July 30, 2019
How does a free software patch end up costing $700 million?
When you don’t install it.
The largest data breach in history is a hard lesson on the importance of having a patch management policy in place.
A Hard Lesson in Weak Patching Practices
In September 2017, Equifax disclosed that it had suffered a data breach that exposed the personal information of 150 million people. Credit card information, social security numbers and other unique information were stolen. According to a recent CNN article, Equifax will pay between $300 — $400M to compensate affected people with credit monitoring services, and another $275M in civil fines.
Perhaps what made the public the most incredulous was knowing the breach could have been prevented. The source of weakness in the network was a critical web application patch that had been disclosed by Apache two months earlier. Equifax acknowledged they were aware of the patch but had not installed it.
Lax Patch Management Policy Creates Enormous Risk
While Equifax is the largest known breach to date, there is not one industry that is not vulnerable to cyber-attacks. The target may not be personal information. Cybercriminals pose threats to power grids, government data, high-tech designs, devices in hospitals, and controls that could stop transportation in its tracks. Some other infamous attacks include:
• The 2003 SQL Slammer worm (has it been that long?) hit every unpatched SQL server on the Internet; 75,000 SQL instances in 10 minutes. The Microsoft Patch was available for six months.
• The 2017 WannaCry ransomware attack took 45 NHS hospital groups across the country offline despite two months of warning by the NHS and a patch from Microsoft.
• The 2018 University of Washington Medical Center (UW Medicine) had 973,024 records breached after a web server vulnerability was not addressed. The files contained patients’ personal health information (PHI).
No industry is immune from being exploited. The greatest risk lies where there are poor patch monitoring and deployment practices. Patching is strictly enforced in the Energy & Utilities industry, but should be a principal IT initiative in every industry given the amount of personal information and proprietary data at stake.
Patch Management Requires the Right Technology
Patch releases (software and firmware) can come from multiple sources including the manufacturer, patch discovery sources, and manual web searches for legacy assets. The problem is not that IT doesn’t know how to find a patch. The enterprise problem (and opportunity) is putting together a patch management policy that utilizes a centralized tracking system for all networked assets. As a result, the appropriate personnel will be accountable for patching with a specified time frame. In addition, critical patches can be escalated the moment a patch notice arrives.
Good cyber vigilance is an investment. IT and OT can no longer exist in silos as networks and business systems converge. The best return comes from utilizing multiple sources for patch information and guiding that information through a centralized process for remediation with indisputable records of services performed.
A centralized solution should be capable of integrating with any cyber monitoring and reporting systems to provide a single source of truth for all patch-related actions. The investment in a “command center” helps IT operations and IT security each accountable for their part in protecting the IT infrastructure. When IT and OT work together using software that gathers data and automates the human component of patching, better outcomes can be expected.
Conclusion
It’s time to move from looking at patch management policy and technology as an IT cost center, Rather, start considering the cost of a breach and access to your organization’s most valuable information. As devices become smarter and software becomes more complex, vulnerabilities will proliferate and therefore, so will patches. In summary, a proactive patch management policy driven by automated rules should be a critical element of any defense-in-depth information security practice. An enterprise system that drives action and accountability for patch management across all IT and OT assets will fare much better against bad actors.
