[BreachExchange] Does Patching Make Perfect?

[Audrey McNeil]

https://www.infosecurity-magazine.com/opinions/patching-perfect/

We’ve heard it time and time again: patches and updates are the key to
mitigating vulnerabilities that lead to epic Equifax-sized breaches. The
logic goes that security incidents can be avoided if you just update and
patch your OS and applications as instructed.

Is it really as simple as that? It’s true that patching and updating your
software and operating systems are critical elements in your security
approach. At the same time, the process of installing updates and patches
has become so highly complex that it, in and of itself, may create new
complications.

To start, let's look at why patching and updating are so critical in the
first place. Patches and updates are two primary means to ensure that
programs and operating systems function properly and securely. They deliver
bug fixes, add and enhance features, and – most of all – fix
vulnerabilities.

Failing to install patches and updates leaves you wide open to avoidable
exploits that can be avoided entirely. Just ask the NHS, which fell prey to
last year’s WannaCry attack. A recent report from the UK National Audit
Office shows that the NHS had been instructed to patch their computers
against the specific vulnerability that caused WannaCry as early as two
months before the attack.

Returning to the disaster at credit rating giant Equifax, the breach was
caused by a vulnerability in their Apache Struts web application framework.
Not only has this attack left roughly half the US adult population at risk
for ID fraud — the worst part is that the Apache Struts Foundation released
a patch for that same critical vulnerability (CVE-2017-5638) back in March,
a full four months before Equifax says they identified a breach on their
network.

The Problems with Patching and Updating
This brings us to the over-complexity of patches and updates. Back in March
2017, when the Apache Struts vulnerability was first reported and the patch
was released, enterprises relying on the framework knew it would be tough
to fix. Here is how Ars Technica explains the difficulties involved with
applying the patch:

“...it involved downloading an updated version of Struts and then using it
to rebuild all apps that used older, buggy Struts versions. Some websites
may depend on dozens or even hundreds of such apps, which may be scattered
across dozens of servers on multiple continents. Once rebuilt, the apps
must be extensively tested before going into production to ensure they
don't break key functions on the site.”

This does not in any way let Equifax off the hook, but it does highlight
the great difficulties and challenges that many enterprises experience when
it comes to patching and updating. As with the Struts patch, application is
not always simple and may cause unanticipated breakdowns and malfunctions.

With so many patches and updates being released, it can be hard to assess
which are essential and which are merely recommended. For example, the
patch for the vulnerability that led to WannaCry was released just like any
other “Microsoft Patch Tuesday” patch, which may have led people to believe
that the vulnerability wasn't all that critical. Moreover,
incompatibilities with patches and infrastructure can cause other critical
programs to crash.

Lastly, there are so many patches and updates released on an ongoing basis
that applying them all could take up all of an IT team’s time.

So, it’s not that patching doesn't make perfect — it’s that getting the
entire process just right can be extremely complex. By not getting it
completely right, you may just be letting in the next big breach.

Isolate to Reduce Your Risks
The truth is that in the world of multi-layered applications and complex
network architecture, there is no one silver bullet that can completely
guarantee complete integrity and security. But you can minimize your risk
by reducing your attack surface.

Security analysts continue to affirm that most security breaches,
incidents, and phishing attacks can be traced back to browser-based
vulnerabilities that have been exploited. Thus, enterprise security can be
greatly improved if organizations can block hackers from breaching
endpoints and networks via the browser. If hackers cannot gain access, they
cannot exploit security vulnerabilities presented by unpatched applications
and software.

Secure remote browsing, and in particular, remote browser isolation (RBI),
represents a new, proactive approach to safeguarding against internet-borne
threats. In fact, it was named one of the top security technologies in 2017
by Gartner.

With remote browser isolation, all browsing activity is executed remotely,
in an isolated virtual environment such as a container, which is disposed
of at the end of that browsing session. What users get is a real-time,
interactive visual content stream that is free of all risk.

In short, browser isolation is a layer that reinforces your existing
security measures and helps you stay protected during those inevitable
brief lapses in the never-ending patching and updating cycle.

To really “make perfect”, you need to patch and update, but that’s just one
(highly complex) aspect of achieving complete security from vulnerabilities.

In addition, you need a layered defense that will help you secure gaps in
the remaining layers and that includes a solution for preventing malware
and fileless attacks originating from web browsers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180322/4f20e919/attachment.html>