We recently asked renowned Ransomware Expert Allan Liska for practical patching advice when it comes to preventing ransomware. See his response in this video, and in case you’ve missed it, here’s the transcript:
So let’s talk a little bit about patching. Obviously, unpatched vulnerabilities are a big way for ransomware attackers to get in. But everybody can’t be completely patched all the time. What’s some practical advice for prioritizing patching an environment?
Right. So there are basically three ways that ransomware actors gain initial access. It’s through phishing campaigns, credential reuse attacks, and then exploitation. With the exception of the Kaseya ransomware attack, so far ransomware actors have used well-known, already exploited vulnerabilities. So they’re not going out and finding new unknown vulnerabilities.
But there’s a diversity in the number of different tools that they’ll exploit, the number of different systems they’ll exploit, and the number of vulnerabilities that they’ll exploit. So we did a count at one point, and just in 2020 and 2021 so far, there were 47 different vulnerabilities across 18 different technologies that are widely exploited by ransomware groups. That’s really hard to keep track of. And the answer that we always give is, well, you have to patch. Well, in 2020, there were 12,000 vulnerabilities published through the National Vulnerability Database. That is a full-time job. Now, for a lot of companies, that is a full-time job.
You have vulnerability management teams that go and find the vulnerabilities, and they push them out to the different teams that need to patch them, and they patch them. But if you’re a small organization, or a medium-sized organization, patching could still be a full-time job because of all the vulnerabilities that are out there. And I think to your point, you need to have a better strategy, which is prioritizing those vulnerabilities being exploited by ransomware groups on external-facing systems. So if you are running Citrix to your network, ransomware actors love to exploit Citrix. You need to make sure you’re prioritizing patching Citrix. If you have a VPN for remote employees who need to connect into the network, that needs to be prioritized. But you also need to prioritize asset management. So even small organizations may not realize how many of their systems are internet-facing.
You may have a vendor who needs to do some management, and so they have a port open that they can connect to and do management of systems. This is really well known in healthcare, where a lot of healthcare vendors will use Remote Desktop Protocol. And if the hospital or the healthcare provider is not aware that their vendor has these Remote Desktop Protocol servers open to their network, that’s a real problem, and that could leave you potentially vulnerable.
So I highly recommend doing external scans. There are a lot of free services that will do this, but also, if you have a vulnerability management service, they will do that for you. So do an external scan of your network to look for systems that you didn’t know about. And you really, really want to concentrate your limited patching resources on that perimeter, for preventing exploitation for that initial access.
Okay. So focus on the perimeter, and make sure to be using external scans.
Right. That’s absolutely going to help you get started, without having to spend your entire day patching and finding out about new vulnerabilities.
Fantastic. Thanks, Allan.