Q&A with Duo Security: Why are organisations struggling with patching?

Wendy Nather, Principal Security Strategist at Duo Security discusses the real-world challenges organisations face in updating to the latest versions of software and why we need to focus on finding practical solutions to support them.   

From the recent cyber attacks peppering the headlines, it’s evident that many organisations are not immediately patching or are knowingly running unsupported or out-of-date software. What particular security risks does this pose?   

The risks are significant. We know attackers will exploit vulnerabilities in out-of-date systems; that’s why it’s so important for organisations to update their software, such as browsers and operating systems, on a timely basis.  As new vulnerabilities are discovered, the higher your risk exposure becomes - not only from sophisticated, targeted attacks but also from opportunistic criminals scanning the Internet for a particular known weakness that they can exploit easily. Many organisations feel that they won’t be targeted directly, but they don’t have to be; the attackers are casting a wide net to harvest small businesses in bulk, so to speak. 

Why do you think organisations are struggling with patching: shouldn’t this be part of an organisation’s cyber ‘hygiene’ strategy?   

They may be struggling for a number of reasons. Perhaps they don’t have the manpower and resources necessary to carry out updates to their software every week. Or they may not have the expertise to be able to troubleshoot problems which might arise from applying patches. Finally, their business may require operational availability at the expense of patching. For example, retailers who make most of their annual revenues during the winter holiday shopping season tend to implement a change freeze that lasts from October through January. Organisations that have very limited maintenance windows may simply have more patches than they can get through during that time. 

This idea of continuous change runs counter to everything we humans have previously known; we have built things to last. Imagine if you had to swap out your writing desk every week. It’s not only the desk itself that needs changing, there are all of the cables and personal items that you’d have to carefully move and update every time as well. Even putting wheels on the desk doesn’t prevent the disruption to your work that a change entails. In the same way, it gets much more complex carrying out software updates with multiple entangled dependencies. It can be more of an extended project to update everything in order. 

That’s why it’s probably too optimistic to say that organisations should ‘just’ patch. This ignores the inherent challenges which can make a quick fix solution neither practical nor affordable.    

As more and more organisations opt out of running their own software, what security challenges does this pose? How does this impact patching?    

When organisations don’t run their software, it’s entirely in the hands of the software vendor as to how often it’s updated, and what versions it’s supported on. For example, you may have an important application that will only run using a certain version of database software, or requires operating system libraries that are more than a year old. You’re basically stuck with the old versions of everything, and it may take years until the software vendor at the top of the stack agrees to certify and support an updated version. A vendor may go out of business, or they could be acquired and the software line killed off. This is a problem we’ve seen with smaller vendors which provide software used by governments.   

Is the issue of ageing or legacy systems creating additional challenges when it comes to updates?   

This does present difficulties, however, we have to remember that, in many cases, ageing systems tend to be the most critical systems for organisations: that’s why they’re still in use.  They were built to last, after all.   

One of the issues is that these systems tend to be ‘jury rigged’ in production, with small tweaks made to software and configurations on the spot to keep things running as the equivalent of duct tape. Not all organisations have the budget to duplicate their production environment just for testing and developing new versions of software, so last-minute changes happen in the most important area: the customer-facing network. 

Should software vendors be doing more to address the problem?   

This is an argument that is often brought up; however, it’s complicated for the vendor as well. If other applications or dependencies change in an ecosystem, they have to adapt the software to catch up. Internationalisation means that changes will need to be made on different versions. Then there are sales people, support teams to brief and users to inform, all of which has a knock-on effect on the cost of updating software. As the software advances, the vendor must decide how many older versions they have to continue to support; we saw that Microsoft ended up releasing a patched version of Windows XP in acknowledgment that it was still in widespread use for critical systems.   

Perhaps, instead, what we should be thinking about is how we support organizations to do this: what do we expect and what is reasonable to expect? Who ensures ongoing support for software when the original vendor disappears? It’s not reasonable for many organizations to follow the Netflix model of pushing out dozens of changes a day even if there’s a process in place for issuing and testing patches. There’s also a wider argument that we should shift the focus to developing more secure software, that’s built to last, so that it doesn’t need to be updated as often.      

What can the industry more widely do to help: is the answer to implement regulations or incentives?   

Regulations only work if they’re based on an understanding of the dynamics behind the situation we’re in. More urgently we need a task force to look at underlying root causes rather than symptoms. 

Part of the problem is that it’s impossible for small companies to afford the level of security that we think they need. Financial assistance, such as the device buy-back program proposed recently in the US (in which the government purchases old devices in the healthcare sector) don’t address the bigger issue that these devices were not built to be updated to begin with, and that they’ll be replaced with devices which will eventually have the same problem and will themselves need to be replaced.    

With more ransomware attacks anticipated, what immediate measures should organisations take to protect against future attacks?     

Updating software is always the best first step. However, for organisations that can’t update, the focus should be on mitigating risks. For example, if an organisation can’t move away from SMB V1 or must have this open to the Internet, what can be done to narrow their exposure to threats at the network level? And what more can be done to help them to detect future threats? Perhaps part of the solution is helping small to medium-sized businesses migrate to more secure infrastructures.    

What additional advice can you give organisations that are struggling with updating software?      

Sadly, the ransomware attacks we’ve seen in recent months won’t be the last of this scale. Malware that uses a worm for propagation, such as WannaCry, tends to stick around and resurface over months and years (Conficker, which first emerged in 2008, is still seen in the wild today). For those that have struggled, there are policies and procedures that can provide a route to recovering from a ransomware attack.    

These include maintaining frequent backups, and conducting periodic test restorations to verify the integrity of the data backups, as well as putting in place a disaster recovery and emergency operations plan. Organisations need to practise those plans regularly to make sure their teams are ready to execute. Even if they weren’t hit by a particular attack, they can ask themselves: if that were to happen to us, what would it look like? How would we detect it? And how would we respond to it?   

There’s no substitute for preparation. 

Wendy Nather, Principal Security Strategist at Duo Security

Image Credit: Niroworld / Shutterstock