In the 2022 SonicWall Cyber Threat Report, we reported CISA’s top 10 list of most exploited vulnerabilities. The remarkable thing about this list, however, was less the vulnerabilities themselves, and more what it said about the current state of IT: Of the top 10 most exploited vulnerabilities, all of which had patches readily available, only two had been identified that year — the rest were all more than a year old, and in some cases, several years old.
SonicWall’s own threat intelligence echoed these findings, with a number of even older vulnerabilities still being actively exploited, including CVE-2013-3541, CVE-2016-1605, CVE-2014-6036 and many more.
Even more baffling (especially considering how devastating and highly publicized it was), SonicWall was still observing instances of WannaCry being exploited in the wild in 2021. And this wasn’t a few isolated cases here or a dozen there, either: SonicWall observed more than 100,000 instances of WannaCry last year alone, despite the fact that the EternalBlue vulnerability was patched nearly five years before.
Who’s Patching—and Who Isn’t
Patching remains one of the lowest-cost, highest-impact cybersecurity practices for both organizations and individuals. Unfortunately, while most realize the dangers posed by unpatched vulnerabilities — a recent report from Gartner showed more people rated vulnerabilities as “very important” than did ransomware — research shows that many still aren’t making it a priority.
In the 2022 SonicWall Threat Mindset Survey, 78% of those surveyed reported they don’t patch critical vulnerabilities within 24 hours of patch availability, and 12% only apply critical patches when they get around to it.
These organizations may think that the risk of attack is small, but the numbers don’t lie: In the first half of 2022, the number of malicious intrusions recorded by SonicWall totaled 5.7 billion. While some of these were zero-day vulnerabilities that hadn’t yet been patched or widely publicized, the vast majority of exploited vulnerabilities are ones that have been both published and patched — making virtually all attacks targeting these vulnerabilities completely preventable.
And these tendencies are also exploited by cybercriminals. As soon as a vulnerability is publicized, attackers get to work crafting malware to take advantage of it, knowing many companies are slow to patch. As a result, application vulnerabilities continue to be the most common method of external attack, and patching is frequently what separates targets from victims. According to Ponemon Institute research, 57% of cyberattack victims say their breach could have been prevented by installing an available patch, and 34% of those victims said they knew about the vulnerability, but hadn’t acted to prevent it.
The Benefits of Patching
Stopping attacks like this is the most critical benefit of installing updates, but it isn’t the only one. Some updates also deliver new features and functionality, including bug fixes that can provide improvements to the user experience. Patching can also allow software to work with the latest hardware, prolonging the life of your investment.
But patching can also help you maintain compliance and avoid fines. For example, after the discovery of the Log4j/Log4Shell vulnerabilities, the U.S. Federal Trade Commission issued guidance stating that failure to take reasonable mitigation steps (read: patching), “implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act.” The Commission went on to warn that it “intends to use its full legal authority to pursue companies that fail to take responsible steps to protect consumer data from exposure as a result of Log4j.”
(These aren’t just empty threats: After the Equifax breach in 2017, the company reached a settlement of $575 million over data theft affecting as many as 147.9 million people. The compromise occurred due to the exploitation of a vulnerability that had been patched by the vendor, but not applied by Equifax.)
Patching Best Practices
While people give a few reasons for not patching promptly, such as a complex network of dependencies, a lack of time and a desire to avoid downtime, it’s worth stating that in the event of an attack, each of these factors will be multiplied. However, they can also be mitigated with the application of a few patching best practices:
- Create an inventory of your systems, including software and hardware. You can’t patch what you don’t know you have.
- Move toward standardization — the fewer versions of a given OS, software, etc., you have running, the easier patching becomes.
- Institute a standardized patch management policy. This should include a plan for regularly applying less-critical patches, as well as procedures and timelines for emergency patching.
- Develop a prioritization strategy. In a perfect world, all patches would be applied instantaneously, but this isn’t realistic in today’s world of 24×7 business and stretched IT staff. Effective prioritization will ensure the vulnerabilities that are most critical and most widespread in your organization will be addressed first.
- Follow the National Vulnerability Database, know your vendors’ patch schedules, and sign up for notifications to ensure you’re informed about critical vulnerabilities. You can’t apply patches you don’t know exist.
- Perform routine audits to ensure all devices have critical patches in place.
- Test each patch carefully to ensure a patch doesn’t “break” anything in your environment, and roll out patches in batches to ensure any problems that slipped under the radar during testing affect as few systems as possible.
- Ensure employees know what they’re responsible for keeping updated and the timelines within which they’re expected to apply updates.
- Consider patch management tools to help automate the update process
While there is some additional time and effort involved in setting up a patching best practice, if it’s maintained properly, it will only need to be done once — and it could save your organization millions. However, patching isn’t a panacea: If password hygiene isn’t up to the task, cybercriminals will have no problem accessing your network, as we’ll discuss in next week’s Cybersecurity Awareness Month blog.