Lesson Learned, Again: Patch Your Software

In prepared testimony for this week’s congressional panel on the Equifax breach that led to the theft of personal information of more than 145 million people, former CEO Richard Smith said the breach was the result of an unpatched Apache Struts software vulnerability within the company’s online disputes portal. According to Smith, Equifax did in fact receive notification of the vulnerability months earlier, first from US-CERT and then from its own scans, but neither alert prompted a fix by the IT security team.

Ouch. The fallout from this has already imposed sweeping executive change, from the CISO to the CEO, and more action is certainly on its way.

But let’s be honest. As security practitioners, we’ve all delayed an update or two. New vulnerabilities seem to crawl out of the woodwork daily and it’s difficult, if not downright impossible, to keep up with the volume of needed patches and updates, especially when you consider tight budgets and insufficient head count. But, as we read every week in the news, failure to patch and update is a risky bet. Lack of bandwidth may be a justifiable reason, but it can’t be our excuse.

Traditional, manual approaches to endpoint security compound the problem and lead to the neglect of basic maintenance such as patching. We recently teamed up with the Ponemon Institute for our annual look at The Cost of Insecure Endpoints and found that typical security and IT teams spend an average of 1,156 hours per week manually assessing, managing and securing endpoints. Furthermore, 75% of respondents said they aren’t keeping up with patching.

While there isn’t a single silver bullet for organizational security, there are important steps to prioritize. Because you can’t patch what you don’t know you have, respondents to the study ranked automation a critical component of maintaining both visibility and control over endpoints. Not only do more of the needed updates get made this way, improving security posture, it could also save organizations a lot of money. According to the study, $3.4 million would be saved per year, in part because teams waste an average of 425 man-hours each week chasing false negatives and false positives.
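The “know what you have, then check it against what is fixed” step is the part that can be automated, and the following is an added example of that check, written for this article; it is not code from the original post and not an Absolute Software tool. The inventory lines are constructed sample data in an assumed “host product version” format such as an endpoint agent or SBOM scan might produce. The two Apache Struts fixed versions in the rule set, 2.3.32 and 2.5.10.1, are the fixed releases from Apache’s S2-045 advisory for CVE-2017-5638, the Struts flaw cited in the Equifax case; the convention that the first two version components identify a release branch is an assumption of this example. Anything not covered by a rule, or sitting on a branch with no fixed release, is reported rather than silently passed, because the point of the exercise is to surface what you do not know.

```python
"""Inventory-versus-fixed-version audit.

Added example for this article; not Absolute Software code.
Assumed input format: one 'host product version' triple per line.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """\
web-01 apache-struts 2.3.31
web-02 apache-struts 2.3.32
web-03 apache-struts 2.5.10
web-04 apache-struts 2.5.10.1
web-05 apache-struts 2.1.8
db-01  openssh 7.4p1
"""

# product -> fixed releases, one per supported branch.
# Struts entries are the S2-045 (CVE-2017-5638) fixed releases.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "apache-struts": ["2.3.32", "2.5.10.1"],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); '7.4p1' -> (7, 4).

    Only the leading numeric part of each dot- or dash-separated token is
    kept, so tuple comparison orders 2.5.10 below 2.5.10.1 as required.
    """
    parts = []
    for token in re.split(r"[.\-]", version):
        match = re.match(r"(\d+)", token)
        if not match:
            break
        parts.append(int(match.group(1)))
    return tuple(parts)


def branch(vt: Tuple[int, ...]) -> Tuple[int, ...]:
    """Assumed branch convention: first two version components."""
    return vt[:2]


def parse_inventory(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'host product version' lines; blank and '#' lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = line.split()
        rows.append((host, product, version))
    return rows


def status_for(product: str, version: str,
               fixed_versions: Dict[str, List[str]]) -> str:
    """Classify one install: patched, vulnerable, unsupported-branch, no-rule."""
    fixes = fixed_versions.get(product)
    if fixes is None:
        return "no-rule"              # nothing known: report, do not assume safe
    installed = parse_version(version)
    for fixed in fixes:
        fixed_t = parse_version(fixed)
        if branch(fixed_t) == branch(installed):
            return "patched" if installed >= fixed_t else "vulnerable"
    return "unsupported-branch"       # branch has no fixed release at all


def audit(inventory_text: str,
          fixed_versions: Dict[str, List[str]] = FIXED_VERSIONS
          ) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, status) for every inventory row."""
    return [(h, p, v, status_for(p, v, fixed_versions))
            for h, p, v in parse_inventory(inventory_text)]


def needs_action(inventory_text: str,
                 fixed_versions: Dict[str, List[str]] = FIXED_VERSIONS
                 ) -> List[str]:
    """Hosts that require a patch or an upgrade off a dead branch."""
    return sorted(h for h, _, _, s in audit(inventory_text, fixed_versions)
                  if s in ("vulnerable", "unsupported-branch"))


if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {product:14} {version:10} {status}")
    print("needs action:", ", ".join(needs_action(SAMPLE_INVENTORY)))
```

Run against the sample data, web-01 and web-03 are flagged as vulnerable (below the fixed release on their branch), web-05 is flagged because its branch has no fixed release, and db-01 is reported as “no-rule” rather than quietly counted as fine. The real work in production is feeding the inventory, not the comparison: if a host is missing from the list, no version check will ever run for it.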

Equifax is but one example in a sea of missed security patches. Every victim of WannaCry ransomware, and many others, are more recent cases in point. Unfortunately, this problem isn’t going away anytime soon.

ABOUT THE AUTHOR

Richard Henderson
Richard Henderson is global security strategist at Absolute Software, where he is responsible for spotting trends, watching industries and creating ideas. He has nearly two decades of experience and involvement in the global hacker community. He is a researcher, a regular presenter at conferences, and a skilled electronics hacker. He was one of the first researchers in the world to defeat Apple's TouchID fingerprint sensor on the iPhone 5S. Richard was a technical editor of a book on IoT security, RIoT Control: Understanding and Managing Risks and the Internet of Things. He is currently co-authoring the second edition of Cybersecurity for Industrial Control Systems.