Patching? Sooo Not a Solved Problem…
Even when you have the right tools in place to secure your IT environment, you may still be at risk because they aren’t always optimized for success.
Patching, for example, simply isn’t a solved problem. WannaCry and NotPetya spread rapidly, using a combination of exploits stolen from the NSA and common weaknesses in Windows software—weaknesses for which there was a patch available.
- Software is inherently vulnerable. Hundreds of thousands of lines of code, all written by humans. What could go wrong, right? Nobody writes software that’s completely free of errors and immune to potential attackers.
- The older your software gets, the more vulnerabilities get exposed. At Ivanti, we like to use spoiled milk as a metaphor for this one. The longer milk is left on the shelf, the older it gets. Eventually? It spoils. Similarly, the longer software is out there in the world, the more its inherent vulnerabilities get uncovered, exposed, and exploited.
- Legacy software doesn’t get patched. This one isn’t a hard-and-fast rule. For example, after WannaCry hit, Microsoft decided to go ahead and release patches for its unsupported operating systems, given the widespread nature of the threat. But by and large, you can’t count on updating vulnerable legacy software.
- Newer software isn’t patched properly. Patches were available for supported Windows operating systems prior to WannaCry, and as noted, for unsupported systems after that attack. Yet, even with all those patches available and the threat of WannaCry so recently passed, organizations still fell victim to NotPetya a month later. Maybe they didn’t have the tools in place to patch comprehensively across the environment. Maybe their limited resources were working as quickly as they could, but just hadn’t been able to get the job done in time. Whatever the reason, patches simply being available doesn’t mean they’re being implemented as they should be.
- And finally? Not everything can be patched. Patching won’t protect against zero-day exploits. And if you can’t patch, because you’re running legacy systems, for example, or you have concerns that patching will break something in your environment, you need to use tools like application whitelisting and privilege management to block the applications that don’t get patched. Regardless of how or where users access their desktops, it’s essential that they receive only the authorized apps they need to be productive and can’t introduce unauthorized apps that could reduce desktop stability, impact security, breach licensing compliance, lead to user downtime, and increase desktop management costs.
Other Problems We Hear from Our Customers
There’s more to the cybersecurity puzzle than this, certainly. But simply put, IT and Security are working so hard, but they’re set up for failure.
The patchwork of cybersecurity point solutions they’ve got in place? It doesn’t function well as a whole, and it doesn’t provide a complete, integrated view of the risks to the environment. According to the Cisco 2017 Annual Cybersecurity Report, 55 percent of security professionals use at least six security vendors.
That’s compounded by the well-publicized cybersecurity resource shortage. Without the talent—or tools—to determine which alerts are critical and why they’re occurring, security professionals are often forced to skip the investigation of alerts altogether. In fact, according to the same report, nearly half of alerts go uninvestigated.
Imagine what these uninvestigated threats could do to productivity, customer satisfaction, and trust in your organization.
Now consider this: juggling solutions and platforms from many vendors actually creates gaps where attacks can be launched, compounding risk and cost and putting that much more pressure on already overworked teams and IT governance.
Where Do We Go from Here?
So where does all of this leave us? Without question, hackers today can have a major impact on critical infrastructure worldwide. To see why your users might actually be your organization’s downfall, click back to the second blog in the series, “The User: Always Your Weakest Link.”