When you look at the root causes of a breach, the most prevalent cause is human error. But dig a little deeper and that human error is often a failure to patch known security vulnerabilities, many of which have gone unnoticed not just for a few days but often for months or years. This past year's bout of VPN-related breaches is a good example, especially as patches had been available for over a year. Yet if you conduct an audit and find several unpatched systems, the common cause is often a lack of accountability. Certain critical elements within an IT infrastructure simply sit outside a direct line of responsibility, and as such get overlooked and neglected, with disastrous consequences.
Microsoft's Patch Tuesday has become something of an IT tradition. It started in 2003: the software giant bundles up and issues security and feature updates on the second Tuesday of each month, sometimes with further feature updates on the fourth Tuesday, to fix bugs and security vulnerabilities in its operating systems and applications.
Patching holes that on occasion date back as far as Windows XP is often the most pressing concern, and the February 2021 edition of Patch Tuesday addressed 56 security holes in Windows and other Microsoft software. However, even the hundreds of security vulnerabilities that Microsoft addresses each year are a small drop in the ocean compared to the 149,000+ entries in the Common Vulnerabilities and Exposures (CVE®) list maintained by MITRE. Each month between 500 and 800 new vulnerabilities are catalogued as part of the IT industry's ongoing game of cat and mouse with cybercriminals.
Although traditional application software and operating system vulnerabilities are the most prevalent, firmware within hardware is not immune. Over 3000 vulnerabilities have been found in Cisco hardware since MITRE began tracking CVEs, and nearly all of them, at least at the time of writing, have been addressed via software upgrades or configuration changes. A few remain in equipment that has reached End-of-Support (EoS), but Cisco has generally rushed out fixes quickly. Take the recently published CVE-2021-1389, “…IPv6 Access Control List Bypass Vulnerability”: a vulnerability in the IPv6 traffic processing of certain Cisco devices that could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) configured for an interface of an affected device.
The vulnerability affects some models within Cisco's UCS, Nexus, NCS, IOS and ASR product series and is ranked as medium severity. The latest version of Cisco IOS XR fixes the issue, in combination with a configuration change.
Herein lies the rub. Stretched IT departments with hundreds of desktop and server applications underpinned by a large estate of networking equipment may put off upgrading switches to the latest versions. The upgrade may require a downtime window, and in some cases other tools may mitigate the risk, making the upgrade seem unnecessary. Unless an organisation has its own well-staffed infosec team, there is a danger that, unless the vulnerability is well publicised and of high severity, patching of more complex or mission-critical systems is delayed or simply ignored.
Trials of Travelex
Without apportioning blame, Travelex, a foreign currency exchange provider, offers a tragic real-world example. At the end of 2019 it was hit by a ransomware attack that took its systems offline for a week, along with a major hit to its reputation. Within 4 months its parent company, Finablr, saw its share price drop by 60%, and by August the firm had fallen into administration with the loss of 1300 jobs, a fate compounded by the impact of the COVID travel ban.
However, the breach stemmed from a vulnerability in its VPN systems, an issue for which a patch had been issued in April 2019, a full 8 months before its systems were held to ransom. The vendor of the compromised VPN, Pulse Secure, had even contacted all its customers directly to highlight the importance of applying the patch. In the case of Travelex it is clear that the patching process failed, but where the responsibility lies is hard to pin down. Travelex is a very public face of failure, but it is almost certainly not alone. So what can CIOs or IT admins do about these issues?
Tools, processes, and services
There is a slew of patch management systems that can help, but they are not a 'fire and forget' solution: they rarely apply patches automatically and are more akin to systems that alert you when your software and hardware inventory shows issues when compared against the continually growing list of vulnerabilities. These systems help, but the fundamental solution is rooted in defining and executing good practice.
The first step is understanding what you have across your IT footprint, which could range from your traditional estate of Windows PCs out to CCTV cameras and IoT devices. Catalogue what versions are running and, crucially, create a schedule for teams to go through this list and work out whether elements need to be updated. Record how each update would be carried out and its impact on the organisation. This audit and risk assessment process will help organisations prioritise where the biggest issues reside, and is useful justification for securing additional budget or staffing.
Dividing up personal responsibility around different domains such as network, desktop, server, storage, or any other delineators, is also a good idea, as is assigning named individuals responsibility for delivering status reports across their respective areas. This might sound like more work for an already stretched team, but the potential consequences of a ransomware attack or a major breach that leads to GDPR fines are not just inconvenient but potentially company- and career-ending.
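The audit, scheduling and ownership steps above can be tracked in something as small as the following script, an added example written for this article rather than a tool from the author or ANSecurity. It assumes a hypothetical asset register and advisory list (the assets, CVE ids, dates and SLA deadlines below are constructed placeholders) and flags every exposed asset whose fix has been available longer than its severity allows, grouped by the person accountable for reporting on it.

```python
from dataclasses import dataclass
from datetime import date
@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: tuple   # tuple so versions compare numerically, e.g. (8, 3, 0) < (8, 3, 1)
    owner: str       # person accountable for this asset's domain (network, server, ...)
@dataclass(frozen=True)
class Advisory:
    cve: str         # placeholder ids below; real ones come from the vendor or the CVE list
    product: str
    fixed_in: tuple  # first version that carries the fix
    severity: str
    published: date  # date the fix became available
# Assumed patch deadlines (days after a fix is published); tune to your own risk appetite.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
REPORT_DATE = date(2021, 2, 15)  # constructed "today" for the sample run
ASSETS = [  # constructed sample data, not real assets or advisories
    Asset("vpn-gw-01", "vpn-gateway", (8, 3, 0), "alice"),
    Asset("core-sw-02", "core-switch", (7, 1, 2), "alice"),
    Asset("file-srv-01", "file-server", (2, 4, 0), "bob"),
]
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "vpn-gateway", (8, 3, 1), "critical", date(2019, 4, 24)),
    Advisory("CVE-EXAMPLE-0002", "core-switch", (7, 1, 3), "medium", date(2020, 9, 30)),
    Advisory("CVE-EXAMPLE-0003", "file-server", (2, 4, 0), "high", date(2020, 12, 1)),
]
def is_exposed(asset, adv):
    """Exposed if the asset runs the affected product at a version below the fix."""
    return asset.product == adv.product and asset.version < adv.fixed_in

def overdue_findings(assets, advisories, today):
    """(asset, advisory, days past SLA) for every exposed pairing past its SLA, worst first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_exposed(asset, adv):
                days_past = (today - adv.published).days - SLA_DAYS[adv.severity]
                if days_past > 0:
                    findings.append((asset, adv, days_past))
    return sorted(findings, key=lambda f: -f[2])

def status_report(findings):
    """Group overdue items by accountable owner so each domain lead gets their own list."""
    report = {}
    for asset, adv, days_past in findings:
        line = f"{asset.name}: {adv.cve} ({adv.severity}) is {days_past} days past SLA"
        report.setdefault(asset.owner, []).append(line)
    return report
```

On the sample data the VPN gateway, whose fix has been out for well over a year, sorts to the top of the owner's list, while the file server is not reported because it already runs the fixed version.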
If this has not been done for a while, the first company-wide IT audit may be a major task, but moving forward the subsequent updates, often after any major upgrade, are generally less daunting. There are also several useful tools, many of them low cost or even free, such as Tenable Nessus and OpenVAS, that can help with the audit and risk assessment process.
For the really resource-stretched, patch management delivered as a service is also a viable option. But ensure that any MSSP you contract can deliver regular reporting that confirms systems have been patched to address vulnerabilities, and can report where a patch has not been applied and why.
The old adage that prevention is better than cure is most apt, and patching systems is probably the most pertinent example when it comes to cybersecurity.
Contributed by James Preston, Security Architect, ANSecurity