Workload and Application Security Blog

Prediction Series #3: Many companies aren’t “Minding the Gap” of their missing patches

Written by Virsec Systems | Feb 25, 2019 6:16:09 AM

Nobody really keeps up with patching, and the sheer volume of new vulnerabilities makes the risk from delayed patching worse

Are companies who don’t patch responsible for their own data breaches?

In today’s reality of a new hack every week, if not every day, it’s easy to want to find someone to blame. An easy place to point a finger is at companies that haven’t applied the latest patch, the one that surely would have prevented the theft of millions, if not billions, of user records.

It is sometimes true that companies fail to apply patches out of negligence or a lack of due diligence, and a missing patch does leave a security gap. A congressional investigation held Equifax responsible for the breach that exposed the records of nearly 150 million people, citing failures in its security program: Equifax did not apply a critical patch for a known Apache Struts vulnerability, and it allowed over 300 security certificates to expire, including one on a device that inspected outbound network traffic, so the exfiltration went unnoticed for months. Applying the patch would have closed the entry point; a valid certificate on the inspection device would have let the intrusion be detected far sooner. So yes, companies are responsible for implementing sound security policies.
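The certificate lapse is the easier of the two failures to catch early, because an expiry date is known the day a certificate is issued. The following is an added example, not code from the original post or from Virsec: it lists certificates in a Windows host's local machine store that have already expired or expire within a chosen window. It assumes Windows PowerShell with read access to the Cert:\LocalMachine provider; the 30-day threshold is an assumed value. Note that the device in the Equifax report was a network appliance rather than a Windows server, so the same inventory has to be extended to appliances, load balancers and inspection devices, where an expired certificate silently stops a control from working.

```powershell
# Added example (not from the original post): flag expired and soon-to-expire
# certificates in the local machine store so a lapse is noticed before it
# blinds a monitoring or inspection device.
$warnDays = 30            # assumed threshold; set to your renewal lead time
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    # Stores themselves are containers; keep only certificate objects.
    Where-Object { -not $_.PSIsContainer -and $_.NotAfter -le $now.AddDays($warnDays) } |
    Select-Object @{ n = 'Store';    e = { $_.PSParentPath -replace '.*::', '' } },
                  Subject, Thumbprint, NotAfter,
                  @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - $now).TotalDays } },
                  @{ n = 'Status';   e = { if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'expiring' } } } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine stores are readable, and schedule it (or the equivalent check against your certificate inventory) so that a negative DaysLeft value raises an alert rather than waiting to be found in a post-incident review.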

But it’s complicated

Applying patches is arguably the right, best-practice approach, and for some companies a strict patching policy goes a long way toward avoiding disaster. For others it is much more complex: there can be a set of reasons that make it understandable why a company makes the intentional decision to defer an available security patch.

For organizations running older equipment, especially in industries where downtime is untenable, such as transportation or healthcare, a labor-intensive and disruptive patch cycle is not a welcome or even a possible choice, particularly given how frequently and repeatedly patches are released.

And patching is by nature reactive, a response to vulnerabilities that have already been known for weeks, months or even years. Often the vulnerability comes to light only because of a successful attack.

For instance, WannaCry exploited a vulnerability in Windows SMBv1 (fixed by Microsoft’s MS17-010 update) that was present in the millions of Windows XP systems still in service as well as in supported releases. These “retired” systems still run mission-critical applications every day, but their legacy status made patching a difficult process, potentially expensive and disruptive to operations. So some companies weighing the decision opt to take their chances on avoiding a breach rather than face the problems involved in patching those systems.
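Deferring the patch does not have to mean accepting the full exposure: the SMBv1 server can be disabled, and TCP/445 can be blocked at network boundaries, on hosts that cannot take the update. The following is an added example, not code from the original post or from Virsec, that inventories a single Windows host for the two facts that matter here: whether SMBv1 is enabled, and whether one of the original MS17-010 packages is installed. It assumes PowerShell 3.0 or later on Windows 7 / Server 2008 R2 or newer (Windows XP has no usable PowerShell and must be checked another way), and the KB list is a partial, assumed set of the standalone March 2017 packages; later cumulative rollups supersede them, so a miss is a prompt to verify, not proof the host is unpatched.

```powershell
# Added example (not from the original post): report a host's exposure to the
# SMBv1 flaw WannaCry exploited and, optionally, apply the compensating control.
$Remediate = $false   # set to $true to disable the SMBv1 server on this host

# 1. SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 /
#    Server 2012 and later; older systems expose the same state through the
#    SMB1 registry value, where an absent value means "enabled" (the default).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $smb1Value   = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1Value) -or ($smb1Value -ne 0)
}

# 2. Original MS17-010 packages (assumed partial list: Win7/2008R2 security-only,
#    Win7/2008R2 monthly rollup, and the out-of-band package for XP/Vista/2003/2008/8).
$ms17010Kbs = 'KB4012212', 'KB4012215', 'KB4012598'
$installed  = Get-HotFix -ErrorAction SilentlyContinue |
              Where-Object { $ms17010Kbs -contains $_.HotFixID }

# 3. One-line verdict per host, suitable for collecting across a fleet.
$action = if ($smb1Enabled -and -not $installed) { 'patch, or disable SMBv1 now' }
          elseif ($smb1Enabled)                  { 'patched; still disable SMBv1' }
          else                                   { 'SMBv1 off; verify rollup level' }

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    SMB1Enabled    = $smb1Enabled
    MS17010Package = if ($installed) { $installed.HotFixID -join ',' } else { 'none found (verify rollups)' }
    Action         = $action
}

# 4. Compensating control for hosts that cannot take the patch. Disabling the
#    SMBv1 server closes the WannaCry entry point; clients that still need SMBv1
#    to reach this host will break, so test before rolling out.
if ($Remediate -and $smb1Enabled) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Warning 'SMB1 registry value set to 0; the LanmanServer service must restart to take effect.'
    }
}
```

The point of the verdict column is that the decision the post describes, patch now versus accept the risk, can be made per host with data rather than by default: a system that cannot be patched but has SMBv1 disabled and port 445 filtered is in a very different position from one that has neither.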

This is a calculated risk, and for some an ill-fated decision in hindsight if they end up being hacked. The problem is ongoing and will only grow as attackers continue to exploit these vulnerabilities and loopholes to wreak havoc.

~~~

Further resources:

Behind the Equifax Breach: Apache Struts Vulnerabilities, Laxed Patching and Zero Day Exploits

Patching the Iron Tail Is Easier Said than Done