WannaCry alert a ‘blessing in disguise’ for Ontario city

There aren’t many infosec pros who would call last spring’s frantic alerts about the global spread of WannaCry ransomware a good thing, but – in hindsight — that’s how David Boyle, manager of IT infrastructure operations at the city of Guelph, Ont., describes it.

That’s because the city and its 1,300 Windows 7 and XP computers narrowly escaped being frozen by the crippling malware when – thanks to the warning – it realized none of the machines had been patched for any vulnerability for months.

David Boyle, city of Guelph

Looking back, “it was a little bit of a wakeup call,” Boyle said in an interview Tuesday after he described the crisis at the annual convention of the Ontario branch of the Municipal Information Systems Association (MISA) in Toronto.

Asked how he felt at the time about learning of what he admits was “a potential catastrophic issue,” Boyle paused for a long time and chose his words carefully.

“I felt like this was a good opportunity to complete more than just the immediate patch required. We dovetailed this potential catastrophic issue into a communication with our IT governance committee and kicked off a number of conversations about cyber security within our organization.”

“In the end it was a blessing in disguise.”

Guelph is about 100 km west of Toronto, with a population of about 120,000.

WannaCry (or WannaCrypt) is ransomware that has been weaponized for spreading with the EternalBlue worm, a tool created by the U.S. National Security Administration that was leaked by a group called The Shadow Brokers in April.

It targets all Windows versions prior to Win10 that were not patched for MS-17-010, which Microsoft released in March.
Guelph had upgraded the majority of its computers to Win7, but in the spring still had 32 PCs running Windows XP because the newer OS couldn’t handle a legacy application (and one of Boyle’s laptops was one of them).

Boyle has an infrastructure team of five, (not including service desk staff and specialists who look after corporate applications). One was tasked to make sure desktops and servers are patched.

As he told the conference, when his security specialist and a security vendor, RootCellar Technologies of nearby Kitchener, Ont., which supplies the IT department’s risk management solution. let him know about the WannaCry outbreak, that he discovered the mess.

“We ended up scanning our network and absolutely none of our machines were patched for this.” Some of the machines hadn’t been patched in at least six and perhaps as long as 12 months. “Some were missing well over a thousand patches,” he said.

In the interview he blamed a licencing problem with the patch management software, but also that the patching “was neglected” by a staffer.

“We had had the team working with RootCellar scanning the network, patching, scanning the network again and patching. The problem is we had laptop users who were on vacation. Or they shut down their PCs and then turned them on in a couple of days.” The effort took an entire weekend.

“We’re still getting the odd notification [from RootCellar] that another [unpatched] machine is booting up,” Boyle said.

The vendor’s solution identifies where the problem machine is.

Among the lessons he’d pass on to other infosec pros is “patching is the cheapest form of security we can do” for desktops and servers.

“This has caused some issues (but) if a critical security patch comes out we push it out immediately during the day or night.” As soon as a PC comes online it is patched. “I know its disruptive to business but it will be more disruptive if it is compromised. Patching has become a main focus for our team.” Corporate applications are managed by a separate team responsible to lines of business, and they have their strategy, “but we’ve communicated the danager in not reviewing your apps, firmware and one-off software.”

The incident has also put him on the road to convincing the city to disabling USB ports on all city-owned devices, Boyle added.
With Boyle on the presentation was RootCellar’s Steve McGeown, senior vice-president of product management, who warned the conference not to get complacent about ransomware.

Criminals like ransomware because they don’t have to worry about network reconnaissance or exfiltrating data. In fact, they don’t its automated so its easy, encryption is ‘a big red light’ to the attacker, no exfiltration for attacker to worry about looking for data valuable to sell. All they need is a victim who thinks their data is valuable.

“Do not for one moment think that you’re a small county in Ontario and will not be hit,” he said, because attackers use automated bots searching for vulnerable machines.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now