The consequences of a modern-day cyber attack are potentially devastating for business – just ask the recent victims of NotPetya (also known as GoldenEye).
NotPetya is an advanced ransomware strain that encrypted organisations’ mission-critical data in June 2017, and did not return it even in the event of a bitcoin ‘ransom’ being paid. This level of data loss can be business-destroying, so it is essential that organisations do not fall victim in the first place.
Given that threats of this nature often rely on exploiting vulnerabilities in applications, software or devices, a key component of staying safe revolves around effective patch management. A security patch, sometimes referred to as a ‘bug-fix’, is a piece of software designed to update a computer program or its supporting data, removing a design flaw that leaves it vulnerable to attack.
Unpatched software is one of the key enablers of cyber breaches. In the first nine months of 2017, more than 16,000 new vulnerabilities surfaced, an increase of 38% from last year, according to the Vulnerability QuickView Report. On average, most companies fall behind in patching newly discovered vulnerabilities, taking 100-120 days to get it done, if at all, according to Kenna Security. So why such a delay? It’s people, not product.
Making a patch work requires collaboration
Responsibility for efficient patch management lies with people. In order to ensure its effectiveness, therefore, a robust patch management strategy must be put in place. But there is ongoing dispute over which particular department is ultimately responsible for its implementation.
In a recent Gartner report, VP and distinguished analyst Avivah Litan describes the well-known, longstanding tug-of-war over patching between IT Operations and IT Security and the logic for disagreement on both sides.
On one hand, IT Operations’ focus is very much on the smooth running of the business’s IT systems. Consequently, the department is acutely aware that frequent patching brings with it a possibility of hindering business processes, and is likely to prioritise short-term optimal performance of systems over fastidious security updates.
By contrast, IT Security would be extremely reluctant to leave any potential vulnerabilities unpatched. After all, safeguarding the company against external threats is the core of IT Security’s remit, and a proactive approach is by far the safest for the long-term health of the company. The longer the lag time between identifying a vulnerability and patching it, the greater the likelihood that it could be exploited, and systems compromised.
Patching application vulnerabilities is a prerequisite if an organisation wishes to avoid the truly damaging consequences that have befallen companies such as Equifax following a breach, not to mention the now-infamous WannaCry ransomware attacks. With this in mind, it is essential to secure interdepartmental buy-in for patch management initiatives, and ensure they are prioritised accordingly.
Solutions against the breach
It is important to remember that vulnerabilities can be present in solutions of all ages – this is not just an issue affecting new software. For instance, recent examples include a 15-year-old unpatched macOS vulnerability that could have been triggered at any time, yet was undetected by Apple, and, fortunately for Apple, by cyber criminals. Most recently, the ‘Meltdown’ and ‘Spectre’ vulnerabilities discovered in Intel’s microprocessors affect models dating back to at least 2011.
So, how should your organisation react when a vulnerability such as those outlined above is made public? The right technologies and processes should be put in place to ease the pain of patch management and ensure that the vectors for such attacks are closed off. The main step would be to identify gaps and weaknesses in current controls and leverage that understanding to prioritise security programs.
The inexpensive way to success
Patching vulnerabilities is the least costly and quickest way to minimise risk and protect your organisation in the event of a major breach. However, if a company is already infected, it should immediately conduct a thorough audit of potentially affected systems and segment off remote management ports using VPNs and multi-factor authentication. Once this has been completed, the creation and implementation of a patch deployment process can start.
But the safest and most effective strategy is always to prevent a breach before it happens, wherever possible. Implementing a top-class AV solution across your entire organisation can detect malware trying to exploit vulnerabilities, preventing it from spreading across the entire user base. In addition, flagging and managing software updates should be automated where possible.
Patch management is one of the simplest and most effective ways to mitigate cybersecurity risks to your business, but time is of the essence. A breach could happen at any time, so companies that do not act now risk being too late.