Hurrah – It’s (patch) Tuesday!

The old adage ‘prevention is better than a cure’

by James Preston
May 10, 2021
in Insight

When you look at the root causes of a breach, the most prevalent cause is human error. But dig a little deeper and that human error is often a failure to patch known security vulnerabilities, many of which have gone unnoticed for not just a few days, but often months and years. This past year’s bout of VPN-related breaches is a great example, especially as patches were available over a year ago. Yet, if you conduct an audit and find several unpatched systems, the common cause is often a lack of accountability. Certain critical elements within an IT infrastructure simply sit outside of a direct line of responsibility, and as such get overlooked and neglected, leading to disastrous consequences.

Microsoft’s Patch Tuesday has become a bit of an IT tradition. It started in 2003, at a time when the software giant would bundle up and issue several patches to fix bugs and security vulnerabilities in its operating systems and applications: security and feature updates on the second Tuesday of each month, and sometimes further feature updates on the fourth.

Patching holes that on occasion date back as far as Windows XP is often the most pressing concern. The February 2021 edition of Patch Tuesday sought to address 56 security holes in Microsoft’s Windows operating systems and other software. However, even the hundreds of security vulnerabilities that Microsoft addresses each year are a small drop in the ocean compared to the 149,000+ entries in the Common Vulnerabilities and Exposures (CVE®) list maintained by Mitre. Each month between 500 and 800 new vulnerabilities are catalogued as part of the IT industry’s ongoing game of cat and mouse with cybercriminals.

Growing threat

Although traditional application software and operating system vulnerabilities are the most prevalent, firmware within hardware is not immune. There have been over 3000 vulnerabilities found in Cisco hardware since Mitre began tracking CVEs, and nearly all of them, at least at the time of writing, have been addressed via software upgrades or configuration changes. A few remain in equipment that has reached End-of-Support (EoS), but Cisco has generally rushed out fixes quickly. Take the recently published CVE-2021-1389, “…IPv6 Access Control List Bypass Vulnerability”, a vulnerability in the IPv6 traffic processing of certain Cisco devices that could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) configured for an interface of an affected device.

The vulnerability affects some models within Cisco’s UCS, Nexus, NCS, IOS and ASR series of products and is ranked as medium severity. The latest version of Cisco IOS XR fixes this issue, along with a configuration change.

However, here lies the rub. Stretched IT departments with hundreds of desktop and server applications underpinned by a large estate of networking equipment may put off upgrading switches to the latest versions. The upgrade may require a downtime window, and in some cases other tools may mitigate the risk, making the upgrade seem unnecessary. Unless an organisation has its own well-staffed Infosec team, there is a danger that, if the vulnerability is not well publicised and of high severity, patching of more complex or mission-critical systems is delayed or simply ignored.

Trials of Travelex

Without apportioning blame, the case of Travelex, a foreign currency exchange provider, offers a tragic real-world example. At the end of 2019, it was hit by a ransomware attack that took its systems offline for a week, along with a major hit to its reputation. Within 4 months, its parent company, Finablr, saw its share price drop by 60%, and by August the firm had fallen into administration with the loss of 1300 jobs, a fate compounded by the impacts of the COVID travel ban.

However, the breach stemmed from a vulnerability in its VPN systems, an issue for which a patch had been issued in April of 2019, a full 8 months before its systems were held to ransom. The compromised VPN vendor, Pulse Secure, had even contacted all its customers directly to highlight the importance of applying the patch. In the case of Travelex, it is clear that the patching process failed, but where the responsibility lies is hard to pin down. Travelex is a very public face of failure, but it is almost certainly not alone. So, what can CIOs or IT admins do about these issues?

Tools, processes, and services

There are a slew of patch management systems that can help, but these are not a ‘fire and forget’ solution. They rarely apply patches automatically; they are more akin to systems that alert you when your software and hardware inventory, compared against the continually growing list of vulnerabilities, shows issues. These systems can help, but the fundamental solution is more rooted in defining and executing good practice.

The first step is understanding what you have across your IT footprint, and that could range from your traditional estate of Windows PCs out to CCTV cameras and IoT devices. Catalogue what versions are running and, crucially, create a schedule for teams to go through this list and work out whether elements need to be updated. You need to list and record how such a process would be carried out and its impact on the organisation. This audit and risk assessment process will help organisations to prioritise where the biggest issues reside, and is useful justification for securing additional budget or staffing.

Dividing up personal responsibility around different domains such as network, desktop, server, storage, or any other delineators, is also a good idea, as is assigning individual people responsibility for delivering status reports across their respective areas. This might sound like making more work for an already stretched team, but the potential consequences of a ransomware attack or major breach that leads to GDPR fines are not just inconvenient, but potentially company- and career-ending.

First audit

If it has not been done for a while, the first company-wide IT audit may be a major task, but moving forward, the subsequent updates, often after any major upgrades, are generally less daunting. There are also several useful tools, many of them either low cost or even free, such as Tenable Nessus and OpenVAS, that can help with the audit and risk assessment process.

For the really resource-stretched, patch management delivered as a service is also a viable option. But ensure that any MSSP you contract can deliver the regular reporting that confirms systems have been patched to address any vulnerabilities, and is able to report where a patch has not taken place and why.
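The audit process described above (catalogue versions, compare them against known fixes, assign an accountable owner per domain, and report where a patch has not taken place and for how long) as an added example, not code from the article or from any vendor named in it; all products, advisory ids, versions, hosts and dates are constructed.

```python
# Added example (not from the article): match an asset inventory against vendor
# fixes, flag systems still on a vulnerable version, and group the findings by
# the accountable owner. All products, versions, ids and dates are constructed.
import re
from collections import defaultdict, namedtuple
from datetime import date
# advisory_id is a placeholder, not a real CVE; fixed_version is the first build
# that contains the fix; owner is the named person accountable for the asset.
Advisory = namedtuple("Advisory", "advisory_id product fixed_version published severity")
Asset = namedtuple("Asset", "hostname product version owner")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_version(v: str) -> tuple:
    """'8.3R10' -> (8, 3, 10): compare numerically, so R10 sorts after R2."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def overdue_findings(assets, advisories, today: date) -> list:
    """One finding per (asset, advisory) whose fix is not applied, ordered by
    severity and then by how long the fix has been available."""
    findings = []
    for a in assets:
        for adv in advisories:
            if adv.product != a.product:
                continue
            if parse_version(a.version) >= parse_version(adv.fixed_version):
                continue  # already on a fixed build
            findings.append({"host": a.hostname, "owner": a.owner,
                             "advisory": adv.advisory_id, "severity": adv.severity,
                             "days_exposed": (today - adv.published).days})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], -f["days_exposed"]))
    return findings

def status_report(findings) -> dict:
    """Owner -> report lines, the input for each owner's status report."""
    report = defaultdict(list)
    for f in findings:
        report[f["owner"]].append(f"{f['host']}: {f['advisory']} ({f['severity']}), "
                                  f"fix available for {f['days_exposed']} days")
    return dict(report)

AS_OF = date(2019, 12, 1)  # constructed audit date
ADVISORIES = [  # constructed advisories for hypothetical products
    Advisory("EX-2019-0001", "ExampleVPN", "8.3R2", date(2019, 4, 1), "critical"),
    Advisory("EX-2019-0002", "ExampleSwitchOS", "7.2.3", date(2019, 11, 15), "medium"),
]
ASSETS = [  # constructed inventory; 8.3R10 is patched though it sorts below 8.3R2 as a string
    Asset("vpn-gw-01", "ExampleVPN", "8.3R1", "A. Patel (network)"),
    Asset("vpn-gw-02", "ExampleVPN", "8.3R10", "A. Patel (network)"),
    Asset("core-sw-01", "ExampleSwitchOS", "7.2.1", "B. Okafor (network)"),
]
```

Running `status_report(overdue_findings(ASSETS, ADVISORIES, AS_OF))` gives each owner a list of their unpatched systems with the age of the available fix, which is the evidence a reporting process (or an MSSP contract) should be producing.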

The old adage ‘prevention is better than a cure’ is most apt, and patching systems is probably the most pertinent example when it comes to cybersecurity.

Contributed by James Preston, Security Architect, ANSecurity
