According to the 2021 X-Force Threat Intelligence Index, scanning for and exploiting vulnerabilities was the top infection vector of 2020. Up to one in three data breaches stemmed from unpatched software vulnerabilities. Take a look at this list of vulnerabilities or design flaws with no official Microsoft fix. In any case, one in three might be a low-ball estimate given the increase in unpatched vulnerability attacks. How do defenders stop them?

Attacks have become more diverse over time. For example, some Linux vulnerability attackers don’t want your trade secrets. Instead, they hijack computing resources for cryptomining, which can go on for months before detection. Meanwhile, threat actors can also set up web shells to install ransomware. By maintaining the shell, they can sell remote access to your web server.

The Cybersecurity and Infrastructure Security Agency (CISA) beats the drum about software vulnerabilities and exploits. CISA says, “Foreign cyber actors continue to exploit publicly known — and often dated — software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available.”

In other words, CISA is tired of having to deal with unpatched vulnerability breaches. Some say the lack of patching is due to laziness and neglect. Maybe it’s because security teams don’t have a solid patching plan. So let’s hatch a plan.

Prioritize the Risk

If you were to scan your systems for software vulnerabilities, you might discover hundreds of thousands of open doors. Merged with or acquired a company recently? You just multiplied your risk. For enterprises, the grand total of detected vulnerabilities can number in the millions.

Of course, you can’t patch everything at once. Instead, proper triage is essential. For example, what types of vulnerabilities are nearest to mission-critical systems?

Another factor: you can’t handle this without qualified patchers. Plus, how do you know if a detected vulnerability isn’t a false positive?

Common Software Vulnerabilities and Exposures

Why not target the CISA Top 10 Routinely Exploited Vulnerabilities? While it’s important to be aware of the CVE list, your high-value assets may be exposed to uncommon risk. Also, CISA’s Common Vulnerability Scoring System doesn’t consider weaponized software vulnerabilities, that is, the ones being actively exploited. You need to consider both asset value and weaponization to triage patches.

To minimize false positives, it’s important to use attack correlation, intelligence sources and a risk-based approach. This is not a simple task, and few companies have the right in-house resources. For this reason, some may choose to hire an expert team.
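As an added illustration of the triage rule above (this is not code from the article), the ranking below weights a finding’s CVSS score by the asset’s criticality and by whether it is known to be exploited, and drops confirmed false positives. The CVE identifiers, criticality scale and weights are constructed placeholders.

```python
# Added example: rank findings by asset value and weaponization rather than
# by CVSS base score alone. All sample values are constructed.
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                  # placeholder identifier, not a real CVE
    cvss: float               # base score, 0.0 - 10.0
    asset_criticality: int    # 1 (low) .. 5 (mission-critical), from the inventory
    exploited_in_wild: bool   # e.g. listed in a known-exploited catalogue
    false_positive: bool = False  # confirmed during validation


def risk_score(f: Finding) -> float:
    """CVSS scaled by asset criticality, doubled when actively exploited."""
    if f.false_positive:
        return 0.0
    weaponization = 2.0 if f.exploited_in_wild else 1.0
    return f.cvss * (f.asset_criticality / 5) * weaponization


def triage(findings):
    """Highest risk first; confirmed false positives are removed from the queue."""
    live = [f for f in findings if not f.false_positive]
    return sorted(live, key=risk_score, reverse=True)


def by_cvss_only(findings):
    """Naive ordering for comparison: trust the base score alone."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample scan output.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", 9.8, 1, False),   # critical score, low-value dev host
    Finding("CVE-PLACEHOLDER-2", 7.5, 5, True),    # actively exploited on a core server
    Finding("CVE-PLACEHOLDER-3", 5.3, 5, False),   # medium score on a core server
    Finding("CVE-PLACEHOLDER-4", 9.1, 4, False, false_positive=True),
]


def top_cves(findings, n=3):
    return [f.cve for f in triage(findings)[:n]]


if __name__ == "__main__":
    print("cvss only:", [f.cve for f in by_cvss_only(SAMPLE)])
    print("risk-based:", top_cves(SAMPLE))
```

The CVSS-only queue starts with the 9.8 on a throwaway host and a false positive, while the risk-based queue puts the exploited-in-the-wild finding on the core server first.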

So Little Time, So Many Software Vulnerabilities

For vulnerability patching, the emergency room triage example serves us well. When the ER is full, doctors must decide which patients are critical. Later in the day, the ER may be nearly empty, so the doctor can address less urgent cases. Vulnerability assessment and remediation are similar. And just as the ER never closes, a company needs to audit, monitor and test its software vulnerability profile often.

Remember, your teams might add applications at any moment. So, maintain an up-to-date network inventory and schedule vulnerability scanning. Automated software vulnerability management programs can be a great help here.

Many companies don’t have the time or qualified resources to identify, prioritize and remediate vulnerabilities. Rather than being lazy or negligent, businesses simply find the process overwhelming. Given the high risk involved, many companies decide to contract expert vulnerability mitigation services.

Software Patch Testing

Once your team has identified a software vulnerability, it’s time to test the patch. Perhaps worse than the security gap itself is an application broken by a botched patch. After downloading a patch, test it in a non-production environment.

Remember, with infrastructure becoming more complex, it can be difficult to test a patch in many cases. Some use cloud services as a cost-effective way to create a patch testing environment that mimics your production system.

Software Patch Bundling

Work in bundles when you can. Put another way, test and roll out patches in groups instead of one at a time. Be aware that this tactic carries some risk since an attacker may discover a vulnerability before you apply the patch. For mission-critical assets, bundling may not be the best choice. Still, in some cases, bundling leads to faster patch deployment since you’re rolling out the process according to a plan.

Software Vulnerabilities: Patch Application & Verification

Because patch tracking can get confusing, IT teams should keep to a vulnerability database management schedule to track patch deployment. After you apply patches, check your system logs and exceptions to verify correct patching. Also, put a recovery plan in place beforehand in case the patch causes a disaster.

To verify patch success, you can rescan your assets. This should also include checking related network devices, systems or applications for signs of malfunction.

End of Life Software & Virtual Patches

Still have outdated software or operating systems on your network? If so, threat actors can exploit existing or newly found data protection vulnerabilities. Since old software no longer receives updates, the application’s security cannot be patched.

If legacy software sits in front of important assets, some security teams may turn to virtual patches. With virtual patches, the security enforcement layer analyzes transactions and intercepts attacks in transit. This prevents malicious traffic from reaching the web application. While the application’s actual source code stays the same, virtual patches prevent exploitation attempts.

Virtual patches are useful, scalable and much better than emergency patching. Still, virtual patching does not address all ways in which an attacker might exploit a vulnerability. For instance, a custom rule placed on a web application firewall to block access to an at-risk web page might not protect another web page that makes use of the same code.
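To make the caveat above concrete, here is an added example (not code from the article) of a virtual patch written as a path-scoped rule versus one keyed on the shared code path. The routes, the handler and the `legacy_cmd` query parameter that the rule watches for are all constructed stand-ins.

```python
# Added example: a virtual patch scoped to one URL misses a second URL that
# runs the same unpatched code; keying the rule on the handler covers both.
# Route names, handler and the watched parameter are constructed.
from urllib.parse import parse_qs

WATCHED_PARAM = "legacy_cmd"   # constructed: the input the at-risk code mishandles


def legacy_handler(request):
    """Stand-in for the legacy code that cannot be patched at source."""
    return "200 OK"


def other_handler(request):
    return "200 OK"


# Two routes share the legacy code; a third does not.
ROUTES = {
    "/report": legacy_handler,
    "/export": legacy_handler,
    "/status": other_handler,
}


def _has_watched_param(request):
    return WATCHED_PARAM in parse_qs(request.get("query", ""))


def path_scoped_waf(request):
    """Rule as first written: block the marker only on the page that was reported."""
    if request["path"] == "/report" and _has_watched_param(request):
        return "403 blocked"
    return ROUTES[request["path"]](request)


def handler_scoped_waf(request):
    """Rule keyed on the vulnerable handler, so every route using it is covered."""
    handler = ROUTES[request["path"]]
    if handler is legacy_handler and _has_watched_param(request):
        return "403 blocked"
    return handler(request)


# Constructed requests for a quick check.
REPORTED_PAGE = {"path": "/report", "query": "legacy_cmd=1"}
SAME_CODE_OTHER_PAGE = {"path": "/export", "query": "legacy_cmd=1"}
BENIGN = {"path": "/export", "query": "format=csv"}
```

Running both rules over the three requests shows the path-scoped rule letting the second page through while the handler-scoped rule blocks both and still passes benign traffic.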

IT teams should not rely on virtual patching as a permanent fix. Instead, it can be a bridge to more comprehensive solutions such as legacy software replacement. There’s a reason CISA considers end-of-life software use as exceptionally dangerous behavior. The best thing to do is to begin planning to replace it right away. That way, it will be more likely to have patches for future software vulnerabilities, too.
