updates” and select “Install Updates Automatically”.
- Start reading up about the importance of patching. There are a lot of great resources to learn about how to and when to apply patches. Share this information with anyone whom you share a network.
- Apply all patches as soon as they are released.
- Get rid of software you don’t use – these programs need patching too and when left unpatched, they expand your risk to vulnerabilities.
Sure, it may seem like ransomware is unavoidable – but the right know-how puts you in the driver’s seat, allowing you to control what your devices are exposed to.