Vulnerability scanning and patching is a cornerstone of cybersecurity. Deploying relevant patches is a critical step in basic security measures to minimize any organization's endpoint vulnerabilities. In response to COVID-19, many companies are now required to have employees work from home (WFH). This sudden transition to a remote workforce has resulted in essential security practices and assessments like patching, to become either delayed, neglected or forgotten. As such, we can expect attackers to take advantage of this and use vulnerable devices to infiltrate an organization.
In Part 2 of our 4 part series, we will discuss:
- Maintaining Patch Management during COVID-19
- Using COVID-19 to Reinforce the Importance of Patch Management
- How is COVID-19 changing Endpoint Security?
The Patching Problem
The conventional approach of scanning a network to identify vulnerabilities and then applying the relevant patches has become challenging with the remote workforce let alone the challenges of patching users or managing Windows updates. This is a severe issue because scanning and patching are how organizations attempt to reduce their attack surface. With the sudden transition to a remote workforce, Information Technology (IT) and Security Operations Centers (SOCs) have had little time to develop a patch management plan, or even consider it. Additionally, because employee devices are no longer on the physical network and either using VPN with varying bandwidth or BYOD (Bring Your Own Device), it may no longer be possible to use the standard patching approach of launching a network scan to identify vulnerabilities in desktops, servers, or other endpoint devices.
Since companies are operating remotely, effective patch management is now more important than ever. Cybercriminals will undoubtedly leverage the new disoriented workforce to exploit vulnerabilities. Patching current vulnerabilities and exposures (CVEs) is the most effective way to repair weaknesses before threat actors try to exploit them. Furthermore, at the start of the COVID-19 pandemic, U.S. Cyber Security officials released an advisory warning companies to update their Virtual Private Networks (VPNs) and be on the lookout for increased malicious emails. Vulnerable VPNs and other platforms are essentially a straight path into infiltrating an organization. This can be contributed to the weak passwords used on home computers which make it easy for a hacker to access office data if the computer is connected to the business network. Additionally, home computers often have a single account are that is used by different people to visit questionable sites that could potentially infect an employee’s computer and make it easier for an adversary to attack a business next time they remote into the office network. In which case, even if a BYOD device has an antivirus, most consumer-ready products cannot stop campaigns from sophisticated threat actors. As a result, routine security processes like patch management should not be overlooked.
Are there solutions for remote patching?
The road to managing patches and updates on systems that are not internally hosted or worse BYOD is long. This is not only because the roads could quite literally be miles apart, but also patching remote devices necessitates the individual deploying the update has physical access to an endpoint. There's no panacea to patch management but there are tools that make it less overwhelming.
Enterprises using Active Directory (AD) can force auto-updates every time a user logs into the domain. However, a large number of small to medium-sized organizations do not have this luxury nor budget to integrate AD. They typically rely on more manual processes like manual updates by the “IT” guy, setting up Windows Update on each user’s computer and hoping they actually apply the patches, sending out large file attachments, distributing flash drives, and even archaic avenues like CDs. As a result, to apply patches these methods may require unacceptable downtime.
Fortunately, there are numerous remote automated scanning and patching solutions available for organizations. These solutions come in various configurations and operate as an all-in-one for detecting, acquiring, deploying, and reporting on patch activities. Having a single solution that does all this is very valuable in times of unforeseen catastrophes because it contributes to the business continuity plan. However, implementing remote solutions requires asking questions. Silent Sector prides itself in remaining technology agnostic. However, we recommend organizations such as Gartner be used to compare remote management products and investigate essential matters.
Simple questions must be considered such as, "Does the business have the budget?" Often times, remote scanning software comes with a substantial price tag to install and then there are the reoccurring licensing costs. Also, "Does the organization have the capability to implement an automated solution?" As managing updates on geographically spread endpoints poses several issues such as bandwidth considerations and distinguishing the different IT systems employees are using.
Not all employees will have the available bandwidth to download Operating System (OS) updates and patches. Hence, using an automated solution is ideal because they often have features like bandwidth throttling which can detect available bandwidth and avoid interfering with other downloads. They also have checkpoint restarts that can continue a download from where it left off after a network interruption. Automated solutions can help companies manage and monitor the different OS used by personnel, reducing the chance a vulnerable endpoint can slip through detection.
Patching Speed Drawbacks
The development of security automation has its drawbacks in that adversaries are also applying it. This is evident in the threat landscape with hackers using automation to attack more aggressively. What’s more, is the rise in AI-fueled attacks suggests the speed at which they occur will only increase. Thus, to thwart adversaries, organizations should quickly deploy vendor patches upon properly testing them.
While ideally every endpoint should be patched 24/7, this is not an achievable reality when working with remote personnel. As such, IT departments should prioritize the patching of mission-critical endpoints and the devices of vital employees. Additionally, they can consider plans to make the patching of every endpoint more attainable. For instance, with a 7/30/60-day plan — 7 days are given for patching high-risk vulnerabilities, 30 for medium vulnerabilities and 60 for low-risk vulnerabilities. Once an endpoint has been patched, it can be easy to forget about and this is more so in virtual environments. For this reason, straying from the “patch and proceed” mindset will help organizations keep basic security at their forefront.
Patching Legacy and Systems Reaching End of Life
One important task while conducting network scans is considering how legacy OS and applications are handled. This is because every networking device accessing the internal network comes with its own distinct vulnerabilities and thus brings potential risks. Moreover, allocating money to inefficient solutions is not a sustainable business case. A typical example of this problem is many organizations and end users still use deprecated operating systems like WindowsXP, Windows 2003, or Windows 7. Because these systems are no longer supported by Microsoft and becoming increasingly unstable, there is a frequent break-fix cycle. This cycle is not maintainable in times of increased WFH personnel and heightened threat actors.
As vendors discontinue support for legacy equipment and operating systems, organizations need to have an end-of-life plan or mitigation strategy to prevent an endpoint from putting the entire network at risk. In particular, vulnerable but essential workstations remotely connecting into the internal network should be isolated to protect other endpoints. This presumably protects neighboring devices in the likelihood a vulnerable endpoint is compromised because it is on a discrete network. They should also be analyzed and classified as to how critical they are to the business. The more critical, the more robust compensating controls should be placed. With adversaries inventing new ways to defeat security safeguards placed on WFH employees, this is imperative.
Patch Management is Indispensable
Effective patch management enables organizations to proactively reduce their risk of getting breached. Automating patch management allows organizations to free up time troubleshooting deployment problems and re-focus IT resources on business objectives. Additionally, having and documenting a patch management program empowers organizations to improve their disaster recovery plan, giving them a competitive advantage in turbulent times.
This is very noticeable with the current COVID-19 pandemic in that prepared organizations are not running and reacting to the hysteria around them, but on the offensive by continuing normal business innovation.
In spite of the unpleasant circumstance, events like COVID-19 help reveal just how critical IT coupled with basic security is to business continuity and which processes, assets, and employees are critical. Thus, revealing how fundamental cybersecurity like patch management must still be executed to protect a business.