The following article is part of our National Cyber Security Awareness Month (NCSAM) Article Series and was written by Seth Arbital, Chief Information Security Officer of Align.
“The key is for the gentleman, the crook finds a way.” While this is true, we still place strong locks on our doors and valuables, and set alarms. Threat actors are continuously finding ways around the cybersecurity controls that we implement. This is why we must establish versatile and dynamic cybersecurity programs that are able to adapt as threats evolve. While we still need to set alarms and monitor for anomalous events, we also need to lock the cybersecurity doors. One way to begin accomplishing this is through a strong Vulnerability Management Program that incorporates diligent patch management.
We hear security professionals talk about Zero-Day threats, in which vulnerabilities or weaknesses in systems, unbeknownst to the vendor, are exploited by hackers. However, while these risks require proper controls, the most publicized attacks this year, affecting hundreds of millions of people, were due to exploiting known vulnerabilities. As these attacks were not Zero-Day, they were completely preventable.
- Equifax Data Breach – The Equifax breach that exposed over 143 million Americans’ personal and financial records was due to an exploit of an Apache Struts vulnerability identified in early March of 2017. A patch was made available shortly thereafter. According to CNN Tech’s Jackie Wattles and Selena Larson, “Equifax admitted it was aware of the security flaw a full two months before the company says hackers first gained access to its data.” (CNN Money)
- WannaCry Ransomware – In May 2017, WannaCry Ransomware affected Windows machines worldwide. Microsoft had identified the vulnerability, and released a patch as part of the Microsoft MS10-017 updates in March, two whole months before the exploit spread like wildfire.
- Petya Ransomware – A little over a month after WannaCry, this second ransomware attack was unleashed on the world, also exploiting a vulnerability that was addressed in the Microsoft MS10-017 update.
According to the March 14, 2017 article in eWeek magazine entitled, “Software Patches Could Prevent Most Breaches, Study Finds,” “Approximately 80 percent of companies that had either a breach or a failed audit could have prevented the issue with a software patch or a configuration change, according to a security-automation survey of 318 firms.”
There are many reasons why firms fail to adequately patch their systems, some of which include:
- Rogue systems, or systems that were seemingly decommissioned, remain on the network.
- Organizations do not know that their systems’ patches are not current.
- Organizations do not have the resources to properly test and deploy patches.
- Legacy systems may break if patches are applied, and engineering fears unforeseen business repercussions due to unplanned downtime.
- The business requires 100% uptime and does not allow for Change Management Windows to patch.
The development and implementation of an adequate Vulnerability Management Program, with proper patch management policies and processes, are key to addressing the above challenges. The following are helpful steps towards establishing such a program:
- As with any cybersecurity program component, support from your senior management is key. Involve executive management, and emphasize that the cost of a breach far outweighs the cost of implementing the program.
- Identify business requirements and risks caused by downtime. If the business requires 100% uptime, implementing high availability systems can allow for patching without incurring downtime.
- It is impossible to protect what you do not know about. It is therefore imperative to fully inventory an organization’s cybersecurity assets, including anything with an IP address (infrastructure devices, servers, endpoints, appliances, phones, etc.), and the applications that run on those assets.
- Implement a vulnerability scanning solution that continuously scans the environment. It will identify every asset it can reach, which can then be compared against the asset inventory above, along with the vulnerabilities present on each asset.
- Prioritize patching in proportion to the risk each asset poses to the business.
- Implement set Change Management Windows for the purpose of patching.
- Where legacy systems cannot be patched, identify compensating controls to mitigate the risk.
- Since time and engineering resources are among the biggest constraints most firms face, do not go it alone. Utilize outside expertise to enhance your organization’s current team.
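The inventory, scan and prioritization steps above can be tied together in a small reconciliation routine. The following is an added example, not code from the article or from Align: it takes a constructed asset inventory and a constructed scan result, reports scanned hosts that are missing from the inventory (the rogue or supposedly decommissioned systems mentioned earlier), and ranks the remaining findings by asset criticality times CVSS score, flagging any whose patch has been available longer than an assumed 30-day window. The criticality scale, the 30-day SLA and the CVE identifiers are placeholders chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Asset:
    ip: str
    name: str
    criticality: int  # 1 (low) to 5 (business critical); scale assumed here

@dataclass
class Finding:
    ip: str
    cve: str
    cvss: float
    patch_released: date

# Constructed inventory, scan output and "today"; CVE ids are placeholders.
TODAY = date(2017, 5, 12)
INVENTORY = [
    Asset("10.0.0.10", "erp-db", 5),
    Asset("10.0.0.20", "intranet-web", 3),
    Asset("10.0.0.30", "print-server", 1),
]
SCAN = [
    Finding("10.0.0.10", "CVE-0000-0001", 9.8, date(2017, 3, 14)),
    Finding("10.0.0.20", "CVE-0000-0002", 7.5, date(2017, 3, 14)),
    Finding("10.0.0.30", "CVE-0000-0003", 9.8, date(2017, 4, 20)),
    Finding("10.0.0.99", "CVE-0000-0001", 9.8, date(2017, 3, 14)),  # not in inventory
]

def rogue_hosts(inventory, scan):
    """Scanned hosts missing from the inventory: the rogue or supposedly
    decommissioned systems the article warns about."""
    known = {a.ip for a in inventory}
    return sorted({f.ip for f in scan} - known)

def prioritize(inventory, scan, today=TODAY, max_patch_age_days=30):
    """Rank findings on inventoried assets by criticality * CVSS and flag
    any whose patch has been available longer than the (assumed) 30-day SLA."""
    by_ip = {a.ip: a for a in inventory}
    ranked = []
    for f in scan:
        asset = by_ip.get(f.ip)
        if asset is None:
            continue  # reported separately by rogue_hosts()
        age = (today - f.patch_released).days
        ranked.append({"asset": asset.name, "cve": f.cve,
                       "score": round(asset.criticality * f.cvss, 1),
                       "overdue": age > max_patch_age_days})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

In practice the inventory would come from a CMDB export and the findings from the scanner's report, and the criticality values would be set by the business owners identified during the risk assessment step.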
While a crook will find a way, do not make it any easier. Lock your cyber doors and significantly reduce your risk exposure by implementing and maintaining a good Vulnerability Management Program, that includes consistent and prioritized patching.
Come back next Tuesday for our final article in our National Cyber Security Awareness Month (NCSAM) Series!
About the Author
Seth Arbital, Chief Information Security Officer of Align
Seth Arbital draws from his 30 years of experience in IT and 15 years specializing in Information Security as the CISO of Align. Seth has built and managed consulting and engineering teams for boutique, regional and national technology firms. He assists clients in enhancing security by developing strategic security programs with a focus on people, process and technologies. Seth utilizes his expertise with security technologies, architects solutions and manages business and regulatory compliance including PCI, HIPAA, GLBA, and SOX. He is certified in CISM, CISSP, ISO 27001 and GDPR, as well as a variety of technical certifications from security vendors. Seth received his Bachelor of Science in Computer and Information Sciences at City University of New York – Brooklyn College.