Article by John Stephens, Luminant Digital Security
If you pay attention to anything in the news, you may have recently heard about the Microsoft vulnerability code named “PrintNightmare.”
PrintNightmare is a vulnerability in the process on Microsoft systems responsible for printing, and it’s present in nearly every version of Windows. This vulnerability gained a little more news coverage because of its severity and because an exploit – code designed to take advantage of the vulnerability to allow an attacker to hack your computer—was available online before Microsoft issued a patch to fix the issue. This meant the only way to mitigate the risk of having your computer hacked by an attacker targeting this vulnerability was to disable the printing services.
For some organizations, disabling printing might not be a big deal. However, for other organizations, not being able to print means severe disruption, perhaps a complete interruption, of business. It begs the question, is the cure worse than the poison? As I am writing this now, Microsoft has released a patch, so the risk has been reduced (assuming the patch has been applied), and print services can be restored. However, while PrintNightmare may be in the rear-view mirror, this isn’t the first critical vulnerability that posed the dilemma – How does an organization plan and prepare for critical vulnerabilities that could result in ransomware, a data breach, or worse, while still maintaining critical operations?
Unfortunately, this is not a unique dilemma as the pace of vulnerability disclosures have only increased over the years with cyber-threats increasingly posing an existential threat to many organizations. For many organizations ransomware or a breach could put them out of business, so paying attention to cybersecurity is a must. If you are paying attention, security can’t be the only consideration as it has to balance with the operational needs of the organization. But, how do you find that balance? Well, of course, there is no stock answer that’s right for everyone. It’s a matter of balance, which means weighing what the organization needs to survive against what security risks are present. And there’s no way to reduce the risk to zero. Risk will always be present. It is a process of mitigating it to a point where it’s acceptable while still allowing the organization to operate.
To find the balance between security and risk mitigation and operations, it is important to have thought about the subject in advance. This doesn’t mean you need a detailed plan for every conceivable scenario. But it does mean you need to know what your organization needs on a daily basis to operate. If you’re a shipping company that has to print labels for packaging every few minutes, the thought of shutting down all printing is a non-starter, so you’re going to have to bear the risk when a vulnerability that affects the print services like PrintNightmare rolls around. But you don’t have to simply accept the risk in the face of a critical vulnerability. Risk can still be mitigated by having solid IT design and administration, strong cybersecurity, employees who know how to recognize cyber threats, and a strong perimeter to prevent organizational assets from being accessed from the Internet.
For PrintNightmare, having all your printing services behind a firewall is a great start. Another great mitigation is to have your print services on a dedicated host that’s not running your domain or hosting your most critical information. Or better yet, your employees can spot a phishing e-mail so they don’t end up with malware that gives an attacker access to a computer from which they can kick off a ransomware attack. All these things have something in common, and that’s preparation and planning before the vulnerability arises. By planning in advance, you know what systems and services are the most critical, and where your data lives. When the situation arises, with this knowledge you can evaluate the risk to the organization and make an informed decision about whether to shut down certain services or accept the risk. If neither are acceptable wholesale, you need to find a way to balance them.
Sounds easy, right? Okay, so maybe not entirely easy. But with the right help, it can be manageable. It all starts with preparation and planning in advance. By first knowing your organization and what’s important to it—what you need to operate on any given day—you can map the things that need to happen to the systems, services, and data that make it possible. From there you implement security controls to protect them appropriately as best you can based on your resources. If it sounds like I’m speaking a different language, then it’s probably best you enlist help. Seek out a solid cybersecurity guide, such as Luminant Security, who can help you make the necessary plans and implement the required controls. They can help you develop an understanding and plan of how to balance the risks posed by cybersecurity threats and vulnerabilities. This will likely lead to a cybersecurity program that will help secure your organization, and give you the tools to balance the risks and operational needs when the next severe vulnerability comes around.
Instead of a panicked fire drill, a response to such a vulnerability can be measured, orderly, and relatively pain-free. Of course, it does require work in advance, but the next time the news announcer comes on and proclaims another dire cyber threat, instead of worrying and wondering if your organization can weather yet another storm, imagine if you already have a solid plan to evaluate and respond. That doesn’t sound so bad now, right?
If you have questions, concerns or need assistance navigating the cyber-risk landscape, Luminant Security is here to guide you through the darkness. Contact us today or visit our website here for more information.