Why Don’t Organizations Patch?
By Guest blogger Max Metzger
The consecutive WannaCry and NotPetya attacks illuminated the fact that some of the world’s largest companies have not learned basic cybersecurity best practices and repeatedly failed to patch a vulnerability that had been fixed for months. These basic lessons seem to be lost on many.
- Large organizations are notoriously bad at patching and to be fair, when is the right time to bring down their massive infrastructures for a routine patch?
- People are often overly concerned with protecting their outward facing (periphery) systems. As NotPetya proved, when the attack vector relies on you letting the payload past the periphery, this quickly becomes a useless strategy.
- Could this be a communications problem? The InfoSec world tires itself extolling the supposed virtues of cyber-cleanliness yet the mainstream seems largely oblivious to them
Why are these preventable vulnerabilities so significant?
CVE-2017-5638 was first disclosed in March 2017. As a vulnerability in Apache Struts, a widely used piece of open source software, a patch was released along with its disclosure. This apparently did very little to stop the Equifax breach in July which resulted in the theft of data from a potential 145.5 million people.
Equifax, who apparently hadn't patched that vulnerability quickly enough, is not unique and this is neither the first nor last time we’ll hear a story like this.
Many of the major vulnerabilities over the past few years are so significant because people have been vulnerable to them for years. Not because they need to be.
The distinction is fine but critical.
The effectiveness of cyber attacks is not because of their technical sophistication, but more often from the simple failure to take notice of them. Adversaries, it should be remembered, are as lazy as they can get away with, and a recent survey from Fortinet showed that 90 percent of companies get attacked with vulnerabilities that are already three years old.
This fact was thrown into razor sharp relief by two globe-spanning ransomware attacks that shut down government agencies, multinational business giants, and frontline public services.
First came the WannaCry ransomware attacks in May 2017, shutting down large parts of the UK’s National Health Service and taking aim at FedEx, the Saudi Telecom company and the Chinese public security bureau. What largely drove the astounding success of the attack was not the ransomware itself, but the vulnerability it used.
EternalBlue exploited a hole in Microsoft’s widely used SMB protocol. Microsoft had released a patch in March 2017 and many had not taken advantage of it.
The attack echoed the stern and persistent reminder to do something as simple as a patch. By now, many thought, the lesson must have been learned.
Apparently not. It was around a month later that a ransomware attack, this time dubbed NotPetya, exploited the very same vulnerability and once again wreaked havoc on networks across the world and cost its victims hundreds of millions of dollars.
As loud as those warnings might sound from inside the InfoSec community, the outside world seems to have not quite heard them.
What’s so hard about patching?
Maybe we should cut the outside world a bit more slack. Especially when we talk about large, sprawling multinationals and public utilities like the UK’s National Health Service, which ranks close to the Chinese People’s Liberation Army on the list of the world’s largest employers. Patches are often large, and patching large numbers of systems can interrupt operations and cost revenue.
There are still plenty of large organizations that even use outdated systems, which manufacturers no longer support. Windows 7, for example, is currently the operating system of nearly half of all desktops, even after the release of several subsequent versions of Windows.
The NHS came under heavy fire after the WannaCry attacks for its attachment to Windows XP, a long-outdated operating system, no longer supported by Microsoft. Though we might think of patching as a necessary part of routine cyber-hygiene, when is the right time to halt public health services and bring down a massive network infrastructure to patch?
Moreover, people may be living up to the letter and not the spirit of patching. People often focus on patching outward facing systems, leaving internal systems by the wayside. The example of NotPetya, which in many cases relied on its victims unknowingly letting the attack past their external network defenses, highlights this particular problem.
The periphery too is not what it once was and for information security professionals, hard to pinpoint with the clarity that they might once have been able to. Systems that are entangled between patched and unpatched components on the interior and exterior of a network shoot down much well-meaning cyber-hygiene. Organizations often work with systems that are not under their direct control; manufacturers might be late in releasing updates, or proprietary software may prevent its customers from securing it properly.
Often, organizations don't even know what they need to patch. It is apparently rare for a company to be able to come up with a true list of all the open source components that the software they use is made up of. The average piece of software is supposedly made up of at least half of such components. Cataloging, tracking and patching those components adds another layer of complexity to ‘just patching.’
The big secret of cyber criminality is that the perps don't like doing more work than they need to do. Unfortunately, the big secret of the enterprise is often how they make their adversaries’ jobs easier.
Editors Note: This is a guest blog and the author is responsible for all the opinions expressed and presented facts and data. If you are interested in submitting a guest blog, please email your topic and abstract to us at community [at] infoblox [dot] com.