There aren’t many infosec pros who would call last spring’s frantic alerts about the global spread of WannaCry ransomware a good thing, but – in hindsight — that’s how David Boyle, manager of IT infrastructure operations at the city of Guelph, Ont., describes it.
That’s because the city and its 1,300 Windows 7 and XP computers narrowly escaped being frozen by the crippling malware when – thanks to the warning – it realized none of the machines had been patched for any vulnerability for months.
Looking back, “it was a little bit of a wakeup call,” Boyle said in an interview Tuesday after he described the crisis at the annual convention of the Ontario branch of the Municipal Information Systems Association (MISA) in Toronto.
Asked how he felt at the time about learning of what he admits was “a potential catastrophic issue,” Boyle paused for a long time and chose his words carefully.
“I felt like this was a good opportunity to complete more than just the immediate patch required. We dovetailed this potential catastrophic issue into a communication with our IT governance committee and kicked off a number of conversations about cyber security within our organization.”
“In the end it was a blessing in disguise.”
Guelph is about 100 km west of Toronto, with a population of about 120,000.
WannaCry (or WannaCrypt) is ransomware that has been weaponized for spreading with the EternalBlue worm, a tool created by the U.S. National Security Administration that was leaked by a group called The Shadow Brokers in April.
It targets all Windows versions prior to Win10 that were not patched for MS-17-010, which Microsoft released in March.
Guelph had upgraded the majority of its computers to Win7, but in the spring still had 32 PCs running Windows XP because the newer OS couldn’t handle a legacy application (and one of Boyle’s laptops was one of them).
Boyle has an infrastructure team of five, (not including service desk staff and specialists who look after corporate applications). One was tasked to make sure desktops and servers are patched.
As he told the conference, when his security specialist and a security vendor, RootCellar Technologies of nearby Kitchener, Ont., which supplies the IT department’s risk management solution. let him know about the WannaCry outbreak, that he discovered the mess.
“We ended up scanning our network and absolutely none of our machines were patched for this.” Some of the machines hadn’t been patched in at least six and perhaps as long as 12 months. “Some were missing well over a thousand patches,” he said.
In the interview he blamed a licencing problem with the patch management software, but also that the patching “was neglected” by a staffer.
“We had had the team working with RootCellar scanning the network, patching, scanning the network again and patching. The problem is we had laptop users who were on vacation. Or they shut down their PCs and then turned them on in a couple of days.” The effort took an entire weekend.
“We’re still getting the odd notification [from RootCellar] that another [unpatched] machine is booting up,” Boyle said.
The vendor’s solution identifies where the problem machine is.
Among the lessons he’d pass on to other infosec pros is “patching is the cheapest form of security we can do” for desktops and servers.
“This has caused some issues (but) if a critical security patch comes out we push it out immediately during the day or night.” As soon as a PC comes online it is patched. “I know its disruptive to business but it will be more disruptive if it is compromised. Patching has become a main focus for our team.” Corporate applications are managed by a separate team responsible to lines of business, and they have their strategy, “but we’ve communicated the danager in not reviewing your apps, firmware and one-off software.”
The incident has also put him on the road to convincing the city to disabling USB ports on all city-owned devices, Boyle added.
With Boyle on the presentation was RootCellar’s Steve McGeown, senior vice-president of product management, who warned the conference not to get complacent about ransomware.
Criminals like ransomware because they don’t have to worry about network reconnaissance or exfiltrating data. In fact, they don’t its automated so its easy, encryption is ‘a big red light’ to the attacker, no exfiltration for attacker to worry about looking for data valuable to sell. All they need is a victim who thinks their data is valuable.
“Do not for one moment think that you’re a small county in Ontario and will not be hit,” he said, because attackers use automated bots searching for vulnerable machines.
