2017 has given us a lot to reflect on in the world of Cyber Security. What Cyber-attacks broke out last year? Were your company or any of your customers affected? How did you prevent the attacks and how can you prevent those attacks in the future? Or how can you better protect your organisation and your customers from new threats in 2018?
If you work in Cyber Security in any capacity, it is likely that you asked some of those questions in 2017, or heard your employees, a superior, a customer, a colleague, a friend or family asking them. The mounting cyber threats that spread worldwide in 2017 are likely to have made you reflect on your IT infrastructure and the IT infrastructure of your customers as the New Year begins.
Here’s a recap of the main cyber-threats / cyber-attacks which hit many companies across the globe hard in 2017:
WannaCry infected more than 230,000 computers in 150+ countries within hours, with variants Petya/NotPetya/Nyetya/Goldeneye and Bad Rabbit also affecting thousands of computers even after information on how to avoid them was widely available in the news. The Equifax data breach exposed personal information on more than 140 million people, including Social Security Numbers, dates of birth and addresses, and over 200,000 credit card numbers. The HBO hack and Game of Thrones leaks are just a few examples of this type of cyber-attack in 2017.
In recent years we have heard a lot about major threats called "Zero-Day Attacks", which are cyber-attacks against software flaws that are unknown and have no patch or fix available yet.
Despite the importance of protecting companies from Zero-Day attacks, what 2017 clearly exposed is that many companies take for granted something that is very important: "Patch Management", the process of keeping systems or software updated with the latest patches and software code.
Security flaws can be categorised into 2 types: Zero-Day, for which the vendor has not yet published a fix and which requires new technologies such as sandboxing for detection, and Patched, for which the vendor has published a fix or workaround. Protection against the latter depends only on the company's patch-management policy and procedures.
In 2017 the majority of the incidents were related somehow to patching (or the lack of it!). For example, WannaCry broke out on May 12th, but Microsoft had released the MS17-010 patch for the security flaw in March, almost 2 months before the attack.
Equifax Data Breach: On July 29th the company identified and blocked some suspicious network activity from a web portal used by U.S. consumers. Further analysis revealed the portal’s application framework, Apache Struts, was outdated and had a severe security vulnerability. The Apache Struts vulnerability (CVE-2017-5638) was published on March 8, 2017, and the vendor fix / workaround followed on March 19th, 4 months before the data breach was discovered.
I’ve been working in the IT industry for several years now, working on many customer sites worldwide, and no matter the size of the company or where in the world the company is located, all of them will deal with Patch Management with a pinch of salt. Why? "Do not change a winning team" is the common answer. Jokes aside, Patch Management involves knowledge of the device / environment, updated documentation, backup procedures, internal change processes, resources to deal with the internal processes and to apply the patches on the devices (most of them out of hours), a number of different vendors and devices to manage, and last but not least all the time and cost involved.
With today’s pressure from the business on IT departments to do more with less, to manage more devices with fewer people and to cut costs, Patch Management tends to be dealt with at the last minute: when threats such as WannaCry reach the news, when a data breach is discovered, or when an internal audit exposes gaps and areas for improvement within the company.
To sum up this article, the message left by 2017 to all companies and IT professionals is:
Having a Patch Management process in place is as important and requires as much consideration as protecting the company from a Zero-Day Attack.
The time spent applying patches is justified by the peace of mind you get when a new campaign targeting an already addressed vulnerability arises, and by keeping the company’s name out of the data breach headlines.
So be ready for 2018: my advice is to give Patch Management the attention it deserves!