It just makes you WannaCry…really! Avoid the next NotPetya with rapid and comprehensive patching
- 01 February, 2018 16:37
Corporate Australia seems to be oblivious to the spate of hack attacks which have cost companies and individuals many millions in stolen credit card details and identity theft. Recent research undertaken by Ivanti indicates a frustrating lack of urgency on the part of some organisations.
Last year’s WannaCry and NotPetya ransomware attacks should have galvanised organisations into action to protect themselves and their customers. However, the failure to undertake the simple process of patching has left systems at many of our biggest and most trusted organisations in a vulnerable state.
According to recent Ivanti research, 70 percent of IT professionals either do not have complete visibility into their systems or don’t know if they have the right tools to achieve this. At the same time, only 80 percent of organisations have a patch management policy in place, a figure that has not increased since 2016.
Patching is a slow process for many organisations, with almost half (49 percent) of businesses claiming they take more than two weeks to do so and an alarming 20 percent taking more than a month. However, with vulnerabilities that can lead to global cyber-attacks like WannaCry and NotPetya, the time to patch is becoming more critical.
While organisations may have taken certain strides towards increased endpoint security in the wake of 2017’s devastating attacks, patching quickly and comprehensively, and demonstrating compliance with company policies, is still not a priority for many businesses.
The importance of patching
To avoid the kinds of cyber-attacks that create headaches and headlines, organisations need to update devices, servers and other assets as soon as possible after a patch is released. If they don’t, they risk exposing customer data, losing critical services and violating compliance with internal and external regulations.
Although organisations can significantly reduce their attack surface by patching quickly, correctly, and across all assets, doing so can be complicated, time-consuming and error-prone. By automating the patching process and following best practices, organisations can improve their security posture, save money, and free up time to meet mission goals, such as improving services.
Organisations face the following challenges related to patching:
Cyber-attacks are increasingly stealthy and targeted, and no organisation is immune. Even criminals who are not tech savvy can easily gain access to attack tools.
Vulnerabilities in legacy software
Government organisations in particular often have legacy systems that are no longer supported by vendor software patches. These systems have been around for a long time, giving cyber criminals ample time to discover vulnerabilities. The recent WannaCry ransomware attack that hit hundreds of thousands of computers exploited known Microsoft Windows vulnerabilities and was so virulent that Microsoft made an exception and created a patch for computers it no longer supports.
Many organisations have thousands of devices that need to be discovered, tracked, and updated. Managing these assets, and the software running on them, is a challenge in today’s complex environment of extended enterprises, virtual machines, traditional (physical) software solutions, and disparate patching tools.
Although many organisations use Microsoft System Center Configuration Manager (SCCM) to deploy patches, applying it to third-party software that Microsoft does not support requires manual work and testing. Organisations also sometimes forgo patching virtual servers and other assets due to limited resources.
Time-consuming manual processes
Manual patching processes can consume hundreds of hours every month and are prone to error. If a patch requires a system restart, staff time is stretched even further.
Some IT staff may avoid patching certain assets because patches can “break” things, involve extensive customisation, aren’t always compatible with other applications running on legacy systems, introduce new security problems or add unwanted “bonus” features by default. Despite the critical data held in SAP applications, for example, the average time to patch vulnerabilities after SAP releases a fix is more than six months.