According to the 2021 X-Force Threat Intelligence Index, scanning for and exploiting vulnerabilities was the top infection vector of 2020. Up to one in three data breaches stemmed from unpatched software vulnerabilities. Take a look at this list of vulnerabilities or design flaws with no official Microsoft fix. In any case, one in three might be a low-ball estimate given the increase in unpatched vulnerability attacks. How do defenders stop them?
Attacks have become more diverse over time. For example, some Linux vulnerability attackers don’t want your trade secrets. Instead, they hijack computing resources for cryptomining, which can go on for months before detection. Meanwhile, threat actors can also set up web shells to install ransomware. By maintaining the shell, they can sell remote access to your web server.
The Cybersecurity and Infrastructure Security Agency (CISA) beats the drum about software vulnerabilities and exploits. CISA says, “Foreign cyber actors continue to exploit publicly known — and often dated — software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.”
In other words, CISA is tired of having to deal with unpatched vulnerability breaches. Some say the lack of patching is due to laziness and neglect. Maybe it’s because security teams don’t have a solid patching plan. So let’s hatch a plan.
Prioritize the Risk
If you were to scan your systems for software vulnerabilities, you might discover hundreds of thousands of open doors. Merged with or acquired a company recently? You just multiplied your risk. For enterprises, the grand total of detected vulnerabilities can number in the millions.
Of course, you can’t patch everything at once. Instead, proper triage is essential. For example, what types of vulnerabilities are nearest to mission-critical systems?
Another factor: you can’t handle this without qualified patchers. Plus, how do you know if a detected vulnerability isn’t a false positive?
Common Software Vulnerabilities and Exposures
Why not target the CISA Top 10 Routinely Exploited Vulnerabilities? While it’s important to be aware of the CVE list, your high-value assets may be exposed to uncommon risk. Also, CISA’s Common Vulnerability Scoring System doesn’t consider weaponized software vulnerabilities , that is, the ones being actively exploited. You need to consider both asset value and weaponization to triage patches.
To minimize false positives, it’s important to use attack correlation, intelligence sources and a risk-based approach. This is not a simple task, and few companies have the right in-house resources. For this reason, some may choose to hire an expert team.
So Little Time, So Many Software Vulnerabilities
For vulnerability patching, the emergency room triage example serves us well. When the ER is full, doctors must decide which patients are critical. Later in the day, the ER may be nearly empty, so the doctor can address less urgent cases. Vulnerability assessment and remediation are similar. And just like the ER never closes, a company needs to audit, monitor and test their software vulnerability profile often.
Remember, your teams might add applications at any moment. So, maintain an up-to-date network inventory and schedule vulnerability scanning. Automated software vulnerability management programs can be a great help here.
Many companies don’t have the time or qualified resources to identify, prioritize and remediate vulnerabilities. Rather than being lazy or negligent, businesses simply find the process overwhelming. Given the high risk involved, many companies decide to contract expert vulnerability mitigation services.
Software Patch Testing
Once your team has identified a software vulnerability, it’s time to test the patch. Perhaps something worse than non-security broke an application due to a botched patch. After patch download, test each patch in a non-production environment.
Remember, with infrastructure becoming more complex, it can be difficult to test a patch in many cases. Some use cloud services as a cost-effective way to create a patch testing environment that mimics your production system.
Software Patch Bundling
Work in bundles when you can. Put another way, test and roll out patches in groups instead of one at a time. Be aware that this tactic carries some risk since an attacker may discover a vulnerability before you apply the patch. For mission-critical assets, bundling may not be the best choice. Still, in some cases, bundling leads to faster patch deployment since you’re rolling out the process according to a plan.
Software Vulnerabilities: Patch Application & Verification
Since it can get confusing, IT teams should stick to a vulnerability database management schedule to keep track of patch deployment. After you apply patches, check your system logs and exceptions to verify correct patching. Also, put a recovery plan in place beforehand in case the patch causes a disaster.
To verify patch success, you can rescan your assets. This should also include checking related network devices, systems or applications for signs of malfunction.
End of Life Software & Virtual Patches
Still have outdated software or operating systems on your network? If so, threat actors can exploit existing or newly-found data protection vulnerabilities. Since old software may lack updates, the application security becomes patchless.
If legacy software sits in front of important assets, some security teams may turn to virtual patches. With virtual patches, the security enforcement layer analyzes transactions and intercepts attacks in transit. This prevents malicious traffic from reaching the web application. While the application’s actual source code stays the same, virtual patches prevent exploitation attempts.
Virtual patches are useful, scalable and much better than emergency patching. Still, virtual patching does not address all ways in which an attacker might exploit a vulnerability. For instance, a custom rule placed on a web application firewall to block access to an at-risk web page might not protect another web page that makes use of the same code.
IT teams should not rely on virtual patching as a permanent fix. Instead, it can be a bridge to more comprehensive solutions such as legacy software replacement. There’s a reason CISA considers end-of-life software use as exceptionally dangerous behavior. The best thing to do is to begin planning to replace it right away. That way, it will be more likely to have patches for future software vulnerabilities, too.