Network Security: The high costs of missed patches

All programs have bugs. Some of these bugs are no big deal, while others can be the cause of an expensive crash or data breach. Finding and fixing these bugs is a major part of cybersecurity, yet most organizations – let’s face it – could do much better at it. Deploying a web application firewall (WAF) is one simple step that can have a major impact on your network security.


The patching process

Most of cybersecurity boils down to network attackers and defenders racing to identify and either exploit or patch vulnerabilities in critical software. Vulnerabilities can be identified and disclosed through a variety of different means. Organizations may identify flaws in their software internally, be notified by a security researcher, or find out when their software was exploited as part of a hack. In the best case, the vulnerability is identified, ethically disclosed to the organization, and publicly disclosed after a fix or “patch” has been developed.

Once a patch is available, it is the responsibility of organizations making use of the vulnerable software to apply it. Many organizations have deployed web applications that use code developed outside of their organization. In these cases, the organization should monitor vulnerability disclosures for all software used within the organization and promptly update their software to use the secure version.
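The monitoring step above is easy to state and easy to let slip. As an added example (not code from the original article), this script matches a deployed-software inventory against an advisory feed and reports every component still running an affected version, together with how many days the patch has been available. The component names, version numbers and dates are constructed for illustration, not real advisories.

```python
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    component: str
    affected_min: str      # first affected version (inclusive)
    fixed_in: str          # first version that contains the patch
    severity: str
    patch_released: date   # the day the fix became available


# Constructed advisory feed: names, versions and dates are illustrative only.
ADVISORIES = [
    Advisory("example-web-framework", "2.0.0", "2.5.12", "critical", date(2024, 1, 10)),
    Advisory("example-xml-parser", "1.0.0", "1.4.3", "high", date(2024, 1, 25)),
]

# Constructed inventory of what is actually deployed.
INVENTORY = {
    "example-web-framework": "2.3.31",
    "example-xml-parser": "1.4.3",      # already on the fixed version
    "example-logger": "3.1.0",          # no advisory for this one
}


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when installed is in [affected_min, fixed_in)."""
    v = parse_version(installed)
    return parse_version(adv.affected_min) <= v < parse_version(adv.fixed_in)


def find_missing_patches(inventory: dict, advisories: list, today: date) -> list:
    """Return (component, installed, fixed_in, severity, days_patch_available) per unpatched hit."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is None or not is_affected(installed, adv):
            continue
        days_open = (today - adv.patch_released).days
        hits.append((adv.component, installed, adv.fixed_in, adv.severity, days_open))
    return hits


if __name__ == "__main__":
    for comp, inst, fixed, sev, days in find_missing_patches(INVENTORY, ADVISORIES, date.today()):
        print(f"[{sev}] {comp} {inst} is affected; upgrade to {fixed} (patch available {days} days)")
```

Run it from a scheduled job against the real inventory and advisory sources, and alert on any hit whose day count approaches the averages quoted in the next paragraph.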

In practice, this process of monitoring for, testing, and deploying patches is where organizations most commonly fall down on security. On average, it takes an organization 38 days to apply a patch, dropping to 34 days if it is a “critical” one. On average, it takes hackers hours or days to learn of a new vulnerability, develop an exploit for it, and begin using the exploit to attack vulnerable systems. This massive difference between the time to deploy a patch and the time to develop an exploit is the cause of many breaches, the most famous of which is the Equifax breach.


Inside the Equifax Breach

The Equifax breach was one of the biggest in US history, leaking the personal credit details of around 143 million US customers. Even worse, these customers never signed up to have their data stored by Equifax; the data is collected by the “Big Three” credit monitoring services from all credit and banking providers. Many affected by the breach likely had no idea that they could have been affected at the time of reporting.

The Equifax breach occurred in May and was caused by a failure to patch a vulnerability in Apache Struts. This was not the exploitation of a zero-day vulnerability. A patch for the vulnerability was released on March 6, two months before it was exploited in Equifax systems. Days after the patch was released, hackers were already attempting to exploit the vulnerability, demonstrating that the missing patch was a real danger. The patch was difficult to deploy; however, it would not have taken two months to build, test, and deploy a secure version of Apache Struts.

The Equifax breach demonstrates the scale of the issue of missed patches within the IT community. While the Equifax breach is a high-profile example of the risks of missing patches, it’s far from the only example. Without some solution, breaches like this will continue to happen. While Equifax avoided massive fines due to the fact that the breach happened just before the EU’s General Data Privacy Regulation (GDPR) came into effect, the impacts of future breaches to organizations will be significant.

Fixing the patch problem

The failure to patch known vulnerabilities in a timely fashion is not a new problem. The cybersecurity field has a major labor shortage, and many organizations don’t have the budget or the ability to hire enough skilled practitioners to adequately design, secure, and monitor their network infrastructure.

As organizations grow and are targeted by an increasing number of cyber attacks, the workload for their IT departments continues to increase and cyber defenders are forced to prioritize. When attacking a web application, hackers will often try thousands of possible attacks in hopes of finding the one that works, and network defenders need to verify that they all failed or find the one that didn’t. When it’s a choice between dealing with an attack going on now and looking for patches that need to be installed on the company’s systems, the immediate threat is going to win out.

A partial solution to this threat is prevention. Antivirus tools and Intrusion Detection Systems (IDS) are capable of identifying a wide variety of threats and are updated on a regular basis. In many cases, this may allow them to identify and block traffic attempting to exploit unpatched vulnerabilities. However, these signature-based systems are often insufficient for catching every attack, as some attackers wrap new attacks within old exploits, allowing them to take advantage of existing vulnerabilities while evading existing signatures. The WannaCry and NotPetya worms are examples of this: the known EternalBlue exploit was used as the infection vector for the ransomware.

Protecting against web application attacks requires a proactive approach to threat detection, and automation is an essential part of doing this at scale. Using a web application firewall (WAF) to protect an organization’s web applications ensures that all traffic to potentially vulnerable applications first passes through a firewall that scans for attempts at exploiting known vulnerabilities. WAFs can also perform “virtual patching”, where the WAF scans incoming traffic and filters out anything capable of exploiting a known vulnerability. This effectively closes a known vulnerability within hours, rather than the weeks that manual patch management takes.
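To make the virtual-patching idea concrete, here is an added example (not code from the original article or from any WAF product) of a minimal virtual-patch rule engine: each rule is tied to an advisory id, scoped to the vulnerable endpoint only, and matched against the decoded value of one parameter or header so that URL-encoded variants do not slip past. The endpoint, rule id and traversal pattern are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, unquote


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)


@dataclass
class VirtualPatch:
    rule_id: str         # ties the rule to the advisory it stands in for
    path_prefix: str     # only inspect the endpoint the advisory covers
    location: str        # "query" or "header"
    name: str            # parameter or header name to inspect
    pattern: re.Pattern  # what an exploit attempt looks like in that value


def _values(req: Request, patch: VirtualPatch) -> list:
    """Collect the candidate values for a rule. parse_qs already decodes query values once."""
    if patch.location == "query":
        return parse_qs(req.query, keep_blank_values=True).get(patch.name, [])
    if patch.location == "header":
        value = req.headers.get(patch.name)
        return [value] if value is not None else []
    return []


def inspect(req: Request, patches: list) -> tuple:
    """Return ("block", rule_id) on the first matching rule, else ("allow", None)."""
    for patch in patches:
        if not req.path.startswith(patch.path_prefix):
            continue
        for raw in _values(req, patch):
            # Decode once more: catches double-encoded query values and encoded headers.
            if patch.pattern.search(unquote(raw)):
                return ("block", patch.rule_id)
    return ("allow", None)


# Constructed rule: a hypothetical report-export endpoint whose "file" parameter is
# vulnerable to directory traversal until the real fix is deployed.
PATCHES = [
    VirtualPatch("VP-0001", "/reports/export", "query", "file",
                 re.compile(r"(^|/)\.\.(/|$)")),
]

if __name__ == "__main__":
    for q in ("file=q1-summary.pdf", "file=..%2F..%2Fapp.conf"):
        print(q, "->", inspect(Request("GET", "/reports/export", q), PATCHES))
```

Log every block with its rule id so the rule can be retired, and its hit count reviewed, once the real patch is in place.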

Closing the gap

Patching systems can be complicated, and a rushed patch can be worse than no patch at all if it opens up more vulnerabilities. However, patching vulnerabilities is a crucial part of protecting your network against hackers. With a WAF, you can ensure that your company is protected during that gap between vulnerability discovery and patch deployment.
