Why are so many organizations struggling to patch? [Q&A]
Many recent cyber attacks like WannaCry have succeeded by exploiting vulnerabilities that, although known, have gone widely unpatched.
Why do some organizations find it so difficult to keep their systems up to date and what can they do to better protect themselves? We spoke to Wendy Nather, principal security strategist at Duo Security to find out.
BN: Despite the industry evangelizing the importance of updating software and patching, it's evident that it's not always happening -- why is this?
WN: There are lots of reasons why organizations may be struggling to update software and patch systems. Many organizations simply don't have the manpower and resources required to carry out updates to their software every week and many don't possess the expertise to troubleshoot any problems which could arise. Additionally, their business may require operational availability at the expense of patching. For example, retailers tend to implement a change freeze between October and January so peak holiday shopping periods aren't affected.
BN: What advice can you give organizations, in the short term, that simply can't update to the latest software?
WN: If an organization is unable to regularly patch its systems, it's imperative to do as much as possible to make them more resilient. For example, maintaining frequent backups and conducting data backup integrity testing, along with implementing a disaster recovery and emergency operations plan are all good practices to follow.
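One way to put the "data backup integrity testing" mentioned above into practice is to record a hash manifest when a backup is written and re-verify it before relying on that backup. The following script is an added example and is not code from the interview, from Duo Security, or from any product; the directory layout, file names and the hypothetical corruption scenario in `demo()` are all constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # hash in 64 KiB chunks so large backup files never need to fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Walk a backup directory and record the size and SHA-256 of every file.

    Keys are paths relative to backup_dir, so the manifest stays valid after the
    backup set is copied elsewhere (offsite disk, tape, object storage).
    """
    manifest = {}
    for path in sorted(p for p in backup_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(backup_dir).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return manifest


def verify_manifest(backup_dir: Path, manifest: dict) -> dict:
    """Compare the files now present in backup_dir against a stored manifest.

    Returns lists of 'missing', 'modified' and 'unexpected' relative paths;
    all three empty means the backup set still matches what was written.
    """
    result = {"missing": [], "modified": [], "unexpected": []}
    present = {p.relative_to(backup_dir).as_posix()
               for p in backup_dir.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            result["missing"].append(rel)
            continue
        path = backup_dir / rel
        # Size first: cheap, and catches truncated copies without hashing them.
        if path.stat().st_size != expected["size"] or sha256_file(path) != expected["sha256"]:
            result["modified"].append(rel)
    result["unexpected"] = sorted(present - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: write a small backup set, snapshot it, then simulate
    silent corruption of one file and loss of another before re-verifying."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "db").mkdir()
        (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")
        (backup / "notes.txt").write_bytes(b"constructed sample backup\n")

        # The manifest is serialised to JSON so it can be kept apart from the backup.
        stored = json.dumps(build_manifest(backup), indent=2)

        # Same length, different content: only the hash check can catch this.
        (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'gadget');\n")
        (backup / "notes.txt").unlink()

        return verify_manifest(backup, json.loads(stored))


if __name__ == "__main__":
    print(demo())
```

Running the script reports `db/orders.sql` as modified and `notes.txt` as missing. In practice the manifest should be stored separately from the backup it describes (ideally on write-once or signed storage), and the verification should be scheduled as a routine job rather than run only when a restore is already needed.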
BN: How much of this boils down to money? Are there innovative ways that organizations without the biggest budgets can protect themselves?
WN: In the immortal words of Tom Gray of rock band The Brains, "Money Changes Everything." If you are an organization below the Security Poverty Line, all sorts of dynamics come into play that make it harder for you to secure your technology. If you can't afford to run your own systems, you end up relying on third parties; if you can't afford expert staff, you may not even know what risks you're facing, much less how to address them. As a small enterprise without much influence, you can't force vendors to patch their security vulnerabilities.
Having said that, if you don't have a large budget for security, you can still make up some of the difference by being very disciplined about how you run your IT. Know what you have, where it is, and what's happening on it. If you're in a position to choose new platforms and software, you'll be better off with a carefully chosen, reputable service provider rather than trying to do it yourself. Just make sure that the service includes regular patching, and make sure it doesn't conflict with your business requirements.
If you have legacy IT infrastructure, one of your ongoing projects should be to move gradually towards a more sustainable and flexible base. This will take years, but it's never too early to start planning for it.
BN: What practical measures should the industry be taking to support organizations that are struggling?
WN: On the practical side, security vendors should be designing their products not just for those customers with the largest budgets, but also for those that have little to no budget, and those without security expertise. The industry must recognize that a "one size fits all" approach to prescriptive security does not serve all of the enterprise shapes and sizes. The unwritten assumption that software can and should be continually updated just doesn't work for many industries.
Another part of the problem is that it's impossible for small companies to afford the level of security that we think they need. Financial assistance, such as the device buy-back program proposed recently in the US (in which the government purchases old devices in the healthcare sector), doesn't address the bigger issue that these devices were not built to be updated to begin with, and that they may well be replaced with devices which will themselves need to be replaced a few years down the line. We need to break the update addiction cycle, not exacerbate it.
Additionally, regulations only work if they're based on an understanding of the dynamics behind the situation we're in. We need a task force to look at underlying root causes rather than symptoms. Economic, technological and business imperatives drive whether a vendor even patches a flaw, as shown by Microsoft's decision to release patches for unsupported OSs in the wake of WannaCry.
BN: What are your predictions for the future -- can we make any real and lasting changes?
WN: The impact of the WannaCry and NotPetya attacks has given us added impetus to examine the wider issues around patching. In the future, we'll likely see more attempts to add both carrots and sticks to improve the practice, but we should also question the fundamental assumption that enterprises can and should be patching all the time. Campaigns to make software more secure from the beginning are critical, and software liability is a topic that we will continue to explore, in conjunction with cyber insurance providers. Sadly, these won't be the last attacks of this scale we see, so we need to learn the lessons of the past and ensure that safe software and effective security aren't just for the most well-resourced or agile organizations.