Vulnerability Patch Management: Cost of Doing Nothing

When an organization fails to apply an available patch for a known software vulnerability, that is, when it simply does nothing, the cost can be high: new research shows that 60% of breaches in 2019 involved unpatched software vulnerabilities.

The new research “Costs and Consequences of Gaps in Vulnerability Response” conducted by Ponemon Institute for ServiceNow showed that 60% of breaches in 2019 could have been prevented by more timely patching.

What Is a Patch?

A patch is a piece of code inserted into an existing computer program. Patches are typically applied to existing software to improve its functionality, and they are also applied to fix known security vulnerabilities.

According to Ponemon Institute, it takes an average of 43 days to see a cyber-attack once a patch for a critical or high priority vulnerability is released to the public, while it takes an average of 169 days to see a cyber-attack once a patch for a medium or low vulnerability is released.

The Costs and Consequences of Gaps in Vulnerability Response study showed that delays in vulnerability patching were caused by the following:

  • Not having enough resources to keep up with the volume of patches;
  • Not having a common view of applications and assets across security and IT teams;
  • Not being able to take critical applications and systems off-line so they can be patched quickly; and
  • Difficulty in prioritization.

The study conducted by Ponemon Institute also found that vulnerability management, and timely patching in particular, is hampered because patching has to be coordinated with other areas of the organization, which adds an extra 12 days before a patch can be applied.

Costly Failure to Patch Known Vulnerabilities

The Equifax data breach, one of the biggest data breaches on record, affected 148 million consumers, the majority of whom were in the U.S., with others in Canada and the U.K. It was caused by the failure to patch a known software vulnerability in a timely manner. That vulnerability, CVE-2017-5638, is rated critical with a CVSS base score of 10.

CVSS, short for Common Vulnerability Scoring System, is a free and open industry standard for assessing the severity of software vulnerabilities. The National Vulnerability Database (NVD), which provides CVSS scores for almost all known vulnerabilities, rates vulnerabilities on a scale from 0 to 10: a CVSS base score of 0.0 to 3.9 is categorized as low, 4.0 to 6.9 as medium, and 7.0 to 10 as high or critical.

CVE-2017-5638 is a security vulnerability in Apache Struts, a free and open-source framework used by many organizations, including Fortune 100 companies, to build web applications. The vulnerability allows remote code execution: an attacker can gain access to someone else’s computer and make changes to it from anywhere in the world, provided that the vulnerable computer is connected to the public internet.

The Apache Software Foundation, the organization behind hundreds of open source projects including Apache Struts, publicly released a patch for this vulnerability on March 7, 2017. On March 8, 2017, one day after the patch was released, a proof of concept demonstrating the attack scenario was made publicly available.

A report released by the U.S. House of Representatives Committee on Oversight found that Equifax used the vulnerable version of Apache Struts in its web application called “Automated Consumer Interview System (ACIS)” and failed to patch it. The report said that the attackers exploited the vulnerability in ACIS, leading to a 76-day long cyber attack on Equifax’s network.

According to the report, the unpatched Apache Struts used in the company’s ACIS allowed the attackers to locate a file containing unencrypted credentials, including usernames and passwords. These unencrypted credentials allowed the attackers to gain access to the company’s internal databases, containing personally identifiable information of the company’s consumers.

Vulnerability Patch Management

The Equifax data breach is just one of many examples of the costly effect of failing to patch software vulnerabilities in a timely manner.

One characteristic of an effective vulnerability patch management program is giving priority to patching the vulnerabilities that pose the most immediate risk to your organization’s network. As the Equifax data breach shows, it’s important to prioritize critical vulnerabilities, specifically those with a CVSS base score of 7.0 to 10. Security vulnerabilities that allow remote code execution – vulnerabilities that let attackers access and make changes to computers connected to the public internet, and which normally receive a high or critical CVSS base score – should be patched first.

In addition to patching vulnerabilities with high or critical CVSS base scores, it’s also important to prioritize patching critical IT infrastructure such as server operating systems. Cyber criminals, in particular, zero in on unpatched server operating systems as an entry point for attacks.
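As an added illustration (not from the article or its authors), the following Python ranks a constructed patch backlog by the factors described above: the NVD CVSS bands, remote code execution, critical infrastructure such as server operating systems, internet exposure, and whether the patch has been available longer than the Ponemon average of 43 days (high/critical) or 169 days (medium/low) before an attack is seen. The weights are assumptions, and the asset context given for the two real CVEs is hypothetical.

```python
from dataclasses import dataclass

# Illustrative weights (assumed here, not figures from the article).
RCE_WEIGHT, CRITICAL_ASSET_WEIGHT, EXPOSED_WEIGHT, OVERDUE_WEIGHT = 3.0, 2.0, 2.0, 3.0

@dataclass
class Finding:
    cve: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    rce: bool              # allows remote code execution
    critical_asset: bool   # e.g. a server operating system
    internet_facing: bool  # reachable from the public internet
    days_since_patch: int  # days since the vendor published the fix

def cvss_band(score: float) -> str:
    """NVD severity bands as the article states them."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must lie between 0.0 and 10.0")
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    return "high/critical"

def exploit_window_days(score: float) -> int:
    """Average days from patch release to an observed attack (Ponemon figures)."""
    return 43 if cvss_band(score) == "high/critical" else 169

def priority_score(f: Finding) -> float:
    """Higher means patch sooner: CVSS base score plus the article's risk factors."""
    overdue = f.days_since_patch >= exploit_window_days(f.cvss)  # past the average attack window
    return (f.cvss + RCE_WEIGHT * f.rce + CRITICAL_ASSET_WEIGHT * f.critical_asset
            + EXPOSED_WEIGHT * f.internet_facing + OVERDUE_WEIGHT * overdue)

def ranked_cves(findings: list) -> list:
    """CVE identifiers ordered from most to least urgent."""
    return [f.cve for f in sorted(findings, key=priority_score, reverse=True)]

# Constructed backlog: the two real CVEs carry the scores the article gives;
# their asset context and the CVE-0000-* identifiers are placeholders.
SAMPLE_BACKLOG = [
    Finding("CVE-2017-5638", 10.0, rce=True, critical_asset=False, internet_facing=True, days_since_patch=60),
    Finding("CVE-2017-0143", 8.1, rce=True, critical_asset=True, internet_facing=False, days_since_patch=10),
    Finding("CVE-0000-0001", 5.3, rce=False, critical_asset=True, internet_facing=False, days_since_patch=200),
    Finding("CVE-0000-0002", 2.1, rce=False, critical_asset=False, internet_facing=False, days_since_patch=30),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE_BACKLOG, key=priority_score, reverse=True):
        print(f"{f.cve:15} {cvss_band(f.cvss):14} priority={priority_score(f):5.1f}")
```

Note that the medium-severity placeholder outranks nothing critical here, but its 200-day age still pushes it past the 169-day window, which is exactly the kind of forgotten item a backlog review should surface.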

The WannaCry cyber-attack, which affected hundreds of thousands of computers in less than 24 hours on May 12, 2017, for instance, exploited computers that had not applied Microsoft’s patch for CVE-2017-0143, a remote code execution vulnerability in the way the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests, enabling an attacker to execute code on the target server. This vulnerability affects Windows Server 2016, Windows Server 2012, Windows Server 2008, Windows 10, Windows 7, Windows 8.1, Windows RT 8.1 and Windows Vista. CVE-2017-0143 has a CVSS base score of 8.1.

Don’t have time or resources to proactively manage and patch your IT systems? Avoid costly mistakes.

Call us today at (416) 920-3000 or email us, and our experts will be happy to help.
