How Important Is Patching, Really?
It is a commonly known fact that soon after cavemen discovered fire they tackled the next age-old question: Do we really still need to patch our applications?
Cygilant, an Ivanti partner, recently hosted a webinar about reducing the attack surface with integrated vulnerability and patch management. Ivanti Product Manager Todd Schell joined the presenters to discuss the importance of timely software patching.
According to the Verizon 2017 Data Breach Investigations Report, more than 90 percent of security incidents/breaches involved phishing. I know what you’re thinking: “My users aren’t dumb enough to fall for phishing messages.” I hate to break it to you, but statistically speaking, you’re wrong. The report found that 30 percent of recipients open phishing messages and 12 percent click on the attachments. #Facepalm.
Interestingly enough, the Verizon 2018 Data Breach Investigations Report showed some progress. They found that 78 percent of people don’t click on a single phishing campaign all year. However, an average of four percent of people in any phishing campaign will click the malicious link or attachment. This is great progress, but it only takes one rogue clicker to open the door to unwanted malware.
A 2017 Farsight Security report found that 49 percent of security professionals had experienced a WannaCry-like event in the past year. Of those, 72 percent experienced three such events. And in the healthcare sector specifically, ransomware attacks are still on the rise.
With the breach risks so high, this isn’t the time to leave a “Gone Phishing” sign on your office door. It’s time to patch.
Some say that children are the future. Todd says it’s weaponized malware (he’s a “glass is half empty” type of guy). Last year was a wild year for malware, starting with WannaCry. An interesting thing about the WannaCry attack is it used a particular vulnerability that had been patched in March. Organizations had plenty of time to patch their systems before the malware hit.
NotPetya is another interesting example. It used ransomware to encrypt files much like WannaCry, but attackers were not able to get a decryption key if they paid the ransom—which is certainly not the best way to encourage organizations to open their wallets. Rather than being a cash cow, it was designed for chaos and hit Ukraine the worst, although the targeted attack had a global impact.
SamSam is a recent attack that differs from NotPetya and WannaCry. It looks for known vulnerabilities that haven’t been patched and then tries to penetrate the system in multiple layers. SamSam was extremely targeted: It went after the city courts, water system, and medical records in the city of Atlanta.
All of these attacks could be prevented with patching.
Bringing it back to our original question, the answer is YES. Patch like your life depends on it. As Todd says in the webinar, “Patch often, patch everything, patch everywhere.”
Microsoft’s Patch Tuesday is on the second Tuesday of every month. Adobe Reader and Flash patches usually release the same day. Java patches release once a quarter. Google Chrome drops as Adobe Flash Player updates release. If you’re overwhelmed by all of the dates to keep track of, I recommend joining Ivanti’s monthly Patch Tuesday Webinar. Todd breaks down cybersecurity news, known exploited vulnerabilities, and bulletins. He also answers any questions you might have to help guide you through your patching journey.
If you are interested in the state of cybersecurity and how patch management is involved, check out our recent white paper collaboration with Cygilant where we talk reducing the attack surface with unified vulnerability and patch management.