As technology develops and grows, so do cyberattacks. The National Cyber Security Centre (NCSC), between October 2016 and the end of 2017, and 762 less serious incidents. And the problem continues to ramp: reports “attack volumes increasing across all industries between 2018 and 2019 and the most common attack types accounted for 88% of all attacks: application-specific (33%), web application (22%), reconnaissance (14%), DoS/DDoS (14%) and network manipulation (5%) attacks”.
This year is no exception. Hackers exploit the COVID-19 panic to create websites that post ‘official’ COVID-19 information but actually deliver malware or try to steal users’ personal data. Organizations cannot wait for a punch card with a patch. They need . Let’s take a closer look at the best-known vulnerabilities that have dramatically impacted businesses.
Heartbleed is a vulnerability in the OpenSSL cryptographic library. The Heartbleed bug allows an attacker to read the memory of systems protected by vulnerable versions of the OpenSSL software.
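A version triage for the vulnerable OpenSSL releases mentioned above, added here as an example (it is not from the original article). It assumes the affected range from the upstream OpenSSL advisory (1.0.1 through 1.0.1f and the 1.0.2 betas up to beta1, fixed in 1.0.1g); the hostnames and the `classify`/`triage` helpers are constructed for illustration.

```python
import re

# Affected upstream releases (assumption taken from the upstream OpenSSL
# advisory, not from the article): 1.0.1 through 1.0.1f, plus 1.0.2-beta
# and 1.0.2-beta1. 1.0.1g and later carry the fix.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?", re.I
)


def classify(banner: str) -> str:
    """Classify an `openssl version` banner against the Heartbleed range."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unparsed"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = (m.group(5) or "").lower()
    if release == (1, 0, 1):
        # "" is 1.0.1 itself; letters a..f are affected, g onward are fixed.
        return "in-range" if len(letter) <= 1 and letter < "g" else "fixed"
    if release == (1, 0, 2) and beta in ("beta", "beta1"):
        return "in-range"
    return "not-affected"


# Constructed sample inventory (hostnames are made up).
INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "db-01": "OpenSSL 0.9.8y 5 Feb 2013",
    "lab-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "app-01": "LibreSSL 2.8.3",
}


def triage(inventory):
    """Group hosts by classification so in-range ones can be followed up."""
    groups = {}
    for host, banner in sorted(inventory.items()):
        groups.setdefault(classify(banner), []).append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

An "in-range" result is a prompt to check the package changelog rather than a verdict: distribution packages may backport the fix without changing the upstream version letter.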
VMware Case
According to the , more than 50% of vCenter servers and ESXi hypervisors were not patched and remained unprotected three months after the patch was released. If you look at the “” section, you surely will be surprised. How much time do we need to finally get rid of Heartbleed?
Conclusion
Various compliance standards and strictly shrink the patching window. Now in most cases, within 30 days to remain compliant. Years ago (“Some industrial sectors require 99.999% or greater ICS uptime. This requirement relates to 5 minutes and 35 seconds or less allowable downtime per year for any reason, making unscheduled patching out of the question.”). These days everyone needs this level of uptime no matter what industry it is. Before, was just a recommendation, but now the lack of it means non-compliance.
Shellshock is a privilege escalation vulnerability. If exploited, it allows an attacker to run commands remotely. Shellshock is an example of an arbitrary code execution (ACE) vulnerability. It can be easily exploited through web applications running on a vulnerable server.
Yahoo Case
It sounded like a joke but it wasn’t when using the Shellshock vulnerability. Like many major companies, Yahoo has a bug bounty program spending a lot of money not only on inside threats monitoring systems but inviting external sources, specialists, and experts.
Conclusion
From the , we can see that the time spent on monitoring systems for threats and vulnerabilities grows each year (127 hrs and 139 hrs spent weekly in 2018 and 2019 respectively). Add to this the time spent on applying patches, documenting, coordinating, and reporting, and you can see how the total (both in time and money) spent annually on vulnerability management can skyrocket. The numbers tell the story best.
Source: The “Cost and consequences of gaps in vulnerability response” report (independently conducted by )
The possible damages to individuals, businesses, and industries heavily in development, audit, testing, and security. But can you imagine that you can just pay once and stay safe by getting patches against all known and new vulnerabilities without needing to investigate, schedule, apply, and reboot?
Meltdown and Spectre exploit critical vulnerabilities in modern processors. They allow an attacker to steal data currently being processed on the computer. Most affected are large cloud services and enterprises that process private customer data.
Zombieload, one more critical bug in modern processors, allows stealing sensitive data and keys while the computer accesses them. The attack can affect all Intel processors since 2011.
Intel Case
The hysteria around Intel and Meltdown, Spectre, and Zombieload has now calmed down a bit but was like two tsunami waves back in 2019. : 100 million servers, 600 million PCs, and about 1.7 billion smartphones were vulnerable.
Source: ITCandor,
This equates to billions of reboots. Although most companies using Intel’s chips quickly applied their patches, the bad taste lingered.
Conclusion
One vulnerability can seriously damage a company’s operations and reputation as it happened with Intel. , , Meltdown and Spectre.
Disciplined patch management has become more critical as the number of vulnerabilities continues to increase. The consequences of being shortsighted or lax in the process become more and more devastating. If you have a good security policy, the right tools, and people who know how to manage them, you can minimize risks.
Even better if you have a toolset that automates the process and applies patches to infrastructures while they are operational.