Ivanti expert on why CISOs need to focus first on automated patching
According to research, 60% of organisations that experienced data breaches in the last two years attributed the breach to an unpatched vulnerability – so it has never been more necessary to stress the importance of good patch management. Chris Goettl, Director of Security Solutions at Ivanti, discusses why patching needs to be a core part of any business’ security strategy.


Vulnerabilities lie at the heart of a cybercrime economy said to be worth as much as US$1.5 trillion each year. They are exploited by nation states and financially motivated cybercriminals alike to steal data, deliver ransomware, monetise crypto-mining and more.

But in many organisations, the mechanism to fix these bugs and mitigate related cyber-risk is siloed, reactive and ad-hoc. As GDPR regulators finally signal the end of the honeymoon period with multi-million pound penalties, it’s more important than ever that CISOs get this crucial part of their security strategy right.

Patching can be hard to get right, but the tools and expertise are out there to run effective, automated, risk-based programmes that will create a great foundation on which to build layered best practice security.

Why patches matter

Vulnerabilities are a natural consequence of human error. Mistakes will always happen, especially in highly complex, man-made systems like computer programs. In fact, most current operating systems contain millions of lines of code, while Google’s code base boasts more than two billion lines in nine million unique source files. That is a lot of opportunity for things to go wrong. The impact of these flaws varies, but can include data breaches, ransomware, banking trojans, cryptojacking, cyberespionage and IP theft.

The amazing thing for many working in the industry is that organisations still come unstuck with patches, despite the devastating global impact of the 2017 WannaCry ransomware worm. Capitalising on unpatched Windows SMB systems, this state-sponsored threat spread quickly around the world, locking machines as it went. Most notably, it affected more than a third of NHS trusts, leading to the cancellation of an estimated 19,000 appointments and operations.

Beyond the tipping point

This should have represented a tipping point in how firms prioritise effective patching. Yet challenges still exist which are proving a stubborn obstacle for adoption of a more strategic approach to patch management. The first revolves around the sheer number of vulnerabilities being disclosed today. Last year alone, somewhere in the region of 22,000 were publicised, thanks to the work of numerous vendor and third-party bug bounty programmes, independent research and the relentless activity of the black hat community.

Many organisations have no standardised way to apply these patches as they affect products across a range of environments from virtual and cloud-based systems to networking equipment, web applications, processors, Internet of Things (IoT) endpoints, mobile devices and operational technology (OT).

In fact, the number of flaws found in SCADA equipment is said to have doubled from 2017 figures. What’s more, the number of potentially vulnerable enterprise endpoints is increasing all the time, as Digital Transformation efforts take hold to drive business growth on the back of cloud, mobile and IoT systems. Shadow IT risks are high as staff open new cloud accounts, or buy unvetted IoT kit and hook it up to the corporate Wi-Fi.

Some organisations may even be running legacy operating systems for which no new patches are available, because of compatibility issues with mission critical apps or long replacement cycles for OT hardware. All of this must be managed by a dwindling pool of IT security staff. EMEA shortages of skilled professionals have now reached 142,000 positions.

The next WannaCry

The bad news is that, while the WannaCry threat has largely been contained, something much worse could be around the corner. BlueKeep (CVE-2019-0708) is another wormable vulnerability that could spell trouble for global firms. Capable of spreading without user interaction, this remote code execution flaw affects Windows XP to Windows 7 and Server 2003 to Server 2008 R2 machines, exposing them to the risk of total remote control by an attacker. It’s still not clear what kind of campaign may be built on this vulnerability, but you can bet something is in the works as hackers are already scanning for vulnerable systems and researchers have developed working exploits.

The business impact of this, and other vulnerability exploit-based cyberattacks, should be front-of-mind for any CISO looking to secure more funding from the board. Breaches, ransomware-related outages and the like come with a range of direct and indirect costs. BA was fined £183 million by the ICO for mistakes that led to a serious breach of customer data and there was scope for this fine to be even higher.

Breaching GDPR can result in a fine of up to 4% of annual global turnover or €20 million, whichever is higher. BA’s fine only reached 1.5% of its 2017 turnover.

Even without the threat of a GDPR fine, the cost of a data breach has risen to a global average of £3.2 million over the past five years. This figure covers costs from legal proceedings, investigation and clean-up, and technology upgrades. Among the biggest outgoings following a breach can be emergency IT support: these charges accounted for the vast majority (£72 million) of the £92 million that the NHS was forced to pay following WannaCry.

The first step to strategic security

Automated patch management is the first step towards an industry-standard best practice approach to cybersecurity that will keep regulators, investors and customers happy. Systems exist today that will continuously scan for vulnerabilities and missing patches, deploying where necessary without the need for IT intervention. IT security leaders can also benefit from risk-based tools which help them develop and enforce policies that automatically prioritise mission-critical systems.

This approach maximises protection while enabling security teams to focus their efforts on more strategic, value-added tasks – which is good news all round.
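The risk-based prioritisation described above can be expressed as a small, repeatable policy: score each missing patch on severity plus defender-relevant traits (wormable, public exploit), weight it by the asset's business tier and exposure, and map the result to an action. The following is an added illustration, not Ivanti's or the article's own code; the tier names, weights, the deploy-now threshold and the host inventory are all constructed assumptions, with CVE-2019-0708 (BlueKeep, from the article) used as one sample finding and a placeholder identifier for the other.

```python
"""Risk-based patch prioritisation over a constructed asset inventory.

Added example, not Ivanti's or the article's own tooling. Tier names,
weights, the deploy-now threshold and all hosts are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MissingPatch:
    cve: str
    cvss: float            # CVSS base score, 0-10 (sample values below)
    wormable: bool         # spreads with no user interaction (as BlueKeep does)
    exploit_public: bool   # a working exploit is publicly known


@dataclass
class Asset:
    hostname: str
    tier: str              # assumed tiers: "mission-critical", "business", "lab"
    internet_exposed: bool
    eol: bool              # vendor ships no further patches (legacy OS / OT)
    missing: list = field(default_factory=list)


TIER_WEIGHT = {"mission-critical": 3.0, "business": 2.0, "lab": 1.0}  # assumed
DEPLOY_NOW_THRESHOLD = 30.0                                             # assumed policy cut-off


def patch_score(p: MissingPatch) -> float:
    """Raise the CVSS base score for traits that matter most to a defender."""
    score = p.cvss
    if p.wormable:
        score += 3.0
    if p.exploit_public:
        score += 2.0
    return score


def asset_score(a: Asset) -> float:
    """Score an asset by its worst missing patch, weighted by tier and exposure."""
    if not a.missing:
        return 0.0
    worst = max(patch_score(p) for p in a.missing)
    score = worst * TIER_WEIGHT[a.tier]
    if a.internet_exposed:
        score *= 1.5
    return round(score, 1)


def action_for(a: Asset) -> str:
    """Map the score to a policy action; EOL systems cannot be patched at all."""
    if not a.missing:
        return "compliant"
    if a.eol:
        return "mitigate"          # no patch exists: isolate / compensating controls
    if asset_score(a) >= DEPLOY_NOW_THRESHOLD:
        return "deploy-now"
    return "next-window"


def plan(assets):
    """Return (hostname, score, action) tuples, most urgent first."""
    rows = [(a.hostname, asset_score(a), action_for(a)) for a in assets]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def build_inventory():
    """Constructed sample inventory (hostnames and findings are made up)."""
    bluekeep = MissingPatch("CVE-2019-0708", 9.8, wormable=True, exploit_public=True)
    other = MissingPatch("CVE-YYYY-NNNN", 7.5, wormable=False, exploit_public=False)  # placeholder id
    return [
        Asset("db01", "mission-critical", internet_exposed=False, eol=False, missing=[other]),
        Asset("rdp-gw01", "business", internet_exposed=True, eol=False, missing=[bluekeep]),
        Asset("lab-vm07", "lab", internet_exposed=False, eol=False, missing=[bluekeep]),
        Asset("hmi-legacy", "mission-critical", internet_exposed=False, eol=True, missing=[bluekeep]),
        Asset("ws12", "business", internet_exposed=False, eol=False),
    ]


if __name__ == "__main__":
    for host, score, action in plan(build_inventory()):
        print(f"{host:12} {score:6.1f}  {action}")
```

Two design points matter here. An EOL host with a wormable flaw scores just as high as a patchable one but gets a different action, because the policy must account for systems where no patch will ever arrive. And the tier weight is applied before the exposure multiplier so that an unexposed mission-critical database still outranks an exposed lab box carrying the same finding; a real programme would tune these weights against its own risk appetite.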

Yet effective, automated patch management is just the foundational layer of what needs to be a multi-faceted cybersecurity strategy. Combine it with application whitelisting to combat zero-day threats. Other best practice measures should follow, including end-user awareness and training programmes, endpoint protection, data encryption, continuous network monitoring and privileged access management.

The list is long and will ultimately depend on the kind of data you process and your organisation’s risk appetite. But in the new era of mega GDPR fines, it should always start with patching.
