The Risks and Consequences of Lax Patch Management

cybersecurity analysis

Although software patches can be inconvenient and cumbersome for both enterprises and individual users, these fixes serve an important role in protecting computer systems, which are now vital to everyday life.

Earlier this month, a woman with a life-threatening condition passed away after hackers crashed the IT systems of a major hospital in the city of Dusseldorf.

The emergency patient could not be admitted for treatment because the Duesseldorf University Clinic could not access data after its systems had been disrupted for a week by an apparent ransomware attack. As a result, the woman was sent to a hospital 20 miles away, where doctors were not able to begin treatment for another hour. She subsequently died.

To sabotage the hospital systems, the hackers exploited a Citrix ADC CVE-2019-19781 vulnerability, which can let attackers execute their own code on hacked servers. The “misdirected” attack reportedly was originally intended for Heinrich Heine University, according to an extortion note from the hackers.

Citrix issued a patch for the vulnerability on January 24, but it appears that the hospital had not yet installed the fix.

The same Citrix vulnerability was exploited on September 9 to attack the servers of Italian eyewear giant Luxottica Group, according to Italian cybersecurity firm SecurityOpenLab. That attack forced Luxottica to shut down operations in Italy and China.

Cybersecurity Priorities

Incidents like this raise the question of why corporations do not patch vulnerabilities as soon as software manufacturers issue a fix.

“Too many organizations are overly dependent on scanners to discover what needs to be patched,” Chlo Messdaghi, VP of Strategy at Point3 Security, told TechNewsWorld. These “provide only the extreme bare minimum of information.”

Many scanners are not up to date and don’t prioritize issues, Messdaghi said. “They can’t provide a trustworthy view into what’s critical to patch immediately, what may be a lower priority but requires timely action, and what may have less risk.”

Even when IT staff patch vulnerabilities, they may not fully test those patches, she pointed out.

On the consumer side, users employ the same passwords on multiple sites or fail to implement basic cybersecurity measures such as installing antivirus or antimalware software, updating that software and their operating systems in a timely manner, and refraining from clicking on links embedded in, or attachments to, emails whose sender they have not verified, or links on web pages they visit.

“Time and again, users have proven they’ll disregard expert advice, reuse credentials, and select simple passwords,” Dan Piazza, Technical Product Manager at cybersecurity firm Stealthbits Technologies, told TechNewsWorld.

Using passwords across multiple accounts is widespread, the United States Federal Bureau of Investigation stated in a private industry notification to the financial sector earlier this month.

“Successful attacks occur more often when individuals use the same password or minor variations of the same password for various online accounts, and/or…use login usernames that are easily guessed, such as email addresses or full names,” the U.S. Securities and Exchange Commission said in a risk alert issued on September 15.

Self-Enforcement at Every Level

Users’ failure to follow simple security procedures has long vexed cybersecurity experts and vendors.

In 2004, Microsoft’s then-CEO Steve Ballmer called on individual users to take responsibility for their own cybersecurity. In 2010, Cisco Systems asserted that cybersecurity is everyone’s responsibility.

High-tech and cybersecurity software vendors, banks, and other organizations have been trying to get consumers to follow basic rules to protect their cybersecurity for years, but “Companies should now assume users will act against their best interests when it comes to credentials, and start forcing good habits for passwords and security,” Stealthbits’ Piazza advised.

Piazza recommended that firms trying to protect their networks against breaches consider real-time threat detection and response solutions and password policy enforcement software because “Convincing users to adhere to credential best practices is an uphill battle, so companies should start forcing good habits programmatically.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, on September 18 took a step toward enforcing vulnerability patching when it released an emergency directive strongly recommending both the public and private sectors patch a critical vulnerability in Microsoft Windows Netlogon Remote Protocol called CVE-2020-1472.

The Netlogon vulnerability, for which Microsoft issued a patch in August, could let attackers take over domain controllers on a victim’s network.

CISA gave public sector IT departments the weekend — until midnight September 21 — to install the patch, remove domain controllers that could not be patched, and implement technical and management controls.

It’s “virtually inevitable” that some public sector systems will fall through the cracks, Saryu Nayyar, CEO of cybersecurity firm Gurucul, told TechNewsWorld. “Even the best run environments have strays.”

As for the private sector, “It’s likely that some organizations will weigh the organizational costs and delay addressing this directive based on assumed risk or resource concerns,” Nayyar added. Private companies may be forced to patch the Windows Netlogon flaw.

On February 9, 2021, Microsoft will begin to enforce new settings that will improve the security of the Netlogon Remote Protocol, Joe Dibley, security researcher at Stealthbits Technologies, told TechNewsWorld. The flaw will have to be patched first.

Corporate Responsibility

“Nearly all organizations have processes and procedures for ensuring their Windows systems received patches in an automated and timely matter, but very few have strategies for any other products in their environment,” Chris Clements, VP of Solutions Architecture with managed security services provider Cerberus Sentinel, told TechNewsWorld. “The state of patching for network appliances is often abhorrent, simply because the responsibility hasn’t been clearly defined.”

That said, corporations “can absolutely be made to take more responsibility for their own cybersecurity,” Mounir Hahad, head of Juniper Threat Labs, told TechNewsWorld.

On the consumer side, users pay lip service to cybersecurity, an online survey of 1,000 people across the U.S. conducted in May by professional network services and accounting firm KPMG found.

About 75 percent of the respondents consider it risky to use the same password for multiple accounts, use pubic WiFi, or save a card to a website or online store, but more than 40 percent do these things, according to the survey.

“Consumers are their own last line of defense when it comes to cybersecurity,” Stealthbits’ Piazza remarked. “Although businesses and governments have a responsibility to protect sensitive data in their possession, ultimately consumers can ensure their digital well-being by following cybersecurity best practices themselves.”

“When new security features are added to a website or software, users are typically only OK with them if they’re not impeded in any way or if they can see an immediate, tangible benefit.

“Most best practices for personal cybersecurity don’t come with strong, immediate motivating factors for consumers unless they look at the big picture,” Piazza said.

The consumer is not to blame, Juniper’s Hahad contends. “Cybersecurity professionals would like to enlist the help of consumers in limiting or mitigating cybersecurity risk, but we cannot hold them responsible for things they do not understand,” he said.

The onus, in his view, is on businesses to ensure cybersecurity for themselves and consumers.

Higher Standards for Passwords

“We would like consumers not to keep default passwords, but we’d rather require companies not to allow default passwords to persist,” Hahad said.

“We can ask consumers to choose stronger passwords, but we’d rather have services refuse a weak password. We can ask consumers not to reuse passwords, but we’d rather have a consortium checking passwords are not being reused across sites or services,” he explained.

One way around this is to implement privacy by design, which is the new normal when designing software, websites, and services, Piazza commented.

“While consumers can’t be legally forced to follow security best practices, government regulations will force organizations to employ better safeguards, which in turn will result in more enforced policies surrounding user password selection, the use of multifactor authentication, and other aspects of the consumer authorization workflow,” he concluded.

Richard Adhikari

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology. Email Richard.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

E-Commerce Times Channels