There were 16,516 Common Vulnerabilities and Exposures (CVEs) [1] published in 2018. The time needed to analyze the relative importance of these to your organization would be something like 16,516 alerts times fifteen minutes to read and assess each one, which works out to about 500 days of work. If you decide that your organization is affected by twenty percent of these, that’s 3,304 vulnerabilities times an average of about an hour to patch each one — that will take about 400 days. And how many devices do you have that need this patch deployment? [2]
A common point of view among IT staff is that patches should always be applied to strengthen an organization’s defenses against hackers and malware, but most small- to medium-sized businesses can’t afford anything like that, so businesses often respond by throwing their proverbial hands in the air. And patching ends up getting short shrift.
But in post-breach assessments, missing patches and human error are the most common vulnerabilities that Bryley identifies. These are the easiest entry points for a criminal to gain administrative access to a business’s infrastructure.
In its recently published annual survey of more than 900 organizations, International Data Corporation reported that 82% have suffered a cybercriminal attack this past year, up 5% over the year before. And dealing with these attacks has cost on average over a million dollars per attack. Downtime due to the attacks doubled in a year. [3]
The Hunt for a Reasonable Approach for Dealing with Software Patches
61% of exploited vulnerabilities fall in just the two highest-risk categories (CVSS categories 9 and 10) [4], as Jay Jacobs and his team demonstrated in Cambridge this June at the Workshop on the Economics of Information Security (WEIS). They went on to show that only 5.5% of all known vulnerabilities are ever exploited. [5]
“Organizations should use CVSS base scores to assist in prioritizing the remediation of known security-related software flaws based on the relative severity of the flaws,” reads the recommended security protocol of the US governmental organization that publishes the National Vulnerability Database (NVD). [6] So a common response is for businesses to address only those vulnerabilities above a certain severity score. We have already seen, above, how time-consuming dealing with this number of threats is.
Last week the Cybersecurity and Infrastructure Security Agency (CISA) published 75 critical vulnerabilities. The NVD shows about 1,300 total vulnerabilities and exposures identified so far this month, or 420 per week — this is trending toward a 30% increase over 2018.
So security cannot mean addressing every vulnerability, even of a certain severity. Just because a vulnerability is discovered doesn’t mean it corresponds to your organization’s exposure to the threat. Going in with the mindset that even every critical vulnerability must be addressed is setting your security program up to fail. [7]
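The two filters this section argues for, a CVSS severity threshold and a check that the affected product is actually in your environment, can be combined into a simple triage step. The script below is an added example written for this page, not Bryley’s tooling or anything from the NVD; the CVE identifiers, product names and scores are constructed placeholders, and the time estimates (fifteen minutes to assess a CVE, an hour to patch one) are the planning figures the article itself uses.

```python
"""Risk-based patch triage: CVSS severity plus an asset-inventory check.

Added example for illustration only. Identifiers, products and scores
are constructed; the per-CVE time estimates are the article's own
planning assumptions, not measured values.
"""
from dataclasses import dataclass

ASSESS_MINUTES = 15      # article's estimate to read and assess one CVE
PATCH_MINUTES = 60       # article's average time to patch one vulnerability
WORKDAY_MINUTES = 8 * 60


@dataclass(frozen=True)
class Vuln:
    cve_id: str          # placeholder ids, deliberately not real CVE numbers
    product: str         # software the flaw applies to
    cvss_base: float     # CVSS v3 base score, 0.0 to 10.0


def severity(score: float) -> str:
    """Map a CVSS v3 base score to the NVD qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def triage(vulns, inventory, min_score):
    """Keep only the vulnerabilities worth acting on.

    A vulnerability survives triage when its base score meets the
    threshold AND the affected product is in the inventory: a published
    flaw in software you do not run is not an exposure for you.
    """
    return [v for v in vulns
            if v.cvss_base >= min_score and v.product in inventory]


def workload_days(n_published, n_to_patch):
    """Return (assessment days, patching days) using the article's estimates.

    Every published CVE still has to be read, so the assessment cost is
    driven by feed volume; only the triaged subset incurs patching time.
    """
    assess = n_published * ASSESS_MINUTES / WORKDAY_MINUTES
    patch = n_to_patch * PATCH_MINUTES / WORKDAY_MINUTES
    return assess, patch


# Constructed sample feed; the ids and product names are illustrative only.
SAMPLE_FEED = [
    Vuln("CVE-EXAMPLE-0001", "ExampleRouterOS", 9.8),
    Vuln("CVE-EXAMPLE-0002", "ExampleMailServer", 7.5),
    Vuln("CVE-EXAMPLE-0003", "ExamplePDFViewer", 9.1),
    Vuln("CVE-EXAMPLE-0004", "ExampleCADSuite", 10.0),  # critical, but not deployed
    Vuln("CVE-EXAMPLE-0005", "ExampleMailServer", 5.3),
    Vuln("CVE-EXAMPLE-0006", "ExampleRouterOS", 3.1),
]

# Constructed inventory: what this hypothetical organization actually runs.
SAMPLE_INVENTORY = {"ExampleRouterOS", "ExampleMailServer", "ExamplePDFViewer"}


if __name__ == "__main__":
    for threshold in (0.0, 7.0, 9.0):
        kept = triage(SAMPLE_FEED, SAMPLE_INVENTORY, threshold)
        ids = ", ".join(f"{v.cve_id} ({severity(v.cvss_base)})" for v in kept)
        print(f"threshold >= {threshold}: {len(kept)} to patch: {ids}")

    # Scale to the article's 2018 figures: 16,516 published, 20% affecting you.
    assess, patch = workload_days(16516, 3304)
    print(f"assessment ~{assess:.0f} days, patching ~{patch:.0f} days")
```

Running it shows the shape of the argument: the CAD suite flaw is a perfect 10.0 yet never reaches the patch list because nothing in the inventory runs it, while the threshold alone only shrinks the list when it is set high. The inventory check is the part most small organizations skip, and it is the part that turns “every critical CVE” into “the critical CVEs that are actually yours”.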
Up-To-Date Software Patching Helps Keep Your Network Safe
The security updates from Microsoft in May were unusual in patching unsupported operating systems like XP and Windows 2003. A “wormable” (per Microsoft) vulnerability exists in Windows XP, Windows 2003, Windows 7, Windows Server 2008 R2, and Windows Server 2008. On May 30 Microsoft posted to its website: “almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began. Despite having nearly 60 days to patch their systems, many customers had not. A significant number of these customers were infected by the ransomware.” [8]
EternalBlue is the NSA-created exploit behind WannaCry, Petya and NotPetya — each made famous in 2017. EternalBlue permitted these worms to spread through corporate networks without any user interaction, making these attacks especially insidious. The WannaCry ransomware outbreak was in May 2017. The patch for the EternalBlue vulnerability was released in March 2017. If the patch had been generally applied, the impact of WannaCry could have been minor.
This may be because IT managers can be hesitant to patch, rightly fearful that updating one part of a system may cause another part to break. Outbreaks like those built on EternalBlue underscore the importance of protecting systems, and patching is an important way to do that. Setting the software that you can to auto-update daily can help keep you safer. But many medical and industrial systems cannot apply updates automatically: in those settings, an unintended bug introduced by an update can be catastrophic. [9]
You Need a Security Audit and Patching Plan
Most small- to medium-sized businesses can’t afford an experienced and academically-qualified internal Chief Information Security Officer (CISO) to direct their security plan. And unfortunately, coupled with the headaches of auto-updates, patching again goes unaddressed.
Using a managed service provider like Bryley cuts the cost of security, because you won’t need to hire expensive internal experts. Bryley brings your organization the full complement of auditing, applications, appliances and staff. Bryley can run analysis and determine a fitting response, saving you from what David Cartwright of the Register identifies as, “setting up, managing and filtering of alerts, wading through a backlog of server logs, keeping up-to-date on latest vulnerability threats and fixes.” [10]
The Good News Is There’s Good News
While patching is now a necessary and growing part of network security, it does not look like it will always be the case. Cisco’s Elias Levy, who under the pseudonym Aleph One wrote the infamous 1996 guide to hacking, “Smashing the Stack for Fun and Profit,” recently said,
“Look at specific areas, like protections being developed … from an architecture point of view, things like the work that has been done in web browsers, the new languages [like Golang or Rust] that are … more immune, secure platforms like iOS, or some of the changes in … operating systems like Windows and Mac to make them … more locked down. In general, I am optimistic.
“[The hackers] have to jump through so many hoops to make [exploits] work … the low-hanging fruit has been cleared away … the people who write exploits now, I mean, they’re geniuses … the amount of work that goes into them is incredible.
“[Security] is going to keep getting more locked down [like Apple’s iOS], and there’s going to be more of a walled garden. In many ways that’s going to be good …” [11]
A walled garden, like the old AOL, iOS or Facebook, gives the proprietor organization control over anything introduced into that environment. This minimizes the outward-facing elements of any software run there, and so the number of access points available to attackers is minimized.
But in the meantime, Bryley has the resources to help manage your organization’s patching requirements to help secure your data. Bryley Systems has been a trusted technology adviser to our clients since 1987. If you would like more information about Bryley’s approach to patch management, please contact our team at 978-562-6077 or ITExperts@bryley.com
[1] Common means an industrially-governmentally agreed-upon standard. Vulnerabilities refers to the likelihood of a system being adversely affected. Exposures refers to the presence of systems that could be adversely affected. [Guibert Ulric Crevecoeur, https://www.researchgate.net/post/Does_exposure_defines_vulnerability_or_vulnerability_defines_exposure_according_to_the_new_IPCC_AR_5_Risk_based_approach]
[2] Gavin Reid, Cisco, https://blogs.cisco.com/security/primer-on-the-common-vulnerability-scoring-system-cvss
[3] https://www.efficientip.com/resources/idc-dns-threat-report-2019/ These attacks included phishing and malware (often delivered through spoofed email and browser pages), Denial-of-Service (overloading your servers) and tunneling (the transfer of malicious code along with legitimate DNS services).
[4] CVSS is the Common (i.e. industrially-governmentally agreed upon) Vulnerability Scoring System, a method for ranking cyberthreats.
[5] Jay Jacobs, Sasha Romanosky, Idris Adjerid and Wade Baker, “Improving Vulnerability Remediation Through Better Exploit Prediction,” presented at the Workshop on the Economics of Information Security (WEIS).