
How Patch Hesitancy Weakens National Security

The number of vulnerabilities in circulation is booming. Patching has been placed at the forefront of modern security – with great emphasis placed upon a ‘little but often’ approach. However, even as patch implementation is heralded as the pinnacle of security, an increasing number of reports are discovering that misconfigured and missing patches are the direct cause of a vast majority of data breaches.

The tech assets that organizations rely on for streamlined communications, skills, and management are continuously becoming outdated, and attackers have already discovered this. Always-on virtual patching systems such as WAF and RASP technology may provide a key part of the solution.

The Migraine of Modern Vulnerability Management

Enterprises are straining under the weight of patch management. A strong foundation of DevSecOps demands constant maintenance of an organization’s hardware and software asset inventory. Each of these assets has its own demands surrounding updates and patch implementation; for mature organizations, the sheer volume of apps and systems presents one of the greatest challenges to modern security.

And while the number of alerts flooding the security team spirals, the very architecture of modern companies is only making things harder. Remote employees who span the globe, alongside always-available cloud architecture, have blown the doors clean off the traditional endpoint perimeter. This news was broken in particularly brutal fashion with Microsoft’s ProxyLogon vulnerability in 2021. This critical remote code execution flaw combined a number of major individual threats. First, a pre-authentication proxy flaw in Microsoft Exchange servers allows an attacker to bypass any established authentication controls. Once the attacker has all the privileges of a server admin, a post-authentication vulnerability then allows them to write files to the system itself.

By chaining these flaws, malicious individuals could exert complete control over any Exchange server hosted on the public internet. Following Microsoft’s public disclosure of the flaw on March 2nd, some 400,000 on-premises servers were thought to be directly at risk from this attack path. From the moment of public disclosure, the patching process becomes a race against opportunistic attackers. In a report assessing the time to patch for this flaw, RiskIQ found that the number of unpatched servers fell from 400,000 on the 2nd to 82,731 on the 11th. After more than a week, almost a quarter of highly vulnerable organizations were still at risk. By late April, this had dropped to roughly 18,000.

The number of vulnerable servers remained stubbornly high, despite Microsoft’s continued attempts to support organizations’ last-minute fixes. Microsoft released a one-click mitigation tool, a free scanning function to check for exploitation, and tools that would then attempt to reverse malicious actions facilitated by ProxyLogon. Even with this above-and-beyond support, some organizations were still unable to implement a fix in time. This is a consequence of the difficult, thankless task that patching poses.

Let’s face it: patching can be repetitive, unrewarding labor that sometimes demands manual work as well. The sheer monotony and demands of patching mean that human error is quite common. Ideally, patches should be tested before implementation, which can help uncover any potential issues, but this costs more time and more money. This risk makes patching somewhat unpleasant from a business operations standpoint – sometimes a patch can break something vital in a completely unforeseen way. This is partly a problem of how complex our modern tech stacks have become. For small organizations, a broken patch roll-out can be painful. For large organizations, it can prevent thousands of people from working, be just as disruptive as a cyberattack, and require massive resources to fix.

If You Don’t Prioritize Flaws, Someone Else Will

Though the annual number of published CVEs has doubled since 2011, raw CVE counts are not necessarily an indication of higher attack volumes. ProxyLogon is one example where a few flaws used in tandem led to high-profile, uber-aggressive attacks. Advanced Persistent Threat actors, or APTs, are groups of cyber criminals that have a higher degree of training and sophistication than the average script-kiddie. HAFNIUM is one such group; funded and trained by the Chinese government, this group is a global cybercrime heavyweight that targets the networks of governments and critical infrastructure.

HAFNIUM targeted over 30,000 US organizations within weeks of the Exchange vulnerability’s discovery. The automated campaign sought out vulnerable servers and was able to breach thousands of companies every hour. Thousands continued to fall prey to HAFNIUM’s campaign after the patch was released, thanks to patch hesitancy. The group’s goal was soon discovered to be espionage. Because Exchange software handles the communications that flow throughout organizations, HAFNIUM actors enjoyed full and unrestricted access to the conversations and ideas in vulnerable organizations. Usernames, passwords, intellectual property and blackmail material would all have been seized throughout this attack.
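The two preceding sections argue that an asset inventory with per-asset patch demands, combined with prioritization by real exposure rather than raw CVE count, is what keeps a disclosure from becoming a breach. The following scorer is an added example, not the article's own code or any vendor's product: it ranks a constructed inventory by reachability from the internet, active exploitation and time since disclosure, and recommends a virtual patch or isolation where no vendor patch exists. The field names, weights, placeholder vulnerability ids and sample data are all assumptions made for illustration.

```python
"""Rank patch work by exposure rather than by raw CVE count.

Added example (not from the article): a small scorer over a constructed
asset inventory. Field names, weights, the placeholder vulnerability ids
and the sample data are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    asset: str
    vuln_id: str             # placeholder ids, not real CVE numbers
    cvss: float              # 0.0 - 10.0 base score
    internet_facing: bool    # reachable by opportunistic mass scanning
    exploited_in_wild: bool  # e.g. listed in a vendor or CISA exploitation feed
    patch_available: bool
    disclosed: date


def exposure_score(f: Finding, today: date) -> float:
    """Weighted score: severity, reachability, active exploitation and age."""
    score = f.cvss                       # base: 0..10
    if f.internet_facing:
        score *= 2.0                     # exposed to internet-wide scanning
    if f.exploited_in_wild:
        score += 10.0                    # the race against attackers is on
    age_days = (today - f.disclosed).days
    score += min(age_days, 30) / 3.0     # up to +10 for a month of exposure
    return round(score, 2)


def prioritize(findings, today):
    """Return (asset, vuln_id, score, action) rows, highest score first."""
    ranked = sorted(findings, key=lambda f: exposure_score(f, today), reverse=True)
    plan = []
    for f in ranked:
        action = "patch now" if f.patch_available else "virtual patch / isolate"
        plan.append((f.asset, f.vuln_id, exposure_score(f, today), action))
    return plan


# Constructed sample inventory; the date mirrors the article's timeline only loosely.
TODAY = date(2021, 3, 11)
SAMPLE = [
    Finding("mail-edge-01", "VULN-A", 9.8, True, True, True, date(2021, 3, 2)),
    Finding("hr-intranet", "VULN-B", 7.5, False, False, True, date(2021, 1, 15)),
    Finding("legacy-erp", "VULN-C", 8.1, True, False, False, date(2021, 2, 20)),
    Finding("dev-wiki", "VULN-D", 5.3, False, False, True, date(2021, 3, 9)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, TODAY):
        print(row)
```

The point of the weights is the shape of the ranking, not the exact numbers: an internet-facing, actively exploited flaw outranks an older, higher-volume backlog of internal findings, and an unpatchable legacy system surfaces with an explicit interim action instead of silently falling to the bottom of the list.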

A Better Way of Managing Unpatched Holes

Traditional patching represents a constant uphill battle. With virtual patching, however, mechanisms can be put in place that continuously protect the application or software in question. The Web Application Firewall (WAF) represents a uniquely powerful piece of virtual patching software, as it sits between the application and external traffic. A WAF is driven by policies, allowing for protection that closely follows your organization’s own contours. Next-gen WAFs now include automatic policy creation and fast rule propagation, based on your security provider’s attack signature database and correlation engines that analyze the IP addresses of would-be users.

While a WAF helps guarantee the legitimacy of users who walk through the front door, Runtime Application Self-Protection (RASP) monitors the inner workings of the application itself. Requiring no internal code changes, the RASP solutions provided by next-gen security providers continuously monitor the app in question. Any behavior deemed out of the ordinary can be investigated more closely thanks to automated security alerts, or stopped outright by automatic shutdown of the suspected behavior or request.
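To make the division of labor between the two layers concrete, here is an added example that is not the article's code and not any vendor's product. A small policy-driven request filter stands in for the WAF (it inspects path and headers before the request reaches the app, and either blocks, alerts or allows), and a runtime hook stands in for RASP (it wraps the app's own file-write routine without editing the app's source and refuses writes that escape the upload directory). The rule ids, paths, header names, upload root and the stand-in application are all constructed for illustration.

```python
"""Virtual patching in two layers, as a runnable sketch.

Added example, not the article's code and not any vendor's product: a
policy-driven request filter standing in for a WAF, and a runtime guard
standing in for RASP. Rule ids, paths, header names and the sample app are
all constructed for illustration.
"""
import posixpath
import re
from dataclasses import dataclass, field

# ---- WAF layer: policy rules checked before a request reaches the app ----

@dataclass
class Rule:
    rule_id: str
    path_pattern: str                                     # regex over the path
    header_patterns: dict = field(default_factory=dict)   # header -> regex
    action: str = "block"                                 # "block" or "alert"

@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

# Constructed policy: placeholder virtual patches for endpoints awaiting a fix.
POLICY = [
    Rule("VP-0001", r"^/internal-admin/"),
    Rule("VP-0002", r"^/api/", {"X-Forward-Target": r".+"}),
    Rule("VP-0003", r"^/upload$", action="alert"),
]

def evaluate(req, policy=POLICY):
    """Return (action, rule_id) for the first matching rule, else ("allow", None)."""
    for rule in policy:
        if not re.search(rule.path_pattern, req.path):
            continue
        if all(re.search(p, req.headers.get(h, "")) for h, p in rule.header_patterns.items()):
            return rule.action, rule.rule_id
    return "allow", None

# ---- RASP layer: a guard wrapped around the app's own write routine ----

UPLOAD_ROOT = "/var/app/uploads"        # constructed

class BlockedByRasp(Exception):
    """Raised when the guard refuses an operation inside the app."""

def is_within_root(name, root=UPLOAD_ROOT):
    """Normalise the joined path and require it to stay under root."""
    full = posixpath.normpath(posixpath.join(root, name))
    return full == root or full.startswith(root + "/")

class App:
    """Stand-in application whose save_file trusts its caller (the unpatched flaw)."""
    def __init__(self):
        self.store = {}
    def save_file(self, name, data):
        self.store[posixpath.join(UPLOAD_ROOT, name)] = data
        return len(data)

def install_rasp(app):
    """Hook save_file at runtime without editing the app's source."""
    original = app.save_file
    def guarded(name, data):
        if not is_within_root(name):
            raise BlockedByRasp(f"write escapes {UPLOAD_ROOT}: {name!r}")
        return original(name, data)
    app.save_file = guarded
    return app

# ---- Pipeline: WAF decision first, then the app with RASP inside ----

def handle(app, req, log):
    """Return (status, detail); log entries record what was blocked and why."""
    action, rule_id = evaluate(req)
    if action == "block":
        log.append(f"waf block {rule_id} {req.method} {req.path}")
        return 403, rule_id
    if action == "alert":
        log.append(f"waf alert {rule_id} {req.method} {req.path}")
    if req.method == "POST" and req.path == "/upload":
        try:
            n = app.save_file(req.headers.get("X-Filename", ""), req.body.encode())
        except BlockedByRasp as exc:
            log.append(f"rasp block {exc}")
            return 403, "rasp"
        return 201, n
    return 200, "ok"

if __name__ == "__main__":
    app, log = install_rasp(App()), []
    print(handle(app, Request("GET", "/internal-admin/users"), log))
    print(handle(app, Request("POST", "/upload", {"X-Filename": "report.txt"}, "hello"), log))
    print(handle(app, Request("POST", "/upload", {"X-Filename": "../../etc/x"}, "x"), log))
    print(*log, sep="\n")
```

Two design points carry over to real deployments: the WAF rule acts on request shape alone and can be propagated to every front door the moment a disclosure lands, while the RASP hook sees the operation the app is actually about to perform, so it catches the write that slipped past the perimeter. The log lines are what a security team would feed into detection, since each one names the layer, the rule and the request that was stopped.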

Unless the software in question is legacy, virtual patching is not an outright replacement for patch installation. Its role is in the crucial, time-critical gap between the discovery of an exploit and the rollout of suitable patches.
