Vulnerabilities / Threats

3/25/2020
05:40 PM
Missing Patches, Misconfiguration Top Technical Breach Causes

Less than half of businesses surveyed can patch critical vulnerabilities within 72 hours. Why does the process take so long?

Nearly 60% of data breaches in the past two years can be traced back to a missing operating system patch or application patch, researchers report. Poor patch management can be linked to the high costs of downtime and disruption, both of which are magnified in larger organizations and are poised to escalate as businesses rush to support fully remote staff as COVID-19 spreads.

The stat comes from Automox, where a team polled 560 IT and security pros at companies with 500 to 25,000 employees. They learned 81% had suffered a breach in the past two years. Thirty-six percent of those incidents stemmed from a phishing attack, which was the most common root cause, followed by missing OS patch (30%), missing application patch (28%), OS misconfiguration (27%), insider threat (26%), credential theft (22%), and brute force (17%).

"Everyone is aware that phishing attacks are a top root cause for data breaches," says Jay Goodman, strategic product marketing manager with Automox. "What we found is there is a surprising amount [of] OS patches, application patches, and misconfiguration mistakes that led to the root cause for data breaches."

This data indicates improved patching processes could strengthen enterprise defense against cybercrime; however, patch management has historically been a nightmare for IT and security teams: 12,174 common vulnerabilities and exposures (CVEs) were reported last year, and applying these patches takes time. Less than half of businesses Automox surveyed would be able to patch critical vulnerabilities within 72 hours of their disclosure, and only 20% could patch zero-day flaws within a 24-hour period.

"It's a scale issue and it's a prioritization issue," says Stephen Boyer, co-founder and CTO at BitSight. "Think about all the vulnerabilities coming at you. The key question is which vulnerabilities [to patch] and when."

Patching is pricey, and larger businesses suffer greater losses in disruption and downtime. Boyer refers to a defense contractor as an example: There, he says, it could cost $250,000 to roll out a single patch. Not all fixes are this expensive, but let's say the average hourly wage for a company is $25 per hour, and updating a system disrupts work for 10 minutes per employee. With an employee base of 50,000 people, that amounts to about $208,000 in lost productivity.

"Of course, not all patches will cause this much disruption, but you can see how it can add up," he explains. Patching requires IT and security to juggle complexity, scale, and prioritization. "It's a very, very difficult problem in practice," Boyer notes, and it's not a trivial task for security teams to handle when tens of thousands of vulnerabilities are being disclosed each year.

"It's easier for small businesses because they don't have the overhead of the processes associated with patching that larger organizations have to implement," says Goodman. Security teams need to verify a patch works, make sure it doesn't interfere with other systems, and slowly roll it out to a small subset of users to ensure it's working as it should be.
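The survey's two response windows (critical vulnerabilities within 72 hours of disclosure, zero-days within 24 hours) and Boyer's back-of-the-envelope disruption cost are easy to turn into a small tracker that tells a team which open findings have already blown their window. The script below is an added example, not code from the article or from Automox or BitSight; the CVE identifiers, hostnames and dates in it are constructed sample data, and the SLA thresholds are simply the ones the survey asked about.

```python
"""
Patch-SLA tracker (added example, not from the Dark Reading article or the
Automox/BitSight surveys it cites).

It models the two response windows the survey uses -- critical
vulnerabilities within 72 hours of disclosure and zero-days within 24 hours --
and the rough disruption-cost estimate Boyer walks through (hourly wage x
minutes of downtime per employee x headcount). All CVE identifiers, dates and
hosts below are constructed sample data, not real findings.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# SLA windows, taken from the thresholds the survey asked respondents about.
SLA_HOURS = {"critical": 72, "zero-day": 24}


@dataclass
class Finding:
    cve: str           # constructed placeholder id, e.g. "CVE-0000-0001"
    host: str
    severity: str      # "critical" or "zero-day" (the two classes with an SLA)
    disclosed: datetime
    patched: Optional[datetime] = None

    def deadline(self) -> datetime:
        return self.disclosed + timedelta(hours=SLA_HOURS[self.severity])

    def status(self, now: datetime) -> str:
        """'met' if patched inside the window, 'late' if patched after it,
        'overdue' if still unpatched past the deadline, otherwise 'open'."""
        if self.patched is not None:
            return "met" if self.patched <= self.deadline() else "late"
        return "overdue" if now > self.deadline() else "open"


def sla_report(findings, now):
    """Count findings per status and compute the share of closed findings
    that were patched inside their window."""
    counts = {"met": 0, "late": 0, "overdue": 0, "open": 0}
    for f in findings:
        counts[f.status(now)] += 1
    closed = counts["met"] + counts["late"]
    counts["met_ratio"] = counts["met"] / closed if closed else 0.0
    return counts


def overdue(findings, now):
    """Unpatched findings already past their window, oldest deadline first,
    i.e. the prioritization list Boyer's 'which and when' question asks for."""
    late = [f for f in findings if f.status(now) == "overdue"]
    return sorted(late, key=lambda f: f.deadline())


def disruption_cost(employees, hourly_wage, minutes_per_employee):
    """Lost productivity from a patch that interrupts every employee,
    the same arithmetic as the $25/hour, 10-minute, 50,000-employee example."""
    return employees * hourly_wage * minutes_per_employee / 60


# Constructed sample inventory: one critical finding on two hosts, one
# zero-day on a remote laptop, and one fresh critical still inside its window.
T0 = datetime(2020, 3, 20, 9, 0)
SAMPLE = [
    Finding("CVE-0000-0001", "fileserver-01", "critical", T0, T0 + timedelta(hours=20)),
    Finding("CVE-0000-0001", "fileserver-02", "critical", T0, T0 + timedelta(hours=90)),
    Finding("CVE-0000-0002", "laptop-remote-17", "zero-day", T0 + timedelta(days=1)),
    Finding("CVE-0000-0003", "rdp-gw-01", "critical", T0 + timedelta(days=4)),
]
NOW = T0 + timedelta(days=5)

if __name__ == "__main__":
    print(sla_report(SAMPLE, NOW))
    for f in overdue(SAMPLE, NOW):
        print(f"OVERDUE {f.cve} on {f.host}, deadline was {f.deadline():%Y-%m-%d %H:%M}")
    print(f"Estimated disruption: ${disruption_cost(50_000, 25, 10):,.0f}")
```

Run against the sample inventory, the report shows one finding patched in time, one patched late, one overdue zero-day on a remote laptop and one still inside its window; the `met_ratio` of 0.5 is the figure a team would compare against the survey's "less than half" benchmark for its own estate.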

Larger organizations are also at a disadvantage because they're more likely to run older OS versions. When Microsoft ended support for Windows 7 in January, nearly 90% of firms with more than 10,000 employees were still running it on at least one machine. Only 61% of businesses with fewer than 1,000 employees were doing the same, BitSight reported at the time.

Costly downtime and disruptions mean even "fire drill" vulnerabilities don't get patched. Boyer refers to BlueKeep, the Remote Desktop Protocol flaw Microsoft disclosed last summer. As of July 2019, about 788,214 systems remained vulnerable to BlueKeep, BitSight found. As of about a week ago, there were still 377,944 systems exposed, Boyer says, citing a new pool of data.

Remote Work Won't Make It Easier
While respondents to Automox's survey say they prioritize patching and hardening their systems, there are several issues that get in the way. Practitioners cite difficulty patching systems belonging to mobile employees and remote offices, inefficient patch testing, lack of visibility into endpoints, and insufficient staffing in both SecOps and IT operations.

Many of today's businesses have begun to support fully remote staff to protect them from the spread of COVID-19. The shift is likely to exacerbate existing patch management challenges. "It's a huge problem," says Boyer of the rapid transition. "You just exploded the attack surface of an organization." Instead of employees working behind a firewall on corporate Wi-Fi, they are working from home networks. Many don't even have a corporate machine, he points out.

"The scale and speed with which it happened is scary, and the environments people are working in now are way different from corporate environments," Boyer continues.

To effectively patch systems in this climate, remote management is needed on every machine. But what if something goes wrong in the middle of an upgrade? What if a user can't log in to an application, or they don't have something installed when they should? If someone's software upgrade doesn't go smoothly and interferes with critical software, are they out of luck? Businesses will be forced to decide on how long someone can hold off on a patch, Boyer explains.

"Remote employees are falling behind in terms of patching," says Goodman. "How is that going to grow over time as organizations face the new work-from-home reality?"


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments

RyanSepe, User Rank: Ninja, 3/30/2020 | 9:49:52 PM

Patching is Key

I cannot parrot this enough. The key to good security is through remediation of exposures. Sure, someone could pick the lock to your house, but if there is a hole in the wall, why go through all the hassle? Make sure to patch up that hole.