“Update ready to be installed.”
IT teams and business stakeholders are probably familiar with this notification, or something like it. After all, software updates are nothing new: Whenever a vendor makes improvements or includes new capabilities on a previously-released platform, it comes with a software update.
But boosting existing features aren’t the only reason that patching is important.
Vulnerabilities and the consequences of late patching
As Trend Micro noted in its “Unseen Threats, Imminent Losses” report, there were two major vulnerabilities found at the beginning of 2018 within popular microprocessing solutions – and these were far from the only weaknesses discovered.
“Trend Micro published more than 600 vulnerability advisories in just the first half of 2018.”
Trend Micro alone published more than 600 vulnerability advisories in just the first half of 2018. While software is typically thought of as the focus for these advisories, as with the case of the microprocessing issues, hardware vulnerabilities requiring firmware patches became more prevalent this year as well.
“Hardware vulnerabilities present a complicated problem for IT admins,” Trend Micro’s report stated. “Along with these hardware problems, IT admins also had to deal with vulnerabilities disclosed by major software vendors. Major vendors release regular patches as disclosed vulnerabilities are found and fixed, but enterprises still have difficulty securing their networks.”
Exploiting known weaknesses is a top strategy leveraged by hackers. Therefore, organizations must be sure to apply and deploy patches as quickly as possible after they are released by hardware and software vendors. This significantly reduces the chances that these known weaknesses or issues could be used against the business within an infiltration or cybersecurity attack.
Firmware patches: Unique complications
As Trend Micro pointed out, while software patches certainly come with their own challenges – including the sheer volume of updates released on a regular basis – patches that impact hardware elements can present considerable complications for an enterprise’s IT team.
“Applying firmware patches across all affected devices is much more difficult,” the report stated. “In addition, some of the patches affect the system performance of older devices, compounding the impact on the business.”
While this was in relation to the microprocessing hardware vulnerabilities and associated firmware patching specifically, hardware updates of this kind can make it difficult for businesses to ensure that all weaknesses and issues within their infrastructure elements are continually addressed.
“The pressure to keep networks operational make patching a perennial problem for administrators,” the report noted.
In particular, the cybersecurity landscape saw considerable advisories tied to SCADA (supervisory control and data acquisition) platforms, used by organizations across a number of major industry sectors.
Overall, there was a 30 percent increase in SCADA vulnerabilities seen during the first six months of 2018, compared to Q3 and Q4 of 2017. Many of these involved issues or weaknesses in human-machine interface SCADA software, which can provide key details for hackers.
As Trend Micro researchers pointed out, attacking a SCADA system may just be step one within the breach processes for malicious actors, as this information could be a springboard, providing reconnaissance information about the business and its processes to better inform future attacks.
While the number of SCADA vulnerabilities increased overall, research shows that vendors are much more responsive when creating patches for these identified weaknesses. This year, Trend Micro researchers observed a 77 percent decrease in zero-day SCADA vulnerabilities, compared with the second half of 2017. This does not, however, mean that enterprise SCADA software users can be lax when it comes to the security of their platforms.
“While this is a welcome improvement, the sheer number of discovered vulnerabilities highlights why enterprises in critical infrastructure sectors should stay on top of SCADA software systems and invest in multilayered security solutions,” the report noted.
Unpatched systems leave the door open for malicious actors to exploit known vulnerabilities.
Lessons learned from WannaCry and Petya
SCADA and other vulnerabilities may pale in comparison with the types of widespread vulnerabilities that IT teams have likely seen in 2018 and particularly last year. WannaCry, especially, affected hundreds of thousands of systems across the globe, demanding that victims pay ransom in untraceable cryptocurrency for decryption of critical files and data.
As intelligence researchers relayed, this resulted in billion-dollar costs in “stalled operations and lost revenue” for organizations that fell victim to WannaCry.
After WannaCry, Petya emerged, with the similarity between these two being the fact that they leveraged the same, previously patched vulnerability: MS17-010, dubbed “EternalBlue.” Due to the widespread impact and associated losses, these cases, in particular, shined a key spotlight on the issue of regular patches and patch management.
“Despite the availability of a patch that could have prevented an infection, many companies and users still had vulnerable systems,” Trend Micro indicated in its research. “This situation only begs the question: can we fix the lag between patch release and application?”
How to overcome patch management struggles
One 2015 study found that some organizations don’t put updates in place until as many as 100 days after patches are released. Thankfully, this attitude has changed a bit in the wake of vulnerabilities like WannaCry and Petya.
Here are four key best practices to consider implementing within enterprise patch management processes: