How The Rise of Vulnerabilities Has Shaped Modern Patch Management Practices | Hacker Noon

@kernelcare (KernelCare)

Preventing dangerous patch delays with rebootless updates.

As technology develops and grows, so do cyberattacks. Between October 2016 and the end of 2017 the UK's National Cyber Security Centre (NCSC) recorded 34 significant cyberattacks and 762 less serious incidents. And the problem continues to ramp up: NTT Ltd.'s Global Threat Intelligence Report reports "attack volumes increasing across all industries between 2018 and 2019 and the most common attack types accounted for 88% of all attacks: application-specific (33%), web application (22%), reconnaissance (14%), DoS/DDoS (14%) and network manipulation (5%) attacks".

This year is no exception. Attackers exploit the COVID-19 panic to set up websites that claim to post "official" COVID-19 information but actually deliver malware or try to steal users' personal data. Organizations cannot wait for a patch to arrive by punch card. They need a way to apply a fix for a vulnerability as soon as it is available, and they need the fix to take effect without a maintenance window. Let's take a closer look at some of the best-known vulnerabilities and how badly they hit businesses.

Heartbleed

The Heartbleed bug (CVE-2014-0160) is a vulnerability in the OpenSSL cryptographic library, specifically in its implementation of the TLS heartbeat extension. A heartbeat request carries a payload and a length field, and vulnerable OpenSSL versions copied as many bytes as the length field claimed without checking that the payload was really that long. An attacker can therefore read up to 64 KB of the server process's memory per request, repeatedly and without leaving a trace in most logs: private keys, session cookies and passwords of other users were all recoverable. Any system protected by a vulnerable OpenSSL build, on either the server or the client side, was exposed.
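The defect described above, as an added Python illustration that is not OpenSSL code: process memory is modelled as a byte string holding the incoming heartbeat record followed by constructed stand-in data (a hypothetical session key and cookie), and the two handlers reproduce the pre-1.0.1g logic and the fix that OpenSSL 1.0.1g introduced. Where a real server would keep reading the heap, Python slicing simply stops at the end of the buffer.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed stand-in for whatever happens to sit after the TLS record in the
# server process. Hypothetical values, not real secrets.
NEIGHBOURING_MEMORY = (
    b"\x00" * 8
    + b"session_key=4f1c9a...;"
    + b"cookie=ADMIN_SESSION_TOKEN;"
    + b"\x00" * 64
)


class RejectedHeartbeat(Exception):
    """Raised by the fixed handler when a heartbeat fails the bounds check."""


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Encode a heartbeat request. The client controls claimed_length and may
    make it larger than len(payload); that mismatch is the whole attack."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
    return header + payload + b"\x00" * PADDING_LEN


def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g logic: trust the length field and copy that many bytes."""
    _msg_type, payload_len = struct.unpack("!BH", memory[:3])
    # record_len is available but never consulted, so the copy runs past the
    # record into whatever follows it in process memory.
    payload = memory[3 : 3 + payload_len]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
    return header + payload + b"\x00" * PADDING_LEN


def respond_fixed(memory: bytes, record_len: int) -> bytes:
    """1.0.1g logic: the declared payload must fit inside the received record."""
    if record_len < 1 + 2 + PADDING_LEN:
        raise RejectedHeartbeat("record too short to be a heartbeat")
    _msg_type, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        raise RejectedHeartbeat("declared payload length exceeds record length")
    payload = memory[3 : 3 + payload_len]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len)
    return header + payload + b"\x00" * PADDING_LEN


def heartbeat_exchange(handler, payload: bytes, claimed_length: int) -> bytes:
    """Deliver one heartbeat to a handler and return the payload it echoes."""
    record = build_heartbeat(payload, claimed_length)
    memory = record + NEIGHBOURING_MEMORY  # the record lands in front of other data
    response = handler(memory, len(record))
    _msg_type, echoed_len = struct.unpack("!BH", response[:3])
    return response[3 : 3 + echoed_len]


def leaked_fragments(echoed: bytes, markers=(b"session_key=", b"cookie=")) -> list:
    """Return which marker strings from neighbouring memory came back in the echo."""
    return [m for m in markers if m in echoed]


if __name__ == "__main__":
    print("honest echo:", heartbeat_exchange(respond_vulnerable, b"ping", 4))
    over_read = heartbeat_exchange(respond_vulnerable, b"ping", 0xFFFF)
    print("over-read leaks:", leaked_fragments(over_read))
    try:
        heartbeat_exchange(respond_fixed, b"ping", 0xFFFF)
    except RejectedHeartbeat as exc:
        print("fixed handler:", exc)
```

The honest request is answered identically by both handlers; only the lying length field separates them, which is why the bug sat unnoticed in normal traffic for two years.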

VMware Case

According to the CloudPhysics study, more than 50% of vCenter servers and ESXi hypervisors were still unpatched, and therefore still exposed, three months after VMware released its Heartbleed fix. The study's "Rate of patching is slowing down" section is the sobering part: the curve flattens rather than climbing to 100%. How much time do we need to finally get rid of Heartbleed?

Source: CloudPhysics study

Conclusion

Various compliance standards and guides have steadily tightened the patching window. In most cases you now have to patch your infrastructure within 30 days of a fix becoming available to remain compliant. Years ago the main focus was on industrial uptime ("Some industrial sectors require 99.999% or greater ICS uptime. This requirement relates to 5 minutes and 35 seconds or less allowable downtime per year for any reason, making unscheduled patching out of the question."). These days everyone expects that level of uptime, whatever the industry. Before, planned patching was just a recommendation; now the lack of it means non-compliance.

Shellshock

Shellshock (CVE-2014-6271 and its follow-ups) is a family of bugs in GNU Bash. Bash exported shell functions to child processes through environment variables, and when it imported such a variable it executed any commands appended after the function body. Any program that places attacker-controlled input into the environment of a Bash process therefore becomes a remote code execution vector: CGI scripts receive HTTP headers and the query string as environment variables, and DHCP clients and OpenSSH ForceCommand setups were hit the same way. The commands run with the privileges of the affected service, and exploitation needs nothing more than a crafted HTTP request to a web application on a vulnerable server.
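The detection side of the above, as an added example that is not part of the original article: the function-definition prefix that exploits must carry is easy to spot in web server logs, because it arrives in exactly the fields (request line, referer, user agent) that a CGI setup hands to the environment. The log lines below are constructed for the example, using documentation IP ranges; the `probe_local_bash` helper runs the public CVE-2014-6271 test command against whatever `bash` is on the path and is only called from the `__main__` block.

```python
import os
import re
import subprocess
from urllib.parse import unquote

# The exported-function prefix that the 2014 patches taught bash to stop
# trusting; exploit strings append their commands after the closing brace.
SHELLSHOCK_PATTERN = re.compile(r"\(\s*\)\s*\{")

# Apache/nginx combined log: the quoted fields are request, referer and
# user agent, in that order. Handles \" escapes inside a field.
QUOTED_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')
FIELD_NAMES = ("request", "referer", "user_agent")


def find_shellshock_fields(line: str) -> list:
    """Names of quoted fields in one log line that carry a Shellshock-style
    function definition. Each field is URL-decoded first, because a payload
    in the query string reaches the CGI environment decoded."""
    hits = []
    for name, raw in zip(FIELD_NAMES, QUOTED_FIELD.findall(line)):
        if SHELLSHOCK_PATTERN.search(unquote(raw)):
            hits.append(name)
    return hits


def scan_access_log(lines) -> list:
    """Scan access-log lines; return one (line_no, client_ip, field) per hit."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        client_ip = line.split(" ", 1)[0]
        for field in find_shellshock_fields(line):
            findings.append((line_no, client_ip, field))
    return findings


def probe_local_bash():
    """Run the public CVE-2014-6271 test. True means the local bash still
    executes code appended to an exported function; None if bash cannot run."""
    env = {"PATH": os.environ.get("PATH", "/bin:/usr/bin"),
           "x": "() { :;}; echo VULNERABLE"}
    try:
        result = subprocess.run(["bash", "-c", "echo probe"], env=env,
                                capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return "VULNERABLE" in result.stdout


# Constructed sample log, not captured traffic. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [25/Sep/2014:10:14:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/id"',
    '198.51.100.23 - - [25/Sep/2014:10:14:11 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 "(){ :; }; /usr/bin/id" "curl/7.37.0"',
    '203.0.113.9 - - [25/Sep/2014:10:15:40 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.23 - - [25/Sep/2014:10:16:03 +0000] "GET /cgi-bin/status.cgi?q=%28%29%20%7B%20%3A%3B%7D%3B%20%2Fusr%2Fbin%2Fid HTTP/1.1" 200 512 "-" "curl/7.37.0"',
]


if __name__ == "__main__":
    for line_no, ip, field in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: Shellshock payload from {ip} in {field}")
    print("local bash vulnerable:", probe_local_bash())
```

Log scanning tells you who tried; the probe tells you whether it would have worked. Run the probe on every host after patching, not just on the one you patched first, since the Bash package on a forgotten appliance is exactly the one that stays vulnerable.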

Yahoo Case

It sounded like a joke, but it wasn't, when the media reported that Yahoo had been hacked through the Shellshock vulnerability (Yahoo itself later said the affected servers were compromised through a separate command-injection bug in a monitoring script rather than through Bash, which changes the headline but not the lesson). Like many major companies, Yahoo runs a bug bounty program and spends heavily not only on internal threat-monitoring systems but on bringing in outside researchers, specialists, and experts.

Conclusion

The Ponemon Institute study shows that the time spent monitoring systems for threats and vulnerabilities grows each year (127 hours and 139 hours per week in 2018 and 2019 respectively). Add to that the time spent applying patches, documenting, coordinating, and reporting, and you can see how the total annual cost of vulnerability management, in both hours and money, can skyrocket. The numbers tell the story best.

Source: The “Cost and consequences of gaps in vulnerability response” report (independently conducted by Ponemon Institute LLC)

The possible damage to individuals, businesses, and industries forces us to invest heavily in development, audit, testing, and security. But imagine paying once and staying protected against known and newly published vulnerabilities alike, without having to investigate, schedule, apply, and reboot for every patch.

Meltdown, Spectre, and Zombieload

Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) are flaws in the speculative execution of modern processors. By measuring the cache side effects of instructions the CPU executed speculatively and then discarded, an unprivileged process can read memory it has no permission to read: kernel memory in the case of Meltdown, and data belonging to other processes or to the host of a sandbox in the case of Spectre. Most exposed are large cloud services and enterprises that run untrusted code on the same hardware as private customer data.

ZombieLoad is a further critical bug in the same processors, one of the microarchitectural data sampling (MDS) flaws: it lets an attacker sample sensitive data, including keys, from the CPU's internal buffers while another process or the kernel is accessing it. It affects Intel processors released since 2011.

Intel Case

The hysteria around Intel and Meltdown, Spectre, and ZombieLoad has calmed down a bit by now, but it hit like two tsunami waves: Meltdown and Spectre in January 2018, ZombieLoad in May 2019. The facts are: 100 million servers, 600 million PCs, and about 1.7 billion smartphones were vulnerable.

Source: ITCandor, “Meltdown and Spectre – 2.7b vulnerable devices and a $37b bill for mitigation”

This equates to billions of reboots, because the fixes were kernel-level mitigations such as page-table isolation and new CPU microcode, both of which ordinarily take effect only after a restart. Although most companies using Intel's chips applied the patches quickly, the bad taste lingered.

Conclusion

One vulnerability can seriously damage a company's operations and reputation, as it did for Intel. KernelCare delivered the kernel-side mitigations for ZombieLoad, ZombieLoad v2, Meltdown and Spectre as live patches, without reboots; CPU microcode updates are a separate path and still need to be rolled out by the firmware or microcode package.

Disciplined patch management has become more critical as the number of vulnerabilities continues to increase, and the consequences of being shortsighted or lax about it grow more devastating each year. With a good security policy, the right tools, and people who know how to manage them, you can keep the risk to a minimum.

Even better if you have a toolset that automates the process and applies patches to infrastructures while they are operational.  Try KernelCare free on all your servers for 7 days and tell us what you think.
