Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

01:45 PM

Patching Poses Security Problems with Move to More Remote Work

Security teams were not ready for the wholesale move to remote work and the sudden expansion of the attack surface area, experts say.

A growing body of survey data suggests that the move to remote work has caused a growing number of headaches for security teams, especially regarding securing remote systems and maintaining up-to-date software through patching. 

In mid-March, 45% of companies encouraged workers to move to remote working, up from only 13% of companies in 2018, according to IT community Spiceworks. Yet security teams consider their company's capability to patch remote systems to be inadequate, according to a recent study released by Automox, a cyber-hygiene tools provider. While 48% of security teams patch on-premises desktops and laptops in the first three days, that declines to 42% for remote desktops and laptops, according to the firm.

"Remote desktops usually play second fiddle in terms of patching and prioritization — it's usually more difficult to manage them," says Chris Hass, director of information security and research for Automox. "Most teams have a good idea of what is going on with the corporate machines, but they often don't have any visibility into remote workers' systems, so there absolutely has been a large increase in the attack surface because of remote work."

A major impact on businesses from the coronavirus pandemic is the speed with which companies have moved to remote working, changing the way that employees access business applications and increasing the potential attack surface area — a particular headache for IT security. 

Most companies were not prepared for such a broad-based move to working remotely. While, on the whole, anywhere from 56% to 62% of employees could work from home, according to remote work analyst Global Workplace Analytics, only about 15% of respondents said their disaster recovery plans do not require any changes at all, according to a survey by Spiceworks of IT professionals

Because companies were taken by surprise, most are not prepared to patch and attest to the security of remote systems, says AJ Singh, co-founder and vice president of product management for remote management services firm NinjaRMM.

"Remote work has absolutely increased the complexity and scale of patch management in organizations," he says. "Now, in addition to maintaining and patching servers and devices on-prem, IT professionals must also manage the devices used by remote workers, making sure they are secure before accessing a business's data."

Patching is already an expensive proposition, with hundreds and thousands of vulnerabilities affecting a business's software and systems, says Sumedh Thakar, president and chief product officer at Qualys. The only way for most companies to deal with the issue is to prioritize the vulnerabilities based on the criticality of the assets affected by the issues. For example, companies should only focus on the BlueKeep vulnerability if they have Remote Desktop Protocol (RDP) services in place, for example. 

However, the move to remote work has changed the calculus of prioritization for many companies and reduced their visibility, he says.

"It is becoming immediately clear that traditional enterprise security solutions deployed inside the organization's network are completely ineffective in patching [and] remediating these remote endpoints due to the pressure they would put on VPN concentrators, bandwidth for deploying patches or sheer amount of time they would put to tweak these solutions," Thakar says, adding: "Now, prioritization based on risk becomes interesting because vulnerabilities critical for these remote endpoints are probably different than those posing risk to traditional server farms."

Automation is another critical tool for better handling the patching of remote workers' systems. To get patching under control, businesses need to have the right tools in place to automate large parts of the patching process, says NinjaRMM's Singh.

"Ultimately, companies need to accept the fact that patch management is a constant chore regardless of remote work or working in an office," he says. "For the foreseeable future, however, it will be more important than ever to make sure end users' machines are tightly secured to avoid any loss or breach of sensitive data."

For vendors, the move to extensive remote working may result in significant business. While 44% of companies had already committed to spending more on IT in 2020, now 39% have further increased their budgets, according to Spiceworks

And remote working is the area most in need of improvement, the survey found. Almost all — 92% — of IT professionals are concerned about the security of company-owned devices used from home and connecting to a home network.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Ninja
3/31/2020 | 8:12:20 PM
Another variable but not an excuse
Definitely adds another complex variable to the equation but not enough to risk not patching. Servers its an easy point for me to make so I'll stay away from that. For workstations, yes it can be more difficult because if you aren't on VDI you can't clone the host before patching. However, look what happened to the pharma company Merck. They suffered a security incident from WannaCry, a vulnerability very similar to BlueKeep and it really damaged their 3rd quarter and made it impossible for them to work for a series of days.

Is it more complex, yes granted. But if you don't and you end up falling victim to an incident due to lack of patching you are putting yourself in the same predicament anyway.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-04
In MiniShare before 1.4.2, there is a stack-based buffer overflow via an HTTP PUT request, which allows an attacker to achieve arbitrary code execution, a similar issue to CVE-2018-19861, CVE-2018-19862, and CVE-2019-17601. NOTE: this product is discontinued.
PUBLISHED: 2020-06-04
The MQTT protocol 3.1.1 requires a server to set a timeout value of 1.5 times the Keep-Alive value specified by a client, which allows remote attackers to cause a denial of service (loss of the ability to establish new connections), as demonstrated by SlowITe.
PUBLISHED: 2020-06-04
Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attackers to cause a denial of service (crash) via a crafted SSDP message due to a NULL pointer dereference in the functions FindServiceControlURLPath and FindServiceEventURLPath in genlib/service_table/service_table.c.
PUBLISHED: 2020-06-04
Castel NextGen DVR v1.0.0 is vulnerable to CSRF in all state-changing request. A __RequestVerificationToken is set by the web interface, and included in requests sent by web interface. However, this token is not verified by the application: the token can be removed from all requests and the request ...
PUBLISHED: 2020-06-04
Pydio Cells 2.0.4 web application offers an administrative console named “Cells Console� that is available to users with an administrator role. This console provides an administrator user with the possibility of changing several settings, including the applicat...