5 Systems You're Forgetting To Patch

While many security advocates would likely argue that today's organizations still have lots of work to do with their endpoint patch management practices, many organizations have automated their Windows system updating procedures and are slowly dialing in their third-party application patching. But even with that progress being made, there is a whole rag-tag class of systems--many of them extremely critical--that frequently run unpatched and ridden with vulnerabilities.

Some of them lay exposed because vendors are slow putting out patches, others because the updating process could threaten mission critical operations with downtime and still others because administrators simply aren't paying attention. Whatever the reason, systems like the five below must be added to patch management policies lest organizations risk costly compromises.

[What are the hidden costs of compliance? See The Compliance Officer's Dirty Little Secret.]

1. Devices Using Java

According to Cameron Camp, researcher for ESET, there's a disturbing lag on security updates to Java these days due to the widespread adoption of the platform in applications outside the traditional OS updating schema.

"Given that Java is estimated to be implemented on three billion devices, the potential impact can be high and we've seen an increase in Java-based exploits where the updates have long been available, but weren't implemented," he says.

As Java gains prominence in the mobile world and within embedded devices, organizations have got to figure out a way to keep their devices updated.

"Since Java is implemented in everything from mobile devices to corporate video conferencing hardware, be careful to cover the devices you may not typically think about, but may be networked and need protection," he says.

2. Printers

After a demonstration by researchers from the Intrusion Detection System Laboratory at Columbia University showed how vulnerabilities in HP printers could be remotely exploited to destroy the printers, propagate malware inside the firewall and otherwise wreak havoc in a corporate environment, HP released 56 different fixes for its printers earlier this year.

As important as these firmware updates are, more than seven months later just one- to two percent of the affected devices have been patched by their users, according to research reported by The Guardian.

Meanwhile, a whitepaper published in July further solidified the argument for stronger printer patch policies. Researchers with Finnish firm Codenomicon showcased their in-depth work using fuzzers against six different printers to yield high risk exploits that in the real world would expose organizations to data theft and total network compromise.

"A network is only as secure as its weakest element. Based on our research, that weakest element is a network printer," the paper read. "Network printers are especially vulnerable because they have a broad attack surface and they are often designed with little consideration for security."

3. Routers

The easily exploited and extremely risky vulnerabilities in Huawei routers outlined by researchers with Recurity at Def Con last month reopened the debate about how much network routers can open an organization up to attack. It's a topic that Recurity kicked off in 2009 with a different Black Hat demonstration of Cisco router exploits and one which some in the industry have endeavored to bring awareness to.

According to Marta Janus, security researcher for Kaspersky Lab, routers remain susceptible to attack due to slow vendor movement in developing updates to their firmware and even slower progress by organizations to utilize patches once they're released.

"Both users and vendors do not seem to be fully aware of the security issues and do not pay them enough attention," she wrote last year. "Even for firmware bugs that are easily fixed, updates for network devices are at best slow to be released and at worst left unresolved, and users do not usually care or are unaware of how to install these device updates."

Even with a high level of awareness, the difficulty of implementing patches can often lead to organizations letting router "defects persist for years," she says.

4. ERP Systems

This May, researchers from Onapsis announced at the Hack in the Box conference in Amsterdam that of more than 600 SAP systems they tested, 95% of them would be vulnerable to some sort of fraud or sabotage--mostly due to poor patching processes.

Used to connect to some of the most sensitive data an enterprise depends upon, ERP systems are some of the juiciest systems for financially motivated attackers to target. And yet, most organizations today avoid patching their ERP systems due to complexity issues and downtime fears.

"There is a big problem in this ERP security space: More security breaches are being reported and customers need patches to protect themselves from them, but most do not patch their ERP systems enough," says Mariano Nunez, CEO at Onapsis.

5. Databases

Database patch management has been abysmal for years.

"When a given database costs serious amounts of dollars per minute of downtime, the application owners are very reluctant to patch," says Dr. Mike Lloyd, CTO of RedSeal Networks.

According to last year's International Oracle Users Group (IOUG) security survey, fewer than a third of organizations apply Critical Patch Updates to their database systems within one to three months. And approximately one in ten admit to letting database patches slide out past a year and even indefinitely. The statistics back up security professionals' anecdotal evidence from day-to-day dealings with DBAs.

"Customers don't run regular vulnerability scans and don't lock down their databases," says Patrick Bedwell, vice president product marketing for Fortinet. "Also they don't patch the databases to mitigate some of the vulnerabilities."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.