
Sensible choice: automation and outsourcing

by Mark Rowe

Eoin Keary, CEO and founder of Edgescan, reviews the state of vulnerability management.

Despite new vulnerabilities being disclosed daily, a report compiled by full-stack vulnerability management provider Edgescan from tens of thousands of global assessments revealed that organisations still aren't up to scratch when it comes to protecting their digital assets.

The sudden shift to remote working has changed how businesses operate and how people connect to their workplaces. As a result, organisations saw a significant increase in the attack surface they had to secure, and a whole new set of security challenges. Perhaps unsurprisingly, as people started connecting to their organisation's network from personal devices, Edgescan observed a 40pc increase in exposed or insecure Remote Desktop Services.

With threat actors opportunistically exploiting a global crisis, ransomware also increased. Coupled with phishing attacks, ransomware profits rose to circa $20 billion in 2020, from $11.5 billion in 2019 and $8 billion in 2018. Interestingly, though, it is still the same old vulnerabilities that are exploited as an entry point: in 2020, the exploit toolkits actively used by cybercriminals were leveraging CVEs from 2017-2019. The most common CVE discovered in 2020 and used by cybercrime actors was CVE-2019-0708, the Remote Desktop Services flaw known as "BlueKeep", which is exactly the exposure that the rise in internet-facing RDP makes worse.

The solution: better patch management

Patch management is essentially the process of detecting and deploying missing patches across an organisation's estate of computers. It comprises a series of processes that are considered the foundation of any information security strategy:

· Vulnerability monitoring: without vulnerability monitoring, organisations are reduced to waiting for a vendor to issue a notification or, worse, to reading about a wormable exploit in the news, when it is usually already too late. Organisations should scan their digital assets for new vulnerabilities regularly – or better, continuously.

· Patch analysis: as not all patches are made the same, enterprises should look at each update a vendor releases and confirm it is compatible with their critical systems.

· Patch planning: as systems may have interdependencies that a software upgrade could disrupt, the deployment of updates needs to be planned carefully. Vulnerabilities should be prioritised by their risk score, taking exposure into account (an internet-facing system or a bug with a public exploit comes first), and fixes deployed according to the specifics of each instance. Ideally, there would be a patching policy for each system or component, with allocated maintenance windows in which patches can be applied and an established rollout protocol.

· Testing and deployment: before a patch is deployed to the entire environment, tests should be conducted to assess the impact the upgrade would have on users, performance and other systems. This helps ensure that there are no unintended issues and should include a rollback plan should the patch prove faulty. Once this is established, patches can be rolled out according to the patching policy.

· Patch auditing and reporting: fixes should be monitored for incompatibility or performance issues, as well as for failed or pending deployments. Records should be kept of how long each bug took to remediate, as those help identify trends and areas for improvement and inform policy updates.
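The five steps above describe a procedure, so here is a worked illustration of the planning and auditing parts in code. This is an added example written for this page, not Edgescan's tooling or the article's own material: the SLA_DAYS policy, the exposure multipliers in risk_score and the sample findings are assumptions chosen for the demonstration (the two CVE ids are the ones the article cites, the "weak TLS" entry is hypothetical). It prioritises an open backlog by risk and exposure, flags findings that have breached the policy, and computes the mean time to remediate per severity band, the metric the next section discusses.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation policy: maximum days a finding may stay open per severity band.
# Illustrative numbers, not Edgescan's or any vendor's recommendation.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str
    title: str              # CVE id or short description
    cvss: float             # CVSS base score, 0.0-10.0
    internet_facing: bool
    exploited_in_wild: bool
    discovered: date
    remediated: Optional[date] = None   # None while the finding is still open


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score onto the standard qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(f: Finding) -> float:
    """Weight CVSS by exposure (assumed multipliers): an internet-facing system with a
    bug that is being exploited in the wild jumps the queue regardless of raw CVSS."""
    score = f.cvss
    if f.internet_facing:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    return score


def prioritised_backlog(findings: List[Finding]) -> List[Finding]:
    """Patch planning: open findings, highest risk first."""
    return sorted((f for f in findings if f.remediated is None), key=risk_score, reverse=True)


def overdue_findings(findings: List[Finding], today: date) -> List[Finding]:
    """Patch auditing: open findings that have exceeded the SLA for their band."""
    return [f for f in findings
            if f.remediated is None
            and (today - f.discovered).days > SLA_DAYS[severity(f.cvss)]]


def mttr_by_severity(findings: List[Finding]) -> Dict[str, float]:
    """Mean time to remediate, in days, per severity band, over closed findings only."""
    durations: Dict[str, List[int]] = {}
    for f in findings:
        if f.remediated is not None:
            durations.setdefault(severity(f.cvss), []).append((f.remediated - f.discovered).days)
    return {band: round(sum(days) / len(days), 1) for band, days in durations.items()}


# Constructed sample data for the demonstration.
TODAY = date(2020, 5, 1)
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-2019-0708 (RDP, BlueKeep)", 9.8, True, True, date(2020, 3, 2), date(2020, 3, 10)),
    Finding("web-02", "CVE-2019-0708 (RDP, BlueKeep)", 9.8, True, True, date(2020, 4, 1)),
    Finding("net-03", "CVE-1999-0517 (SNMP default community)", 7.5, True, False, date(2020, 1, 15), date(2020, 4, 9)),
    Finding("app-04", "weak TLS configuration (hypothetical)", 5.3, True, False, date(2020, 4, 20)),
    Finding("db-05", "CVE-1999-0517 (SNMP default community)", 7.5, False, False, date(2020, 4, 25)),
]

if __name__ == "__main__":
    print("Backlog, highest risk first:")
    for f in prioritised_backlog(SAMPLE_FINDINGS):
        print(f"  {f.asset:7} {severity(f.cvss):8} risk={risk_score(f):5.1f}  {f.title}")
    print("Past SLA as of", TODAY, ":", [f.asset for f in overdue_findings(SAMPLE_FINDINGS, TODAY)])
    print("Mean time to remediate (days):", mttr_by_severity(SAMPLE_FINDINGS))
```

With the sample data the BlueKeep finding on web-02 is both top of the backlog and the only SLA breach; the closed findings give an MTTR of 8 days for critical and 85 for high, a spread very like the one the next section reports.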

Mean Time to Remediate

There is no shortage of cautionary tales in patch management. Although not the only entry point through which cybercriminals can compromise an organisation's environment or steal valuable data, known vulnerabilities are often the reason why threat actors gain access to critical systems.

Why, then, do organisations wait before applying patches for vulnerabilities that are already public, with tried and tested exploits available online for anyone to see? Why don’t they have a system in place to detect vulnerabilities and reduce their window of exposure?

In 2020, it took organisations an average of 50 days to remediate critical-risk vulnerabilities in public internet-facing web applications – roughly 34 fewer days than it takes, on average, to patch high-risk ones, but still far too long given that cybercriminals have automated tools that can find vulnerable systems within seconds. Interestingly, there was no significant variance by organisation size: larger organisations took as long as smaller ones to fix vulnerabilities.

Indeed, the same 20-year-old vulnerability that the Edgescan report has been highlighting for years was found still 'in the wild' in over 3,500 systems across Europe and North America. Originally disclosed in 1999, CVE-1999-0517 – an SNMP agent that accepts a default, null or missing community string such as 'public' – carries a high-severity CVSS score of 7.5 (out of 10) and the potential to cause a serious data breach, since anyone who knows the community string can read the device's configuration and, with a write community, change it.
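The check a practitioner wants at this point is how to find CVE-1999-0517 on their own estate. The following is an added example, not code from the article or from Edgescan: it hand-builds an SNMPv1 GetRequest for sysDescr.0 in BER, sends it with each default community string and treats a decoded GetResponse as proof that the agent accepts that string. Port 161, the two-second timeout and the 'public'/'private' list are assumptions; an agent that rejects a community string normally stays silent, so a timeout is the expected negative result. Run it only against systems you are authorised to test.

```python
import socket
import sys
from typing import Dict, List, Optional, Tuple

SYS_DESCR = "1.3.6.1.2.1.1.1.0"            # sysDescr.0, answered by practically every agent
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2      # SNMPv1 PDU tags (context-specific, constructed)


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a BER tag-length-value triple (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def ber_int(n: int) -> bytes:
    """Two's-complement INTEGER, minimal length that still leaves room for the sign bit."""
    return ber_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """Dotted OID to BER content: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(raw: bytes) -> str:
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def ber_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at buf[pos]; returns (tag, content, position after it). Bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length


def build_message(community: str, pdu_tag: int, request_id: int, varbinds: List[Tuple[str, bytes]]) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { id, error, index, varbind list } }."""
    vbl = b"".join(ber_tlv(0x30, ber_tlv(0x06, encode_oid(oid)) + value) for oid, value in varbinds)
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, vbl)
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + ber_tlv(pdu_tag, pdu))


def build_get_request(community: str, oids: List[str], request_id: int = 1) -> bytes:
    return build_message(community, GET_REQUEST, request_id, [(oid, ber_tlv(0x05, b"")) for oid in oids])


def parse_response(data: bytes) -> Optional[dict]:
    """Decode a GetResponse; None if the datagram carries some other PDU type."""
    tag, msg, _ = ber_read(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = ber_read(msg, 0)
    _, community, p = ber_read(msg, p)
    tag, pdu, _ = ber_read(msg, p)
    if tag != GET_RESPONSE:
        return None
    _, rid, q = ber_read(pdu, 0)
    _, err, q = ber_read(pdu, q)
    _, _idx, q = ber_read(pdu, q)
    _, vbl, _ = ber_read(pdu, q)
    varbinds: Dict[str, bytes] = {}
    pos = 0
    while pos < len(vbl):
        _, vb, pos = ber_read(vbl, pos)
        _, oid, r = ber_read(vb, 0)
        _, value, _ = ber_read(vb, r)
        varbinds[decode_oid(oid)] = value
    return {"community": community.decode(errors="replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}


def probe_default_communities(host: str, communities=("public", "private"),
                              port: int = 161, timeout: float = 2.0) -> Dict[str, str]:
    """Return {community: sysDescr} for each community string the agent answers to.
    Silence (timeout) is the normal answer to a rejected community string."""
    accepted: Dict[str, str] = {}
    for request_id, community in enumerate(communities, start=1):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_get_request(community, [SYS_DESCR], request_id), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
        try:
            resp = parse_response(data)
        except ValueError:
            continue
        if resp and resp["request_id"] == request_id and resp["error_status"] == 0:
            accepted[community] = resp["varbinds"].get(SYS_DESCR, b"").decode(errors="replace")
    return accepted


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    hits = probe_default_communities(target)
    for community, descr in hits.items():
        print(f"{target}: accepts community '{community}' -> {descr}")
    if not hits:
        print(f"{target}: no response to default community strings")
```

The request for 'public' encodes to the familiar 40-byte datagram (30 26 02 01 00 04 06 'public' a0 19 ...); a hit means the agent exposes at least its system description to anyone on the network, and a hit on 'private' usually means write access too. The bounds checks in ber_read matter because the reply comes from an untrusted device.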

Why not patch immediately?

There are many reasons why organisations don't patch, some more obvious than others. First of all, if you aren't in control of a system, you can't update it. Smaller enterprises often cannot afford to void a warranty or a licensing agreement in order to take control of patching themselves.

For other organisations the problem is justifying the decision to upgrade a system that is working just fine: the public sector may have quickly caught up with the importance of patching to avoid falling victim to the latest ransomware attack, but has notoriously struggled to get taxpayers' money allocated for security updates.

Then there are the dependencies between systems. Especially in older or more complex infrastructures, legacy components may be integrated with newer ones. In that case, upgrading one piece of software could break a carefully balanced set of interdependencies and disrupt business operations.

Finally, there is revenue. If the systems that need a patch are business critical, you can rest assured that a lot of thought will go into the decision to take them offline for the time required to fix the bug.

Although apparently daunting and expensive, patch management is one of the cyber essentials that every organisation should have in place, and there are a number of options to facilitate the implementation of such a crucial component of a security strategy.

One, especially for organisations with less complicated environments that perhaps lack the resources for an internal patch management officer or cybersecurity team, is automation. There is a plethora of tools out there, such as Microsoft's own Windows Server Update Services or Gravity Storm Software's Service Pack Manager.

The other solution, which takes the day-to-day work off the organisation's hands (though not the accountability for the outcome), is to outsource patch management to a managed security service provider (MSSP). There are countless packages and options to suit needs ranging from the small to medium enterprise up to the large-scale operations of education services and streaming platforms.

Whether organisations decide to take patch management into their own hands or choose to outsource it, the key message is that such processes must be in place. As threats become more sophisticated and cybercriminals automate their attacks, leaving unnecessary risks unmanaged can be an existential mistake.


© 2024 Professional Security Magazine. All rights reserved.
