The average time from the discovery of a vulnerability to a patch being issued is, for well-supported software, thirty days. In a best-case scenario, cybercriminals have a whole month to make the most of the exploit.
Of course, it’s not always a best-case scenario. For example, in 2016, an SAP authentication vulnerability was patched that had first been reported way back in 2012. Any hacker looking to use this vulnerability to gain access to a system had the best part of four years to do so. And some business practices mean that there is much longer between a vulnerability being discovered and a patch being released—Oracle rolls all of its patches into a quarterly Critical Patch update, meaning there are potentially three months from a patch being created until it’s rolled out.
The issues aren’t only on the software providers’ side—in fact, the biggest problems can be found with the users and businesses who fail to install patches. This isn’t down to shoddy practices or a lack of care, but simply because applying a patch requires a lot of effort. A survey commissioned by security firm Bromium has shown that over half of businesses didn’t have the internal resources to implement regular patches, and that the average cost of applying a patch was around $20,000 per patch.
Oracle has attempted to hurry its users into applying patches ASAP, adding to its patch notes: “...Attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.” But businesses can’t simply apply the patch and hope for the best. There needs to be a fully-developed patch management process, using an accurate inventory of an IT estate so that nothing is missed, and with a comprehensive testing procedure that ensures that nothing will break following a patch.
The cost and disruption of applying a patch means that an average of 100-120 days passes between a patch being available and a patch being applied. This schedule allows cybercriminals to slow down and take it easy—there’s likely to be around five months from when a vulnerability is disclosed until the average business fixes it. There’s plenty of time to gain access, steal data, and cause havoc.
The long periods of time between the discovery of vulnerabilities and the fix being applied—wherever the blame lies—only helps those in the cybercrime business by leaving critical systems open to attack.
What are businesses paying for?
The ERP software that many businesses rely on is often a significant outgoing for a business. These business management suites include software necessary for accounting, human resources, customer relationship management and more. Any business over a certain size, no matter what it does, is very likely to be using an ERP suite rather than discrete tools. These tools are not a one-off cost. Some of them are provided as a service with a regular recurring fee, but most are installed on-premises with a license fee required to access the support vital to keep these tools up to date.
Oracle support typically costs 22% of the initial license cost. This gives a business the legal right to use Oracle’s knowledge base, to log support requests using official Oracle support, and to download official patches and the latest release of the software. SAP is similar, with users typically paying somewhere between 19% and 22% for an equivalent level of standard support.
The need to pay for support in order to access patches makes this cost a necessary part of the patch management process. If a business does not pay these costs, the ERP software it has will quickly go out of date and leave it vulnerable to an attack.
But even by paying these costs, they are still trapped in a cycle where every update costs thousands of pounds, every update needs to be tested thoroughly to make sure it does not disrupt the business, and every update is installed around half a year after the problem it addresses was discovered. Even if businesses follow best practice, along with all the costs involved, they may wonder if they are getting value for money. Their ERP providers are rolling out patches on a regular schedule, but even good patch management is still not enough to keep them safe.
What’s the alternative?
The regular installation of vendor patches is seen as best industry practice when it comes to keeping servers secure from an attack. This needs serious reconsideration—best practice is, like the patches when finally applied, hopelessly out-of-date. The speed at which hackers can scan for vulnerabilities and attack businesses means that a quarterly update schedule cannot hope to keep up. A six-month lag makes patching nearly pointless.
If official patches don’t keep a business safe, then the answer may be to simply ignore official patches.
This may seem like madness on the face of it, but it’s actually very sensible. There are a number of reasons why a business may not want to upgrade its ERP software. A change of software comes with risk, cost, and disruption—all things that any sensible business wants to avoid. For many businesses, the only advantage of upgrading is likely to be the patches issued by the vendor to stay secure. New features are not enough to tempt them.
ERP systems have been around for a long time, and they are trusted and stable. However, this maturity means that they have not exactly been hotbeds of innovation for over a decade. Security is the only reason to apply patches.
But, most importantly, if a business is not installing patches, how can it keep itself safe? Virtual patching, also known as vulnerability shielding, can do this by protecting software from an attack even if the right patches are not in place. Virtual patching is like a gated community with an armed guard on patrol, stopping anyone unsavoury from getting anywhere near. The homes may have vulnerabilities (keys hidden underneath doormats, or windows that are easily jimmied open), but those weak spots don’t matter if no one can get near them. Crucially, vulnerability shielding can also be updated immediately to tackle new threats, keeping an entire IT estate secure without the potential for disruption that comes with regular patching.
ERP software patches aren’t poor value for money because they fall short of industry standards, they are poor value because the tools available to cybercriminals and the fast dissemination of vulnerability information makes waiting for patches inherently risky. The wisest businesses will see this as an opportunity to opt out of upgrades that don’t benefit them and look for alternative ways to keep their ERP software installations safe.
Mark Smith, Founder and CEO of Support Revolution
Image Credit: Mikko Lemola / Shutterstock