For leaders in IT, 2017 has been the year of EternalBlue (the weaponized version of the vulnerability described in MS17-010), whether they know it or not. EternalBlue allowed the trivial exploitation of Microsoft systems allowing an attacker to gain the highest level of system permissions. This sort of vulnerability set the hacking community on fire and allowed ransomware such as Petya, NotPetya and BadRabbit which impacted industry and individuals worldwide. This is not something new. The industry saw the same discovery and exploitation cycle with Conficker (MS08-067) and ShellShock (CVE-2014-6271).
The shift that EternalBlue may have caused within IT leadership is a willingness to forgo the typical patch management process. The deliberate process of researching the vulnerability, identifying impacted systems, developing a backout plan, testing the patches in a lab, requesting a maintenance period to apply patches, validating patches, rinsing and repeating is simply too lengthy to be effective. The new mentality circulating is that organizations are best served by swift adoption of patches rather than a liturgical adherence to a patch management process that leaves them unprotected for days or months. Others will consider this approach reckless. 2018 may be the year that we see a tidal shift towards rapid patch management. The best bellwether for this industry shift will be if or when Microsoft disbands “Patch Tuesdays.” This will be the sign that a major industry leader recommends applying patches as available.
Whether organizations adhere to a deliberate or rapid patch management approach solid disaster recovery and business continuity programs are a must.