Remember when WannaCry first hit the headlines in 2017? The crypto ransomware attack capitalised on a Microsoft Windows vulnerability, spreading through networks, and holding files ransom with a Bitcoin demand.
Despite Microsoft releasing a patch almost two months prior, many businesses failed to update their operating systems and were left exposed to the attack.
WannaCry caused significant damage, with estimates placing the number of affected systems at more than 200,000 computers across 150 countries. Economically, total damages assessments range from hundreds of millions to billions of dollars, with high profile victims including the NHS, Spain’s Telefonica, FedEx, Boeing, and Renault.
Last year ESET confirmed that years on from the original high-profile attack, WannaCryptor still dominates ransomware rankings, accounting for 40.5% of detections.
What’s more, according to Shodan, as of April 2020 there were still close to one million machines unpatched for the vulnerability.
Why is patching so hard?
Regular patching of software and applications is a fundamental element of good cyber security practice, yet the above makes clear that many businesses aren’t keeping up with fixes for even the most well-known (and well exploited) vulnerabilities.
Hilary Walton, CISO at Kordia Group, says patching is very much a business as usual activity going on behind the scenes.
“It goes largely unnoticed in most organisations and therefore, executives find it difficult to appreciate the work required to stay on top of it. That makes it challenging to understand the value patching provides,” she says.
Patching isn’t always straightforward, meaning developers and security professionals often find the cadence of regular patching disruptive. For complex systems or web apps, detected issues can require re-engineering prior to an upgrade. This can have a flow-on effect to other systems and apps dependent on or integrated with the patched application.
Sam Pickles, CTO of RedShield, notes that these inter-dependencies typically hold people back from patching.
“Upgrading one component of a system breaks others. Even though the action might be necessary, it can be resource intensive, time consuming and disruptive to other priorities,” he says.
In other cases, the sheer volume of fixes required, and the time and resources needed to complete them, make keeping up simply not feasible.
“In July 2020, we saw at least half a dozen crucial enterprise systems known to have critical, remotely-exploitable vulnerabilities. Oracle disclosed 284 flaws while highly exploitable vulnerabilities in SAP NetWeaver and Microsoft Windows DNS created a major headache for enterprise developer and security teams,” Pickles points out.
Failing to act
The sheer volume of fixes makes it obvious why some businesses are overwhelmed.
But, as indicated by ESET and Shodan’s analysis, failure to act, or failure to act fast enough, is precisely what happens in businesses across New Zealand and the world.
The result of such shortcomings is seen practically daily, with companies crippled by embarrassing compromises of critical systems.
“It is embarrassing, particularly when known and patched flaws cause the interruption,” says Walton.
“Reputational damage combines with actual financial loss. Investors, customers and business partners don’t like seeing partner organisations compromised by preventable cyberattacks.”
Then there’s the increasingly strong arm of the law around cyber security and data protection. In addition to the familiar provisions of the European General Data Protection Regulation and Australia’s Notifiable Breaches Act, New Zealand has recently beefed up its Privacy Act.
“While the fines organisations can be hit with under the Privacy Act aren’t substantially damaging, those doing business in Australia or Europe can face penalties in the realm of hundreds of millions,” Walton explains.
Take control back
Failing to act might mean getting away without patching, but the question is always ‘for how long?’ Sooner or later poor patching regimes will show and result in destruction of reputation and stakeholder value.
Properly patching systems is more than an insurance policy. Postponing, delaying, or ignoring patching has consequences. Just as rotting house pilings or rusting support beams don’t get better by themselves, failure to act has only one long-term outcome.
However, this isn’t news to the technical staff, says Pickles.
“IT people know, understand and appreciate the challenge. They work with it every day. The issue is that the investment required is harder to justify because the value is hidden.”
In fact, the value is all but completely invisible if patching is efficient. If it’s done right, you don’t notice anything, because you’re not getting compromised by known vulnerabilities, he notes.
That’s what makes Board-level justification for rigorous, comprehensive patching difficult.
Walton says Boards have to appreciate that security is invaluable and that it should be well resourced.
“It starts with giving application development teams time and resources to incorporate security at the start, and then maintain it without fail, even if it doesn’t add features or deliver additional revenue streams. Where there is a question of release date over security, security must win every time.”
Recognising that for some businesses there will be times when swift patching just isn’t feasible, Walton points to products like RedShield as a good mitigation.
“RedShield provides a shield for your web applications against known vulnerabilities, which is helpful if you need to buy some time to get your systems up to date.”
On patching, she says an essential monthly metric for executives should be the percentage of systems unpatched.
“That percentage must be really small. Keep a close eye on trends; when it’s out of range, remove any barriers or impediments to good patching, because failure to do so can be disastrous,” Walton concludes.
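The monthly metric Walton describes can be produced directly from a patch inventory. The following is an added example, not code from the article or from any vendor mentioned in it; the host names, the `KB-EXAMPLE-*` patch identifiers and their release dates are constructed placeholders. Besides the percentage of unpatched systems it also reports how long the oldest missing patch has been available, since the WannaCry story above turns on a fix that had been out for two months.

```python
from datetime import date

# Constructed sample data: required patches with release dates, and a host inventory.
# The KB-EXAMPLE-* identifiers are placeholders, not real patch numbers.
REQUIRED_PATCHES = {
    "KB-EXAMPLE-0001": date(2020, 3, 10),
    "KB-EXAMPLE-0002": date(2020, 5, 12),
}

INVENTORY = [
    {"host": "web-01", "installed": {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}},
    {"host": "web-02", "installed": {"KB-EXAMPLE-0001"}},
    {"host": "db-01",  "installed": set()},
    {"host": "app-01", "installed": {"KB-EXAMPLE-0001", "KB-EXAMPLE-0002"}},
]


def missing_patches(host, required=REQUIRED_PATCHES):
    """Required patches that this host does not have installed, sorted for stable output."""
    return sorted(set(required) - host["installed"])


def unpatched_percentage(inventory, required=REQUIRED_PATCHES):
    """Percentage of hosts missing at least one required patch: the executive metric."""
    if not inventory:
        return 0.0
    unpatched = sum(1 for h in inventory if missing_patches(h, required))
    return round(100.0 * unpatched / len(inventory), 1)


def oldest_exposure_days(inventory, as_of, required=REQUIRED_PATCHES):
    """Days since release of the oldest patch still missing on any host.

    This is how long the known-vulnerability window has been open; 0 when fully patched.
    """
    ages = [(as_of - required[p]).days
            for h in inventory for p in missing_patches(h, required)]
    return max(ages, default=0)


def out_of_range(monthly_pct, threshold=5.0):
    """Months whose unpatched percentage exceeds the agreed threshold, and whether the
    latest month is worse than the one before (the trend Walton says to watch)."""
    breaches = [month for month, pct in monthly_pct if pct > threshold]
    worsening = len(monthly_pct) >= 2 and monthly_pct[-1][1] > monthly_pct[-2][1]
    return breaches, worsening
```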