The first rule of cyber security is to create a complete inventory of the organization’s hardware and software, because you can’t defend what you don’t know is there.
Arguably the second rule is to have a rigorous patch management system to update everything in the inventory.
Boeing seems to have violated both after being victimized Wednesday by the WannaCry ransomware cryptoworm. The Seattle Times reported that initially an executive flashed a memo saying the malware was “metastasizing rapidly” in a South Carolina plant. However, later Linda Mills, the head of communications for Boeing Commercial Airplanes, said in a statement that “the vulnerability was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs.”
It is surprising that a company as big as Boeing was caught out by this malware, which began spreading in May 2017. It could have been stopped by installing a Windows patch from Microsoft released in April. Believed to have been sprung by the Shadow Brokers, WannaCry includes what has been called the EternalBlue exploit, apparently found and stolen from the U.S. National Security Agency, which leverages a bug in the Windows Server Message Block (SMB) protocol. Microsoft released information on the problem on March 14, 2017 along with security bulletin MS17-010, then put out patches in April. The malware spread like a worm by scanning systems linked by a network to any machine it infected.
There was no shortage of publicity when WannaCry began rapidly replicating itself in May. An estimated 200,000 computers were infected in 150 countries, including the U.K.’s health care system, a Nissan car manufacturing plant in Britain and FedEx.
In December the U.S. declared that North Korea was behind the release of the ransomware.
Apparently Boeing had at least a few computers that hadn’t been patched with the Microsoft fix, released almost a year ago.
While there are automated discovery and patching solutions, they aren’t always perfect. Equifax found that out the hard way after it was stung by an attack that leveraged a known vulnerability in the Apache Struts framework. According to testimony before Congress by the company’s former CEO, Equifax’s security team knew about a warning issued by the US-CERT. Company policy is that patches have to be installed within 48 hours. But, due to “human error” by an unnamed person, the patch wasn’t applied. On top of that, a software scan of its systems, which should have discovered that the patch hadn’t been applied, missed it.
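The inventory rule, the 48-hour policy and the scan miss described above can be tied together in one reconciliation check; this is an added example, not part of the original article or any vendor's tooling. The hostnames, the patch identifier, the dates and the `reconcile` function are constructed for illustration.

```python
from datetime import datetime, timedelta

PATCH_SLA = timedelta(hours=48)  # the 48-hour patch policy cited in the article

# Constructed sample data: hostnames and the patch id are placeholders.
INVENTORY = {"plant-hmi-01", "plant-hmi-02", "eng-ws-17", "file-srv-03"}
SCAN_RESULTS = [
    {"host": "plant-hmi-01", "patches": {"PATCH-EXAMPLE-001"}},
    {"host": "eng-ws-17", "patches": set()},
    {"host": "lab-pc-99", "patches": set()},  # on the network, not in inventory
]


def reconcile(inventory, scan_results, patch_id, released, now):
    """Cross-check the asset inventory against patch-scan output.

    A host the scanner never reached is treated as unpatched, not as
    compliant: silence from the scanner is not evidence of a fix.
    """
    scanned = {r["host"]: r["patches"] for r in scan_results}
    unscanned = sorted(inventory - set(scanned))      # scan coverage gap
    uninventoried = sorted(set(scanned) - inventory)  # inventory gap
    missing = sorted(h for h, p in scanned.items() if patch_id not in p)
    overdue = (now - released) > PATCH_SLA
    breach = sorted(set(missing) | set(unscanned)) if overdue else []
    return {
        "unscanned": unscanned,
        "uninventoried": uninventoried,
        "missing_patch": missing,
        "sla_breach": breach,
    }


if __name__ == "__main__":
    report = reconcile(
        INVENTORY, SCAN_RESULTS, "PATCH-EXAMPLE-001",
        released=datetime(2024, 1, 1, 9, 0),
        now=datetime(2024, 1, 4, 9, 0),
    )
    for finding, hosts in report.items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```

Hosts listed under `unscanned` are the ones a dashboard of scan results alone would never show, which is why they are counted against the patch deadline.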