The Risks of Poor Patch Management
We all neglect things we know we shouldn’t, like a yearly physical with a healthcare provider. When the time rolls around, you tell yourself you’ll make an appointment when you’re less busy, that you feel fine so there’s no need, or concoct another story that lets you put off what you know you shouldn’t. While your excuse may feel valid or even logical at the time, skipping that doctor’s visit can allow health problems to go undetected, potentially leading to serious consequences and even death – all of which might have been avoided had you gone to that appointment.
The simple act of patching software vulnerabilities is much the same. Applying patches quickly and often can go a long way toward preventing disastrous consequences like cyberattacks and the ensuing high costs, often hundreds of thousands of dollars, of cleanup after a breach. However, like the doctor’s visit, security teams might delay patching because of other priorities, limited staff, or another reason that feels logical at the time.
The cost of not patching
Unpatched vulnerabilities that can be exploited by threat actors can be extremely costly, given that the average global data breach cost in 2022 was $4.35 million, up 2.6% compared to 2021. Even more jarring is that 57% of cyberattack victims said their breach was due to unpatched vulnerabilities, and 34% knew of the vulnerability but failed to apply patches in time.
And time is not on the side of security professionals. A Palo Alto Networks report found 80% of exploits were made public on average 23 days before their CVEs were published. Adding to that timeline, Edgescan researchers report organizations take an average of 60 days to fix critical vulnerabilities; however, 57% of observed vulnerabilities were two years old, and 17% were at least five years old.
As your organization grows and becomes more dependent on third-party apps, you open yourself up to more potential vulnerabilities. Ensuring systems remain protected requires security professionals to constantly be aware of the latest software updates and threat intelligence related to your company’s applications.
The patching dilemma
To patch or not to patch isn’t quite the question in this case. In today’s world, threat actors launch attacks quickly, often as soon as a vulnerability is discovered and before a patch is released. That means it’s always better and less risky to patch systems immediately to remain protected. However, patches can have unintended consequences, so the timing of patching can be critical when multiple systems need to be considered, and downtime can be triggered.
Consider zero-day patches. Because they are released as fast as possible, they haven’t been as rigorously tested and could unknowingly interfere or conflict with other systems or patches, potentially causing more problems.
Complicating the matter further is that patch management can fail for many reasons. Patches could be incompatible with hardware, laptops and devices might be turned off, or device activity could prevent the installation. Given the ongoing cybersecurity talent gap, patch management strategies can go awry simply due to a lack of manpower or expertise.
Weighing short-term effects like service disruption or the more catastrophic ones, such as unknown system conflicts, against a potential cyberattack is a delicate balancing act, but unpatched systems are a common entry point for threat actors. The wrong decision, poor timing, or an ill-conceived mitigation strategy can have dire consequences, as plenty of
companies can attest to.
Rackspace: Mitigation over patching was the wrong choice
In December of 2022, cloud service provider Rackspace was attacked by the Play ransomware group, which exploited CVE-2022-41080, a known zero-day flaw in Microsoft’s Hosted Exchange email environment. Microsoft, aware of threat actors actively exploiting the vulnerability, released a patch in early November and urged customers to install the updates immediately.
For Rackspace, concerns about service disruption and a decision to rely on a mitigation strategy trumped the importance of applying the patch. That decision allowed Play to access the personal data of 27 Hosted Exchange customers which, in turn, caused service outages for Rackspace customers – the very thing the company was trying to avoid. Rackspace hasn’t said whether a ransom was paid, but the company’s reputation certainly took a hit.
Equifax: Unpatched app leads to one of the biggest payouts
In 2017, US credit reporting agency Equifax experienced a data breach that exposed the personal and sensitive information of approximately 147 million consumers. A patch for the vulnerability, known as CVE-2017-5638, was released in March 2017. Equifax failed to deploy it in time, allowing the hackers to exploit the vulnerability beginning in mid-May through its discovery in July.
The incident led to significant public scrutiny, severe reputational damage, and multiple investigations. Ultimately, Equifax reached a settlement with the FTC, the Consumer Financial Protection Bureau, and 50 US states, which included a payment of $425 million to compensate affected consumers.
Uber, the SEC, and the Department of Homeland Security also reported they had been affected by the same vulnerability.
The Red Cross: A vulnerability and vulnerable people
Nothing demonstrates the depravity of threat actors more than when they go after humanitarian agencies like the International Committee of the Red Cross and steal the personal data of over 515,000 vulnerable people. In this attack, hackers exploited an unpatched vulnerability (CVE-2021-40539) in Zoho’s single sign-on tool and then gained access to the Red Cross’s contact database using offensive security tools, which made the threat actors appear legitimate.
The sophistication of the attack and the obfuscation techniques used to avoid detection are only known to a handful of Advanced Persistent Threat (APT) groups, leading many in the security community to believe it was a state-sponsored attack. In line with that is the fact that the data stolen belongs to missing people, detainees, and others displaced by armed conflicts, migration, or natural disasters. As no ransom was demanded, and no data was deleted, the threat actors appear to have copied and exported the data for their own use.
Increasing Vulnerabilities Require Stringent Patch Management
In Q1 of 2022, over 8,000 vulnerabilities were published in the US’s National Vulnerability Database, a 25% increase from Q1 2021, and a trend likely to continue.
A Positive Technologies study revealed that 84% of companies have high-risk vulnerabilities on their external network, and over half of those could easily be removed if companies simply installed updates and patches, underscoring how critical a single patch can be and how it can significantly decrease your chances of an attack.
Deploying it quickly and with care can stop you from becoming a victim. However, staying on top of an increasing number of vulnerabilities is a challenge, especially for lean teams and SMBs. Cybersecurity companies like CYREBRO can help you overcome the challenge by supplying a constant stream of critical threat intelligence and vendor updates while monitoring your organization 24/7 should any incident threaten your business. With that information, you’ll be able to prioritize vulnerabilities and protect your organization.