You would think that with things like automatic updates, applications that can automatically patch themselves, and the constant media attention towards security, hackers would be a dying breed, bereft of targets which they can exploit. Unfortunately, poor patch management practices across the board mean that the ever-growing number of connected devices provides hackers with an endless supply of fresh victims.
Mobile Devices
The rampant growth of smartphones provides hackers plenty of opportunity to find victims. Whether a system is running Android, iOS, Windows Phone, or BlackBerry, updating the operating system is typically handled by the carrier, with little to no capability for the device owner to manage updates themselves, whether the owner is a consumer or an enterprise. And while the mobile platforms all do a good job of checking for updates to installed applications, it is often up to the user to actually deploy those updates, so it is not unusual to find a mobile device in need of multiple updates at any point in time. MDM (Mobile Device Management) products can help with this, but they can also be costly to implement and maintain, and challenging to use when you also want to support BYOD (Bring Your Own Device) or multiple devices and platforms. Vulnerability scanning of mobile devices connecting to your network, whether on the internal Wi-Fi or to applications over the Internet, can help sysadmins identify systems requiring remediation, reducing the risk to corporate data.
CMS
Almost everyone these days has a blog, and almost no one these days manages the underlying platform that hosts their blog. WordPress and Joomla together account for the Content Management System (CMS) running on thousands of systems hosting over a million websites. Typically, blog hosts will maintain the underlying operating system, but leave updating the CMS and plugins to the customer. And since both WordPress and Joomla make it very easy to ignore that your blog hasn’t been backed up for weeks while you’re still publishing content daily, it’s very easy for a CMS to quickly fall out of date. Since many vulnerabilities can be identified by certain basic strings, an attacker can find a new victim to exploit faster than they can order a pizza online. These CMS platforms can end up hosting spam links or malware that can then spread to site visitors. Vulnerability scanning and patching plugins should be a default addition to all sites, and CMS vendors should offer an option to automatically update for users who have “more important” things to do than check their blogs for updates.
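One way to see how far a CMS has drifted is to audit installed plugins against the current releases. The script below is an added example (not code from the original post or from WordPress): it reads the "Version:" header that WordPress plugins declare in the comment block at the top of their main PHP file, compares it with a catalogue of the latest published versions, and reports which plugins are behind. The plugin sources, plugin names and the catalogue are constructed sample data; a real run would read the live plugin directory and the vendor's update feed instead.

```python
"""Audit WordPress-style plugin versions against a list of current releases.

Added example, not code from the original post. Plugin files, names and
catalogue versions below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample plugin files: path -> file contents. A WordPress plugin
# declares its metadata in a comment block in its main PHP file.
SAMPLE_PLUGINS: Dict[str, str] = {
    "wp-content/plugins/example-forms/example-forms.php": (
        "<?php\n"
        "/*\n"
        "Plugin Name: Example Forms\n"
        "Version: 4.2.1\n"
        "*/\n"
    ),
    "wp-content/plugins/example-seo/example-seo.php": (
        "<?php\n"
        "/**\n"
        " * Plugin Name: Example SEO\n"
        " * Version: 1.9\n"
        " */\n"
    ),
    "wp-content/plugins/example-cache/example-cache.php": (
        "<?php\n"
        "/*\n"
        "Plugin Name: Example Cache\n"
        "*/\n"  # no Version header at all: cannot be judged, so flag it
    ),
}

# Constructed catalogue of the newest release per plugin (hypothetical versions).
LATEST_VERSIONS: Dict[str, str] = {
    "Example Forms": "4.3.0",
    "Example SEO": "1.9",
    "Example Cache": "2.0.2",
}

# Matches "Plugin Name: ..." or "Version: ..." lines, with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Return the Plugin Name and Version headers found in a plugin's main file."""
    return {key: value for key, value in HEADER_RE.findall(source)}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as strings
    (as strings, '4.10.0' would sort below '4.9.3')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_plugins(plugins: Dict[str, str], latest: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (plugin name, installed, latest, status) for every plugin, sorted by name.

    status is 'current', 'outdated', 'unknown-version' (no Version header) or
    'not-in-catalogue' (no latest release known, so the plugin cannot be judged).
    """
    findings = []
    for path, source in plugins.items():
        header = parse_plugin_header(source)
        name = header.get("Plugin Name", path)
        installed = header.get("Version")
        newest = latest.get(name)
        if installed is None:
            status = "unknown-version"
        elif newest is None:
            status = "not-in-catalogue"
        elif version_key(installed) < version_key(newest):
            status = "outdated"
        else:
            status = "current"
        findings.append((name, installed or "?", newest or "?", status))
    return sorted(findings)


def outdated_plugins(plugins: Dict[str, str], latest: Dict[str, str]) -> List[str]:
    """Names of plugins that are behind the catalogue or cannot be checked."""
    return [name for name, _, _, status in audit_plugins(plugins, latest) if status != "current"]


if __name__ == "__main__":
    for name, installed, newest, status in audit_plugins(SAMPLE_PLUGINS, LATEST_VERSIONS):
        print(f"{name:<15} installed={installed:<7} latest={newest:<7} {status}")
```

Anything that is not reported as current, including a plugin whose version cannot be read at all, belongs on the remediation list; a plugin you cannot version is a plugin you cannot prove is patched.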
BYOD
Bring Your Own Device initiatives are cropping up in every industry and market segment. As users want to use their platform of choice, enterprises are looking at ways to secure their infrastructure and data, while leaving BYOD device patching to the Y’s in the acronym. Unfortunately that is a short-sighted approach, since compromised devices can be used to steal credentials that can then be used to access more traditional systems, or to intercept data as it is accessed by the BYOD device. As with mobile devices, vulnerability scanners should be used regularly by enterprises, and IT should take a proactive role in helping users to secure and maintain their own devices. You can spend time helping a user update their tablet, or you can spend time recovering from a data breach caused by a device that has not been updated for some time. The choice is yours.
Remote Workstations
As good as most enterprises are at securing and updating their workstations and servers that are on the corporate network, most are abysmally bad at addressing machines belonging to remote users. It’s not uncommon to hear about annual meetings where everyone is required to bring in their laptop so IT can update and patch it. ANNUALLY??? With new vulnerabilities being discovered daily, I would rather just start with formatting a drive on a machine that hasn’t been cared for in almost a year, as it would be faster and more reliable to just flatten it than to try to clean it. Remote devices need attention too, and companies must leverage distributed systems, agents, or automatic updates to help ensure these devices stay secure. Rather than leaving things to chance, deploy a patch management system that can handle remote devices, or require that remote users connect to the VPN regularly in order for their devices to receive updates and be scanned for vulnerabilities.
Legacy Systems
Legacy systems are the worst of the lot, as vendors have probably declared these systems to be end of life, and no longer offer updates to fix vulnerabilities. Many may have vulnerabilities for which patches were released, but because they come from an earlier time, they were not updated as they should have been, and the patches are no longer readily available. Attackers regularly find ways to compromise networks and systems by first gaining a foothold on a legacy system. Companies must plan for replacing systems before they become obsolete, or sandbox them to restrict access and reduce the chance of compromise.
Call to action
There are several things that must be done to reduce the threat to users, data and systems. The responsibilities must be shared by enterprises, vendors, and end users alike. Securing data is not enough; platforms and devices must be secured as well. Companies should ensure that all devices within their reach are secure, whether owned by the company or by the end user. Vendors of mobile devices need to be sure they deploy security updates immediately, rather than waiting until they are ready to push out a major refresh to phones on their network. Apps should either automatically update, or reduce functionality until the user updates them, and systems that are not well managed, like CMS platforms and remote users’ workstations, should update automatically by default.
To better ensure administrators are aware of their exposure, they should regularly run security vulnerability scans against anything on their network. Patch management software can update and report on all systems within their administrative control, and should be a mandatory part of any infrastructure.
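The reporting side of that patch management process can be reduced to a small policy check over the inventory your scanner or patch tool exports. The script below is an added example (not code from the original post or from any patch management product): it reads constructed inventory records, applies assumed thresholds (patch within 30 days; remote hosts must check in every 14 days), and returns one prioritised finding per host, covering the remote workstations and end-of-life legacy systems discussed above. Host names, dates and thresholds are all constructed for illustration.

```python
"""Patch-compliance report over an asset inventory export.

Added example, not code from the original post. The inventory lines and the
policy thresholds are constructed assumptions for illustration.
"""
import csv
import io
from datetime import date, timedelta
from typing import List, Tuple

# Constructed sample export, one line per host, as a patch management or
# vulnerability scanning tool might produce it.
INVENTORY_CSV = """\
host,location,last_checkin,last_patched,pending_updates,end_of_life
fileserver01,onprem,2024-03-01,2024-02-28,0,no
laptop-sales-07,remote,2023-12-15,2023-11-20,14,no
laptop-eng-12,remote,2024-02-27,2024-02-26,1,no
hr-legacy-app,onprem,2024-03-01,2021-06-30,0,yes
"""

REPORT_DATE = date(2024, 3, 1)
MAX_PATCH_AGE = timedelta(days=30)    # assumed policy: patch within 30 days
MAX_CHECKIN_GAP = timedelta(days=14)  # assumed policy: remote hosts connect every 2 weeks


def load_inventory(text: str) -> List[dict]:
    """Parse the CSV export into typed rows (dates, ints, booleans)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_checkin"] = date.fromisoformat(row["last_checkin"])
        row["last_patched"] = date.fromisoformat(row["last_patched"])
        row["pending_updates"] = int(row["pending_updates"])
        row["end_of_life"] = row["end_of_life"].strip().lower() == "yes"
        rows.append(row)
    return rows


def evaluate_host(row: dict, today: date) -> Tuple[str, str, str]:
    """Return (priority, host, reason); priority is 'ok' when policy is met.

    End-of-life is checked first: a system that can no longer be patched is
    the largest exposure no matter how recently it checked in, so it gets an
    isolate-or-replace action rather than a patch action.
    """
    host = row["host"]
    if row["end_of_life"]:
        return ("critical", host, "end-of-life: no vendor patches; isolate or replace")
    if row["location"] == "remote" and today - row["last_checkin"] > MAX_CHECKIN_GAP:
        days = (today - row["last_checkin"]).days
        return ("high", host, f"remote host not seen for {days} days; cannot be patched or scanned")
    if today - row["last_patched"] > MAX_PATCH_AGE or row["pending_updates"] > 0:
        return ("medium", host, f"pending_updates={row['pending_updates']}, last patched {row['last_patched']}")
    return ("ok", host, "compliant")


def compliance_report(text: str, today: date) -> List[Tuple[str, str, str]]:
    """Evaluate every host and order the findings from most to least urgent."""
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    findings = [evaluate_host(r, today) for r in load_inventory(text)]
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for priority, host, reason in compliance_report(INVENTORY_CSV, REPORT_DATE):
        print(f"[{priority:<8}] {host:<16} {reason}")
```

The ordering encodes the argument of the post: a legacy system nobody can patch outranks a laptop that is merely late, and a remote machine that never connects is a gap in your visibility before it is a patching problem.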
And non-technical end users must take active roles in securing their own devices. If they can buy them, power them on, and connect them to the Internet, then they can check for and install updates as long as vendors build in obvious and easy-to-use tools. Call it security’s easy button.
Securing systems is in everyone’s best interest. Do your part, and encourage others to do theirs.