Military strategy is about knowing where an opponent’s weak points are and how to take advantage of them. It is the same concept for cyberattacks. External threat actors don’t bide their time chipping away at strong defenses. Instead, they exploit known vulnerabilities such as unpatched operating systems. A single unpatched OS can be the entry point that allows your digital resources to be plundered by an unknown aggressor.
At CYREBRO, we make identifying exploitable weak links a top priority. The first step to securing your network is the realization that weak links can exist anywhere in your network, including the equipment supplied by your ITaaS provider. One of the common culprits of weakness are publicly known information security vulnerabilities and exposures.
A Case Study for Patching
A case in point involved a major incident response case CYREBRO investigated from 2019, in which dozens of POS (Point of Sale) endpoints were infected with WannaCry. WannaCry is one of many malware strains that exploited the CVE-2017-0144 vulnerability, also known as EternalBlue. The patch for this known exploit had existed for more than two years by the time of the attack. In this case, the POS machines used Windows 7 operating systems that had not been updated since their initial deployment. To make matters worse, the POS devices were exposed to the internet and were assigned external static IP addresses. It would prove a lethal combination of circumstances for that particular company.
Patch Management is Critical
It is important to approach the patching and updating of systems and software with a sense of vigilance. Patching is an eternal process as new vulnerabilities are constantly being discovered. What’s more, new feature updates then create additional vulnerabilities. New vulnerabilities uncovered within a given OS are published to a list of known Common Vulnerabilities and Exposures (CVE). According to a report in 2020, CVEs have been on the rise. This upward trend may be attributed to software vendors releasing new code with greater frequency or it simply may be that more people are out there looking for vulnerabilities.
Think of all the devices in your network that host an operating system. Because it only takes a single weak point to crack open your network to an attacker, you need a systematic approach to patch management to ensure that every OS is patched and updated across your IT estate. Missing a critical update on a single machine could spell disaster.
An Unpatched OS Invites Trouble
Failing to patch a CVE is almost the equivalent of using default admin credentials. The default credentials for nearly every IT device are readily available on the Internet, which means the failure to immediately reconfigure them is an open invitation for an unauthorized user. Cybercriminals keep track of newly published CVEs to create code and tools to exploit them. The truth is that unpatched system is easy prey for hacking organizations and the malicious tools they use to perform their dastardly deeds.
Get Rid of the Obsolete
The first step is to stop using operating systems that have been deprecated and are no longer supported. Software companies only support outdated systems for so long as it is just not economically viable to do so. Obsolete software represents one of the most blatant examples of vulnerability, yet too many businesses continue to make use of these systems that should be decommissioned. For instance, Microsoft stopped supporting Windows 7 in January of 2020, yet 16% of all Windows PCs were running the unsupported OS 18 months later. In fact, as of April 2022, there were still more XP machines in operation than Windows 11. Keeping obsolete devices in your production environment is simply asking for trouble.
Only Allow External Access When Necessary
Businesses that lack a proactive approach to cybersecurity management often find themselves putting out fires on a continual basis. Relying solely on your endpoint security solution is not a strategy. An effective plan utilizes a defense-in-depth approach that creates a collective effort to keep threats at bay. For instance, a strict adherence to the principle of least privilege (PoLP) is important for any device, patched or unpatched. This is especially pertinent for internet connected devices. At CYREBRO we have done extensive analysis showing that open and exposed ports are one of the leading causes for cybersecurity incidents. Any port that is not related to necessary web services should be blocked from the internet. For instance, ports 80 and 443 are required for a web or application server but 3389 which allows RDP access should be denied as well as port 445 that services the SMB protocol. Once a port is closed, however, it doesn’t stop someone from inadvertently or purposely opening it. That’s why monitoring is so important. Active monitoring gives you visibility into what is trying to connect to your internet exposed systems.
Harden All Systems
As vital as it is, patch management alone isn’t enough. Security patches are normally released according to a regular schedule such as Microsoft’s infamous ‘Patch Tuesday’ so there is an open gap between when a vulnerability is first discovered and the release of its applied patch. What’s more, your systems are still susceptible to zero-day vulnerabilities. Because patching isn’t perfect, it’s important to harden all your systems by disabling unnecessary ports, services, and features. Only authorized applications should be allowed, and they should be locked down if possible, using allow lists. Privileged account users should use separate accounts to check email and surf the web from the accounts utilized to perform privileged tasks on critical systems. If a malware outbreak does occur, workstations and IoT devices should be segmented from critical systems using VLANs and a next-generation firewall.
One of the reasons why businesses continue to use outdated systems is to avoid the cost of replacement. Unfortunately, that is much like saving money by continuing to drive a vehicle that is unsafe to drive. Even a new car requires regular maintenance, however, just as an operating system requires regular patching and updating to remain secure. Because CVEs are so prevalent today, patching efforts should be monitored to ensure that exploitable weak points are eradicated. These collective steps make up the insurance that one day will potentially save you the expense of recovering from a cyberattack that can easily cost over $1 million. Hackers and cybercriminals are aware of your weaknesses, which means you should too. The steps required to eliminate those weaknesses will save you both money and hardship in the long run.