A robust patching regimen is a pillar of “Cybersecurity 101.”
“But sometimes, believe it or not, that is such a basic task that it gets overlooked. For instance, checking the oil in your car frequently is a must, but that doesn’t mean people always remember to do it, even people who should know better,” says Raymond Peters, a cybersecurity researcher in Winnipeg, Manitoba.
Patching is essential to risk management
Frequent patching is something that every MSP needs to practice. “Not having a patching program as part of a basic risk management strategy is bad business for MSPs and is essentially rolling out the welcome mat for cybercriminals,” Peters warns.
The United States Cybersecurity and Infrastructure Agency (CISA) is one of the best clearinghouses for the latest vulnerabilities that can usually be remediated by patching.
“I always tell my clients to monitor CISA each day,” says Peters. He advises that such a simple exercise can keep a security professional armed with the most current information.
CISA recently added 36 vulnerabilities to its catalog, vulnerabilities that enterprising hackers could exploit. The vulnerabilities are seen across various software and hardware, most from well-known IT names, including Microsoft, Google, Adobe, Cisco, and NETGEAR.
With the addition of these vulnerabilities, CISA issued a stern warning:
CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalog vulnerabilities as part of their vulnerability management practice.
CISA update includes new vulnerabilities
Among the new vulnerabilities highlighted by CISA in its recent update are those present in Microsoft products, including CVE-2012-4969.
“CVE-2012-4969 is a vulnerability in Explorer that is particularly troublesome,” Peters explains, “because it allows remote code execution. Another especially bothersome one is CVE-2013-1331, which is a buffer overflow vulnerability in Office that gives hackers the tools to launch remote attacks.”
Another CISA catalog entry is CVE-2012-0151, a glitch in the Authenticode Signature Verification function in Windows.
“0151 allows user-assisted attackers to execute remote code. Any tool that allows hackers to operate remotely will cause problems,” Peters warns. The same remote execution of code has been found in Google’s Chromium V8 Engine. “If left unpatched, these allow attackers to execute code that they could exploit to access networks remotely.”
Some Adobe vulnerabilities have also been added to the CISA catalog, which is worrisome.
CVE-2009-4324 is a flaw in Adobe Acrobat and Reader, allowing remote attackers to execute code via a crafted PDF file, while CVE-2010-1297 is a memory corruption vulnerability in Adobe Flash Player.
“1297 allows remote attackers to execute code or cause a denial of service, which can then be used as a smokescreen to cause other issues,” Peters advises.
Statistics show vulnerabilities can be prevented
Peters says many of these potential problems can be prevented by simply following a solid patching program, and statistics bear that out.
According to the Ponemon Institute, 57 percent of cyberattack victims report that their breaches could have been prevented by installing an available patch. Even more chilling, 34 percent of those victims knew of the vulnerability but hadn’t taken action.
“It is inexcusable, just like having a car engine freeze up because you haven’t been checking the oil. It’s the same thing with patching,” Peters says.
Steps for good patching hygiene
Given the increased CISA warnings over unapplied patches, Peters recommends that all MSPs review their patching programs and consider implementing some of the following steps:
- Patching party: “You don’t have to have a ‘patching party,’ but you at least need to network,” Peters explains. “Talk to other MSPs, colleagues, and cybersecurity professionals to see what they are patching. Subscribe to CISA bulletins. Monitor Twitter. In other words, make sure you are staying ahead. It’s far easier to prevent a problem than clean up one.”
- Patching audit: Peters recommends that MSPs routinely audit software to ensure they are patched regularly. “Have a routine checking in of each software program you are using to make sure there are no new patches that have to be applied,” he says.
- Patch automation: “I know a couple of IT guys who still walk around with a notebook reminding them of when and where to patch. While I guess do whatever works for you, that seems like insanity in today’s IT-staff-stretched world. Instead, I recommend automation,” Peters advises, adding that there are programs out there that allow you to automate almost the entire time-consuming patch process.
- Patch testing: Patching should be tested whenever possible. An incorrectly applied patch can cause a different set of problems than one that isn’t applied.
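
The daily CISA check, the patching audit and the automation step above can be combined into one small job. The following is an added example, not code from the article or from CISA: it compares a catalog snapshot against the previous day's run and turns new entries into per-host patch tickets. The catalog sample is constructed (field names are assumed to follow CISA's Known Exploited Vulnerabilities JSON feed, the dates are invented), and the client inventory and its host names are hypothetical.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names assumed
# from that feed); dates and product strings are made up for the example.
CATALOG = json.loads("""{"vulnerabilities": [
 {"cveID": "CVE-2012-4969", "vendorProject": "Microsoft", "product": "Internet Explorer",
  "dateAdded": "2022-06-08", "dueDate": "2022-06-22"},
 {"cveID": "CVE-2009-4324", "vendorProject": "Adobe", "product": "Acrobat and Reader",
  "dateAdded": "2022-06-08", "dueDate": "2022-06-22"},
 {"cveID": "CVE-2010-1297", "vendorProject": "Adobe", "product": "Flash Player",
  "dateAdded": "2022-06-08", "dueDate": "2022-06-22"}]}""")

# Hypothetical MSP inventory: which client runs which product on which host.
INVENTORY = [
    {"client": "acme", "host": "ws-014", "vendor": "adobe", "product": "flash player"},
    {"client": "acme", "host": "ws-020", "vendor": "Microsoft", "product": "Internet Explorer"},
    {"client": "globex", "host": "srv-02", "vendor": "Cisco", "product": "IOS XR"},
]

def _key(vendor, product):
    """Normalise vendor/product so case and spacing differences still match."""
    return (" ".join(vendor.lower().split()), " ".join(product.lower().split()))

def new_entries(catalog, seen_cves):
    """Entries that were not in the catalog on the previous daily run."""
    return [v for v in catalog["vulnerabilities"] if v["cveID"] not in seen_cves]

def patch_tickets(entries, inventory, today):
    """One ticket per (catalog entry, affected host), overdue items first."""
    by_product = {}
    for asset in inventory:
        by_product.setdefault(_key(asset["vendor"], asset["product"]), []).append(asset)
    tickets = []
    for v in entries:
        due = date.fromisoformat(v["dueDate"])
        for asset in by_product.get(_key(v["vendorProject"], v["product"]), []):
            tickets.append({"client": asset["client"], "host": asset["host"],
                            "cve": v["cveID"], "due": due, "overdue": today > due})
    return sorted(tickets, key=lambda t: (not t["overdue"], t["due"], t["host"]))

if __name__ == "__main__":
    seen = {"CVE-2009-4324"}  # state saved by yesterday's run (constructed)
    for t in patch_tickets(new_entries(CATALOG, seen), INVENTORY, date(2022, 6, 25)):
        print(t)
```

Matching on exact vendor and product names is a simplification; a production audit would also compare installed versions against the affected range before closing a ticket.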
Photo: MR Gao / Shutterstock