Is Neglect Driving the Surge in Cybersecurity Breaches?

​More and more companies are experiencing ransomware attacks.

Ransomware victims have included Colonial Pipeline, JBS and Kia. In each case, the company was locked out of vital systems and suffered outages, and their IT teams had to scramble for many hours to enable the workforce to return to productivity.

The evidence isn't just anecdotal. The ENISA Threat Landscape 2021 report by the European Union Agency for Cybersecurity discovered a 150 percent rise in ransomware compared to 2020, while a recent Enterprise Strategy Group study found that 48 percent of respondents had been the victim of at least one successful ransomware attack.

Yet there is one simple, basic security action that is found to be neglected inside many organizations—patch management.

According to Kaspersky's latest Incident Response Analytics Report, patch management combined with robust password policies can reduce the risk of cyberattacks on businesses by 60 percent. Patch management alone was found to decrease the risk of experiencing a security incident by 30 percent, the Moscow-based cybersecurity firm found.

"Security issues with passwords and unpatched software combine into the overwhelming majority of initial access vectors during attacks," Kaspersky researchers noted.

Yet patch management remains a weak spot in many organizations. In 31 percent of successful attacks, the vulnerabilities utilized by adversaries are several months old. Quite a few are greater than one year old. These are well-known, widely publicized security holes for which developers have created approved, free patches.

Major vulnerabilities, for example, have been found in Microsoft Exchange, Fortinet, Cisco, VMware and Java. In many cases, patches had been available for months or, in a few cases, years. Yet some IT departments have failed to deploy them. The U.K.'s National Cyber Security Centre's advisory in April 2021 about unpatched Fortinet virtual private networks drew attention to a vulnerability known as CVE-2018-13379 that had existed for two years. The problem remains unremedied in some organizations to this day.

Similarly, the U.S. Cybersecurity and Infrastructure Security Agency's (CISA's) list of the most exploited common vulnerabilities and exposures includes one dating back to 2017 that impacts Microsoft Office. The alert noted that such vulnerabilities represented easy targets for cybercriminals if they remain unpatched. These security flaws make the hacker's job easy as they represent a well-traveled channel into the enterprise and don't require innovation on the part of the criminals.

Other golden oldies include a Citrix NetScaler bug from 2019, a Microsoft Exchange vulnerability found in early 2020 and an Altassian remote code execution bug that is more than a year old. Patches were issued as soon as these holes were discovered.

"Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public- and private-sector organizations worldwide," CISA said. "However, entities worldwide can mitigate the vulnerabilities by applying the available patches to their systems and implementing a centralized patch management system."

Excuses, Excuses 

Ashley Leonard, CEO of Aliso Viejo, Calif.-based security firm Syxsense, said there are many reasons and excuses offered as to why patches are not deployed. They include a shortage of personnel, IT backlogs, lack of training, carelessness, patch-testing protocols taking too long, and missing or inadequate patch management systems.

He urged organizations to implement automated cloud-based patch management. Efficient patch management processes require an automated patching process that encompasses discovery of all devices and systems, approval of patches, distribution of updates, rebooting of systems, and reporting of patching success.

"To install a patch, you might need to obtain permission from the server owner," Leonard said. "If a reboot is required, it has to be scheduled, and when the process is complete, you should be able to prove compliance."

Traditional patch management systems were designed to protect systems within the corporate firewall. The COVID-19 pandemic has accelerated the move away from premise-based patching tools to cloud patch management that can address devices and workloads spread around home networks and dispersed geographies. The latest tools can also patch a wider range of systems, components and operating systems.

"Organizations have traditionally focused on patching operating systems like Microsoft Windows while ignoring the real threat and patch requirements from third-party applications, operating system drivers, Internet of Things devices and network infrastructure," Leonard said. "We are now seeing customers wanting to understand their entire attack surface and patch everything."

Securing Systems

The Kaspersky report offered tips on how to greatly reduce the threat of an attack on enterprise systems. These include a robust password policy, maintaining a high level of security awareness among employees via comprehensive training, implementing an endpoint detection and response solution, and automated patch management.

"Ensure that patch management or compensation measures for public-facing applications have zero tolerance," the report authors advised. "Regular updates of vulnerability details from software vendors, scanning the network for vulnerabilities and patch installations are crucial for the security of a company's infrastructure."

Drew Robb is a freelance writer in Clearwater, Fla., specializing in IT and business.