IT disaster recovery, cloud computing and information security news

Daisy

To patch or not to patch?

Some businesses decide that the risks of regular patching are too high. In this article, Toby Scott-Jackson asks whether this can ever be an acceptable approach.

Software patching across an IT estate is a bit like taking a car for its annual service:  you know you should do it, but it can often lead to unpleasant surprises, exposing a range of unexpected problems which need to be fixed.  Not least because the complexity and interdependencies of software mean that fixing one problem may well introduce another, causing a knock-on effect across systems and the potential for downtime or loss of service. 

Yet with cyber-attacks a continuous threat to organizations, the work of maintaining systems security by IT departments is increasingly business critical and requires constant vigilance across a plethora of network devices and applications to prevent a data breach.  The breadth and scale of this battle was highlighted by a recent survey of CIOs which identified a wide range of potential network weaknesses and common threats. The CIOs surveyed named the top 3 common information system vulnerabilities as being related to application security (55 percent), security awareness (51 percent), and, perhaps most surprisingly, out-of-date security patches (50 percent). 

Businesses would be forgiven for thinking that everyone in their IT team would understand the importance of immediately updating their operating systems, firmware and security software with the latest patches. However, when conducting penetration tests, we regularly encounter network components where the latest patches have not been implemented.  Most commonly, the reasons for this are found to be either problems with automated patch management systems or because the business decided it could not afford the risk of disruption to services that patching can sometimes cause. Yet what organizations overlook is that failing to patch systems quickly can leave the business open to vulnerabilities, which could prove far more costly than the disruption to service caused by the patch itself.

GHOSTs in the machine

Three examples that demonstrate the false economy of this approach occurred last year. The Heartbleed and Shellshock vulnerabilities made international news headlines, due to the severity, ease of exploitability, and the risk to sensitive information that the flaws posed. Heartbleed was a vulnerability within OpenSSL, a commonly used library found within numerous systems and applications. Attacks against systems vulnerable to Heartbleed allowed the disclosure of a small amount of data held in the systems memory, which was enough to potentially retrieve usernames and passwords, or other sensitive data.

News of Heartbleed was followed by the disclosure of a severe vulnerability in the Unix shell ‘Bash’. This vulnerability, known as Shellshock, was identified as being present within the Bash shell since 1989, and once exploited could potentially allow arbitrary code execution.

The assault on open source didn't stop there: earlier this year a research team discovered GHOST, a critical vulnerability in the GNU C Library - common to many Linux implementations. Part of the function of this library is used to convert Internet host names to Internet addresses. If exploited, GHOST potentially allows an attacker to take control of an entire network system. And while, unlike Heartbleed which affected even the largest corporations, the risk of either Shellshock or GHOST leading to a breach was significantly lower, the possible consequences were severe enough to send shockwaves across the industry.

It’s not just open source

Commercial software is also prone to vulnerabilities:  Microsoft recently disclosed MS15-034, a critical vulnerability through their Microsoft Security Bulletins along with a patch. This vulnerability was also widespread, affecting any Windows Servers that had Internet Information Services (IIS) running and any services that interacted with the HTTP API. Within a matter of hours there were denial of service exploits surfacing across the Internet, and within two days there were remote payload execution exploits for sale on the Dark Web.

Patching best practice

Failing to patch software leaves organizations vulnerable to a range of unnecessary risks that can easily be avoided. Accepted industry best-practice is to keep firmware, operating systems, services, and applications patched and up-to-date with the latest security patches. Patches should be applied regularly on an agreed schedule, and soon after any newly identified critical vulnerabilities are disclosed.  A good patch management system should also keep non-operating system applications and services updated, including third-party software.

There is little to lose, and everything to gain from effective patch management. Attackers and researchers are constantly working hard to expose vulnerabilities in software that can be exploited and administrators cannot afford to take anything for granted.  Weaknesses such as GHOST and MS15-034 are not the first wide-reaching vulnerability discoveries affecting unpatched software and will almost certainly not be the last. IT managers and system administrators should adopt best practice in terms of prioritising systems patching, so that when the next vulnerability scare arises they spend as little time as possible exposed to the risk of attack. 

The author

Toby Scott-Jackson is a Senior Security Consultant with SureCloud.



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.