Research: half of companies take a month to patch vulnerabilities - why?

    Researchers at Kollective, a company that develops software-defined content delivery networks, surveyed two hundred American and British organizations. They found that almost half of the companies needed a month to close a known vulnerability. Here is why this happens and what can be done about it.



    Companies take too long to install patches


    Kollective surveyed the heads of IT departments. 45% of respondents from large corporations (those with more than 100 thousand network terminals) answered that they need approximately 30 days to install a patch. Another 27% said that installing updates sometimes takes several months.

    In the face of a growing number of cyber threats, this approach seems unacceptable. According to Symantec, the number of ransomware attacks increased by 36% last year. At the same time, more than 230 thousand malware samples are known to appear every day.

    As a result, over the past two years the time a company has to install a patch before attackers take advantage of the vulnerability has decreased by 29%. However, a simple security update is still one of the most effective means of protection. In many data breaches and leaks, attackers exploit vulnerabilities for which a patch has already been released.

    ServiceNow surveyed 3,000 security specialists from around the world and found that 56% of companies could have avoided a data leak in the past if they had installed the update in time. One example is the massive theft of personal data from Equifax in the United States, in which the personal data of more than 140 million Americans leaked online.

    This incident could have been avoided if the credit bureau's specialists had installed the patch in time. The attackers exploited a vulnerability in the Apache Struts framework (CVE-2017-5638) associated with an error in exception handling. A patch for this vulnerability was released two months before the attack on Equifax.

    Why updates are delayed


    1. Shortage of staff. Information security departments suffer from a lack of qualified specialists. According to the non-profit organization ISACA, by 2019 the industry will be short of approximately 2 million information security personnel.

    This already directly affects how well organizations are protected against cyber attacks. In a 2016 McAfee study, a quarter of respondents said that the lack of information security experts at their company had caused data leaks.

    2. Inefficient patch management. However, expanding the staff of information security professionals in a company does not always make the IT infrastructure more reliable. ServiceNow notes that security improvements should not be expected until the business processes around patching are changed.

    A large number of manual processes slows down the closing of vulnerabilities. Some companies still use Excel to manage patches. One Fortune 100 company even formed a whole department of employees responsible for maintaining spreadsheets of vulnerability data: they record whether a patch exists, who installs it, and so on.

    According to Mark Nunnikhoven, vice president of cloud research at Trend Micro, the lack of automation in updating companies' IT systems was one of the main reasons WannaCry spread so widely.

    3. The difficulty of prioritizing updates. According to the publication CSO, another reason systems are updated slowly is that there are too many patches. Security professionals find it difficult to prioritize and decide which ones need to be installed before others. Even in the case of Spectre and Meltdown, experts expressed opposite opinions: some suggested waiting, while others rushed to install the patches quickly.

    The situation is complicated by how slowly vulnerability databases are populated. By August of this year, more than 3,000 of the threats found from January to June 2018 had not made it into the CVE and NVD databases. Almost half of them received the highest danger rating on CVSSv2.

    4. The complexity of the installation. Barkly surveyed security specialists about installing the Meltdown and Spectre updates. 80% of respondents considered the process of installing patches to close the vulnerabilities in Intel chips "unclear".

    “When Meltdown and Spectre appeared, there was no convenient test utility to identify these vulnerabilities. Over time, utilities began to appear, but it was impossible to guarantee their reliability,” says Sergey Belkin, head of the development department at 1cloud. “Later, Microsoft offered a method of verification, but it was also quite complicated. But then solutions appeared (in particular, for a number of Linux distributions) that made it possible to find out, with a single command in the console, whether a system is affected by Meltdown and Spectre.”
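On Linux, one interface that supports the kind of one-command check mentioned in the quote is the kernel's sysfs directory `/sys/devices/system/cpu/vulnerabilities`, which holds one status file per issue. The script below is an added example, not code from the original post or from 1cloud; the function names and the sample statuses are constructed for illustration.

```python
from pathlib import Path

# Linux kernels that carry the Meltdown/Spectre fixes expose per-issue status here.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

def classify(status):
    """Map one kernel status line to ok / mitigated / vulnerable / unknown."""
    s = status.strip()
    if s == "Not affected":
        return "ok"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unrecognised wording: review by hand

def read_status(base=SYSFS_DIR):
    """Return {issue: status line}; {} when the kernel has no such directory."""
    d = Path(base)
    if not d.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(d.iterdir()) if p.is_file()}

def verdict(statuses):
    """Summarise one host. An empty result is 'unverifiable', never 'clean'."""
    if not statuses:
        return "unverifiable", []
    open_items = sorted(n for n, s in statuses.items()
                        if classify(s) in ("vulnerable", "unknown"))
    return ("action-needed" if open_items else "clean"), open_items

# Constructed sample in the kernel's status format (not from a real host).
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "l1tf": "Not affected",
}

if __name__ == "__main__":
    print("sample host:", verdict(SAMPLE))
    print("this host:  ", verdict(read_status()))
```

A host whose kernel predates the interface returns an empty result and is reported as unverifiable, which keeps unpatched kernels from being counted as clean in a fleet report.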
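For the spreadsheet tracking in point 2 and the prioritization problem in point 3, the following added example (not from the original post) ranks open findings automatically. The scoring weights are an assumed heuristic, the identifiers and dates are constructed, and findings without a CVSS score are ranked as worst case because, as noted above, many issues reach CVE/NVD late.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 30          # the one-month window reported in the survey
TODAY = date(2018, 9, 1)        # constructed reference date

@dataclass
class Finding:
    vuln_id: str                      # constructed placeholder, not a real CVE
    asset: str
    cvss: Optional[float]             # None: not yet scored in CVE/NVD
    patch_released: Optional[date]    # None: vendor has shipped no patch
    internet_facing: bool

def days_overdue(f, today=TODAY):
    """Days past the patch window; 0 while inside it or when no patch exists."""
    if f.patch_released is None:
        return 0
    return max(0, (today - f.patch_released).days - PATCH_WINDOW_DAYS)

def priority(f, today=TODAY):
    """Assumed heuristic: severity, plus exposure, plus age of the unapplied fix."""
    score = 10.0 if f.cvss is None else f.cvss   # unscored counts as worst case
    if f.internet_facing:
        score += 2.0
    if f.patch_released is not None:
        # A released patch makes the flaw public knowledge, so delay adds risk.
        score += 1.0 + days_overdue(f, today) / PATCH_WINDOW_DAYS
    return round(score, 2)

def triage(findings, today=TODAY):
    """Highest priority first; ties keep their input order."""
    return sorted(findings, key=lambda f: priority(f, today), reverse=True)

# Constructed inventory, standing in for the spreadsheet rows.
SAMPLE = [
    Finding("VULN-A", "web-frontend", 10.0, date(2018, 7, 1), True),
    Finding("VULN-B", "hr-db", 5.3, date(2018, 8, 20), False),
    Finding("VULN-C", "build-server", None, None, False),
    Finding("VULN-D", "vpn-gateway", 7.5, date(2018, 5, 1), True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):6.2f}  {f.vuln_id}  {f.asset}  overdue={days_overdue(f)}d")
```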

    How to increase the speed of updates


    1. Automate the installation of patches. Automating the update process simplifies the task for administrators and end users. The system downloads patches from the Internet itself, and the system administrator only has to monitor the installation process. This is especially important for cloud providers, as they manage a huge number of "machines".

    There are tools (for example, HPE Server Automation) that centrally update the operating systems on data center servers. They let you select the necessary patches offered by the OS vendor. They also let you customize the installation process itself, for example to exclude updates that are not suitable for a particular environment.

    2. Educate employees. People play an important role in ensuring data security. It is therefore necessary to raise the awareness of IT specialists and ordinary employees, and to invest money and time in, at the very least, basic cyber-hygiene courses.



    In general, a variety of methods can be used to help people absorb knowledge about data security, for example gamification. The Australian division of PricewaterhouseCoopers runs the Game of Threats game among its customers, in which teams of “hackers” and “system defenders” compete in a special simulator.

    3. Invest more in cybersecurity. According to Gartner, in 2018 organizations' cybersecurity costs will increase by 12.4% compared with last year. Firms will spend more money on process automation and new data protection technologies so that information security professionals can work more efficiently.

    What's next


    Slow installation of security updates is a systemic problem. It will probably cause "inconvenience" for quite a long time, especially in light of the discovery of new major processor vulnerabilities such as Foreshadow. However, if more companies start to install patches quickly, this will have a positive effect on the entire ecosystem and significantly reduce the number of personal data leaks like the one that happened at Equifax.
