5 tips to stop the next WannaCry

WannaCry the worst malware attack in recent memory spread like wildfire across tens of thousands of unpatched or out-of-date Windows PCs throughout the world, locking computers until and unless a ransom was paid. Indeed, there’s plenty of blame to go around — from Microsoft, for creating such insecure software to begin with, to the NSA, whose leaked cyberspying tools were utilized in the attack. And yes, sites like ours have gotten our share of the blame, too.

1. Separate security updates

Kaspersky Blog - ransomware Credits
Kaspersky Blog – ransomware Credits

Windows Update frequently tries to download a large number of updates and then reboot my PC one or more times — and I don’t always want to let it. If there were a clearer way to say, “automatically install critical security updates and table everything else,” this wouldn’t be a problem. Meanwhile, simple feature updates that have nothing to do with security — Paint 3D, more emojis, whatever — could be installed at the user’s leisure, or during overnight sessions if no apps are otherwise running.

It is possible to set up update preferences in some versions of Windows with a degree of granularity, but it’s not as clear as it should be. And if you follow Microsoft’s recommended settings, you’ll constantly be on the update merry go round. The May 9, 2017 security update for Windows 10 included 18 security updates alone.

2. Updates should be quick and easy to install

When we asked Microsoft about its security in light of WannaCry, here’s what a company spokesperson said:

Those who are running our free antivirus software or have Windows Update enabled are protected. Given the potential impact to customers and their businesses, we have also released updates for Windows XP, Windows 8, and Windows Server 2003. For more information see our Microsoft Security Response Center blog; ‘Customer Guidance for WannaCrypt Attacks‘, and our Microsoft On The Issues blog; that calls for global collective action.

Fair enough. But let’s be honest, a lot of people try to avoid Windows Update because its implementation in the initial version of Windows 10 was pretty awful. Plenty of us had the infuriating experience of Windows rebooting (apparently) spontaneously, resulting in lost or delayed mission-critical work. Microsoft went a long way to addressing that frustration with the Windows 10 Creators Update , which became available just a few weeks ago. It’s on a rolling update schedule, so not everyone who’s eligible has it yet.

3. Make OS upgrades free and available forever

The move from Windows 7 or 8 to Windows 10 was free and relatively painless, while previous Windows generational updates cost consumers money. But, that upgrade was only free for a limited time. A year may seem like a long window to upgrade, but the name of the game is getting everyone (with compatible hardware, at least) on the same platform and minimizing OS fragmentation.

Consider that 21% of iPhones are currently running older versions of that operating system as of February 2017, while by at least one reckoning (as of April 2017) about half of all desktops and laptops were still running Windows 7, 8 and 8.1 — even though the latter were all eligible for free Windows 10 upgrades at some point.

And now, the two suggestions you’ll probably hate:

4. Stop letting people sideload software

The idea of downloading and installing any software package from anywhere on the internet is becoming less of a norm than it used to be. “Locking down” an operating system to only allow pre-certified software is already how iOS works on iPhones and iPads. Chrome OS devices like Chromebooks also limit extra software to in-browser apps.

5. The nuclear option: Take older products offline

It’s a drastic step, but something needs to be done with older PCs that are connected to the internet while running unpatched, out-of-date operating systems. If an owner insists on running “unsupported” legacy systems (I’m looking at you, Windows XP) that are effectively security nightmares waiting to happen, that machine may have be to be either decommissioned or else cut off from the internet. Samsung did a version of this with its fire-prone Galaxy Note 7: After the final die-hard holdouts ignored the recall notice, the company pushed a firmware update that effectively killed the remaining devices.

Obviously, such a bold step would change how we look at hardware ownership — products would effectively have to come with an expiration date. But if Microsoft and other companies can’t guarantee security updates “forever,” the tradeoff may need to be that the device can’t be allowed to go online anymore.

It’s like banning an unvaccinated child from school: You may not want to immunize your kid against a childhood disease, but it’s the responsible thing to do. And because you’re not only putting your child at risk, you’re risking the health of others.

In a post-WannaCry world, it may well be time to apply that model to vulnerable devices.

Read further

Leave a Reply