2020’s Wild Cyber Ride
July was an interesting month for a few products across the OEM landscape, with high severity vulnerabilities released for a wide array of software products typically used by businesses including Microsoft, Citrix, F5, Juniper, Oracle and SAP.
Overall, the number of new Common Vulnerabilities and Exposures (CVEs) received by the National Vulnerability Database (NVD) stood at 11,390 at the time of this publication. This puts us on pace to see a record 20,000 vulnerabilities in this crazy year.
Cisco disclosed a critical security vulnerability in their Data Center Network Manager (DCNM), a key piece of Cisco's data-center automation software for its widely used Multilayer Director Switch (MDS) and Nexus line of networking hardware. In addition, attackers are also exploiting a high-severity vulnerability in two of Cisco’s network security products: Firepower Threat Defense (FTD) software, which is part of Cisco’s outstanding suite of network security and traffic management products, and Adaptive Security Appliance (ASA) software, the operating system for its family of ASA corporate network security devices which is used by Fortune 500 companies around the world.
Cisco is warning that a high-severity flaw in its network security software is being actively exploited, allowing remote, unauthenticated attackers to access organizations' sensitive data.
So, what's the price of unprotected IT infrastructure? Cybercrime Magazine says that global damages will surpass $6 billion as soon as 2021.
Why strong patch management is important
Across a variety of industries, we see that patching continues to be one of the weakest links for many organizations, large or small, public or private, particularly in terms of security defense; however, it doesn’t have to be. It’s been our observation over the years that organizations commonly possess the experienced technical professionals and the appropriate tools, such as Tanium or SCCM, to apply system patches. So where is the breakdown? Ironically, the breakdown arises from two nontechnical areas, namely:
- A lack of security awareness (and you have heard me preach about this for years).
- A lack of accountability for following through on patching vulnerable systems.
Ironically, most successful attacks today no longer involve sophisticated and costly zero-days. Instead, they rely on publicly disclosed vulnerabilities, often with a working exploit already available, or, in many cases today, simply on your credentials that have already been compromised. Hackers will systematically scan for the weakest link in your cyber defense perimeter to gain access, and even an outdated, vulnerable printer may be the windfall that gets them your crown jewels.
It is imperative that you implement, test and monitor a robust patch management program for all your systems, networks and applications; if you leave unpatched devices on the Internet, the bad guys will find them and add them to their infrastructure.
Network security components
Network infrastructure devices are the components that transport the communications needed for data, applications, services, multimedia and more. These devices include your routers, NGFWs, switches, servers, load balancers, IDS (intrusion detection systems), DNS (domain name system) servers and SANs (storage area networks).
These devices could be ideal targets for malicious cyber actors or nation states because most or all organizational and customer traffic is transmitted through them.
Once implemented, many network devices are not maintained with the same security rigor as general-purpose desktops and servers. We have also seen additional factors that contribute to the vulnerability of network devices, such as:
- Very few network devices — especially small office/home office and residential-class routers (this is important as we have a massive remote workforce now) — run antivirus, integrity-maintenance and other security tools that help protect general-purpose hosts.
- Manufacturers build and distribute these network devices with potentially exploitable services, which are enabled for ease of installation, operation and maintenance.
- Administrators of network devices often do not change vendor default settings or harden them for operations or perform regular patching.
- In some cases, computer security incident response teams (CSIRTs) will overlook network devices when they investigate, look for intruders and restore general-purpose hosts after a breach.
As you can imagine, people, technology and processes must work cohesively to mature the hygiene of your security infrastructure. Configuration and patch management are common challenges for organizations.
We've observed that most inefficiencies in configuration and patch management can be traced to understaffing. Many organizations have the technology to deploy a significant number of the changes required but lack the engineering manpower to consistently identify and execute the changes that need to be deployed.
It's more important than ever that organizations can enable secure business productivity while protecting systems and data from internal and external threats. Instead of focusing on security hardware and software alone, take a holistic, pervasive approach to security by:
- Fostering a security-conscious culture to reduce the attack surface and ensure a robust security posture.
- Implementing security-focused policies and processes.
- Embedding security throughout our infrastructure.
We take care to make sure that controls don’t make it more difficult for employees to do their work or run the business. Implement the following recommendations to better secure your network infrastructure and minimize attacks against its vulnerabilities:
- Segment and segregate networks and functions.
- Limit unnecessary lateral communications.
- Harden network devices.
- Secure access to infrastructure devices.
- Perform out-of-band (OoB) network management.
- Validate integrity of hardware and software.
Actual business outcomes
As an example, our team of security experts recently helped a global data analytics company avoid catastrophic fines and financial liabilities, as well as possible FTC audits, by implementing a vulnerability and patch management program that caught more than 4,000 critical vulnerabilities prior to a large audit.
We started by researching previous audit findings and then implementing a repeatable and scalable vulnerability and patch management process that fixed the current issues and improved their overall security posture. We integrated a cloud-based product to automate future vulnerability scans and system protection.
Our Strategic Resourcing team trained their IT staff on system management and led daily briefings with their leadership to ensure remediations were completed prior to their audit deadline. The end result: no fines or additional audits and a stronger security posture.
Ready to talk about your security strategy? Request a Patch Management Assessment to begin evaluating your ability to patch in a cost-effective manner while reducing risk. Feel free to reach out directly with any other questions.