Defending the Enterprise Part 2: The Exploitation of Unpatched Systems
By Bob Thibodeaux, CISO, DefenseStorm
In part one of this series, I talked about defending the enterprise by strengthening the human firewall. In part two, I’ll focus on patching vulnerable systems.
Let’s take a look at some of the headlines from the last couple of years:
- “Atlanta’s municipal government has been brought to its knees since Thursday morning by a ransomware attack.”
- “Russian state hackers use ransomware to paralyze computers in Ukraine on the eve of the country’s independence day.”
- “Hackers gained access to the information of 143 million Equifax customers, including their names, birth dates, drivers' license numbers, Social Security numbers, and addresses.”
What do all these incidents have in common? Unpatched systems—which expose weaknesses that can be exploited by cybercriminals. If you still need convincing that unpatched systems pose a massive threat, consider these stats from a recent Ponemon Institute study that surveyed nearly 3,000 IT professionals worldwide on their patching practices.
- 50% of organizations say they were hit with one or more data breaches in the past two years
- 34% say they knew their systems were vulnerable prior to the attack
So, how can you avoid becoming the next Atlanta, Ukraine, or Equifax? Here’s my advice:
1. Scan your systems.
Credit unions should have an ongoing process in place to scan all of their infrastructure, both internal and external systems, to determine where they are most vulnerable. There are several tools and services you can use for this:
- Shodan (shodan.io) is a search engine for Internet-connected devices. It continuously indexes the banners of exposed services and makes them searchable, so you can see your own external footprint the way an attacker does. There are free and paid tiers.
- Rapid7 provides vulnerability assessment products and services; WhiteHat Security does the same with a focus on web applications.
- Nmap is a free and open-source utility for network discovery and security auditing. With service detection (-sV) it reports the product and version behind each open port, which is the raw material for a patch list.
Keep in mind that it’s not only the good guys using these tools. The bad guys use them too, looking for vulnerabilities they can exploit!
2. Analyze the data.
Once your scans are complete, you’ll need to analyze the data to determine where you are most vulnerable and exposed—and then check Twitter to see if that particular vulnerability is being exploited in the wild. I follow a large number of security researchers on Twitter to keep up with current tactics, techniques, and procedures (TTPs).
3. Start patching.
If you find vulnerabilities, you have to get the systems patched as soon as possible. The longer a system stays unpatched, the more likely it is that a working exploit for it is circulating, so the risk grows with every week of delay. You should shoot for getting everything patched within 90 days. That can be hard, especially if you have a fairly large organization with lots of endpoints and servers.
You may have to cherry-pick and prioritize—and the first order of business is always going to be your public assets. From there, you can work your way inside to the critical systems in your internal infrastructure. In the cloud world, you may not have a lot of internal systems, but if a bad guy gets ahold of an endpoint that has access to a critical system in the cloud, you’re in trouble. So keeping the endpoints patched and up to date is incredibly important.
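Here is what steps 1 through 3 look like when they are wired together: parse the XML that Nmap writes with -oX, join each open service to an asset inventory that says whether the host is public-facing and how critical it is, and order the work public assets first with a 90-day due date on every finding. This is an added example, not code from the article or from DefenseStorm. The Nmap XML layout is real; the hosts, services, inventory, first-seen dates and scan date are constructed sample data.

```python
"""Turn scan output into a patch queue: parse Nmap XML, join it with an asset
inventory, and order the work public-first with a 90-day SLA.

Added example; not code from the article or from DefenseStorm. Nmap's -oX
format is real; the hosts, services, inventory and dates are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed Nmap output (the shape written by `nmap -sV -oX out.xml`),
# trimmed to the elements this script reads.
NMAP_XML = """<nmaprun scanner="nmap" start="1528675200">
  <host><status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.20.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Windows Server 2008 R2" version=""/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed asset inventory: exposure and criticality per host (3 = core
# system), plus the date a scan first reported each open service.
INVENTORY = {
    "203.0.113.10": {"exposure": "external", "criticality": 2},
    "10.20.0.5": {"exposure": "internal", "criticality": 3},
}
FIRST_SEEN = {
    ("203.0.113.10", 22): date(2018, 2, 1),
    ("203.0.113.10", 443): date(2018, 5, 20),
    ("10.20.0.5", 445): date(2018, 3, 15),
}
SCAN_DATE = date(2018, 6, 11)   # constructed "today" for the run below
SLA_DAYS = 90
# Public assets first, then hosts missing from the inventory (you did not know
# you had them), then internal systems.
EXPOSURE_RANK = {"external": 0, "unknown": 1, "internal": 2}

@dataclass
class Finding:
    host: str
    port: int
    service: str
    product: str
    version: str
    exposure: str
    criticality: int
    due: date
    overdue: bool

def parse_nmap_xml(xml_text):
    """Return (host, port, service, product, version) for every open TCP port."""
    out = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not exposure
            svc = port.find("service")
            out.append((addr, int(port.get("portid")), svc.get("name", ""),
                        svc.get("product", ""), svc.get("version", "")))
    return out

def build_patch_queue(xml_text, inventory, first_seen, today, sla_days=SLA_DAYS):
    """Join scan results with the inventory and sort by exposure, then
    criticality, then oldest due date. Findings past the SLA are flagged."""
    queue = []
    for addr, port, name, product, version in parse_nmap_xml(xml_text):
        meta = inventory.get(addr, {"exposure": "unknown", "criticality": 1})
        due = first_seen.get((addr, port), today) + timedelta(days=sla_days)
        queue.append(Finding(addr, port, name, product, version,
                             meta["exposure"], meta["criticality"], due, today > due))
    queue.sort(key=lambda f: (EXPOSURE_RANK[f.exposure], -f.criticality, f.due))
    return queue

if __name__ == "__main__":
    for f in build_patch_queue(NMAP_XML, INVENTORY, FIRST_SEEN, SCAN_DATE):
        status = "OVERDUE" if f.overdue else "due " + f.due.isoformat()
        print(f"{f.exposure:8} crit={f.criticality} {f.host}:{f.port} "
              f"{f.product} {f.version} {status}")
```

Run against real output, the only thing to swap in is the file Nmap wrote and your own inventory; the sort key encodes the priority order from above (public assets, then critical internal systems), and the overdue flag is what you report to management against the 90-day target.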
4. Follow your standards and frameworks.
Everything I’ve said regarding human firewalls and patching systems is based on the Center for Internet Security (CIS) controls that provide prioritized cybersecurity best practices. You can join CIS for free and gain access to a number of high-quality documents that will help to harden your network and systems. Using these resources as a starting point can save you a lot of headaches and hassles—and you’ll be in better shape if the bad guys strike.