
The Power of Patching: Why Updating Your Software Should Be a Top Priority

In the 2022 SonicWall Cyber Threat Report, we reported CISA’s top 10 list of most exploited vulnerabilities. The remarkable thing about this list, however, was less the vulnerabilities themselves, and more what it said about the current state of IT: Of the top 10 most exploited vulnerabilities, all of which had patches readily available, only two had been identified that year — the rest were all more than a year old, and in some cases, several years old.

SonicWall’s own threat intelligence echoed these findings, with a number of even older vulnerabilities still being actively exploited, including CVE-2013-3541, CVE-2016-1605, CVE-2014-6036 and many more.

Even more baffling (especially considering how devastating and highly publicized it was), SonicWall was still observing instances of WannaCry being exploited in the wild in 2021. And this wasn’t a few isolated cases here or a dozen there, either: SonicWall observed more than 100,000 instances of WannaCry last year alone, despite the fact that the EternalBlue vulnerability was patched nearly five years before.

Who’s Patching—and Who Isn’t
Patching remains one of the lowest-cost, highest-impact cybersecurity practices for both organizations and individuals. Unfortunately, while most realize the dangers posed by unpatched vulnerabilities — a recent report from Gartner showed more people rated vulnerabilities as “very important” than did ransomware — research shows that many still aren’t making it a priority.

In the 2022 SonicWall Threat Mindset Survey, 78% of those surveyed reported they don’t patch critical vulnerabilities within 24 hours of patch availability, and 12% only apply critical patches when they get around to it.

These organizations may think that the risk of attack is small, but the numbers don’t lie: In the first half of 2022, the number of malicious intrusions recorded by SonicWall totaled 5.7 billion. While some of these were zero-day vulnerabilities that hadn’t yet been patched or widely publicized, the vast majority of exploited vulnerabilities are ones that have been both published and patched — making virtually all attacks targeting these vulnerabilities completely preventable.

And these tendencies are also exploited by cybercriminals. As soon as a vulnerability is publicized, attackers get to work crafting malware to take advantage of it, knowing many companies are slow to patch. As a result, application vulnerabilities continue to be the most common method of external attack, and patching is frequently what separates targets from victims. According to Ponemon Institute research, 57% of cyberattack victims say their breach could have been prevented by installing an available patch, and 34% of those victims said they knew about the vulnerability, but hadn’t acted to prevent it.

The Benefits of Patching
Stopping attacks like these is the most critical benefit of installing updates, but it isn’t the only one. Some updates also deliver new features and functionality, including bug fixes that improve the user experience. Patching can also allow software to work with the latest hardware, prolonging the life of your investment.

But patching can also help you maintain compliance and avoid fines. For example, after the discovery of the Log4j/Log4Shell vulnerabilities, the U.S. Federal Trade Commission issued guidance stating that failure to take reasonable mitigation steps (read: patching), “implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act.” The Commission went on to warn that it “intends to use its full legal authority to pursue companies that fail to take responsible steps to protect consumer data from exposure as a result of Log4j.”

(These aren’t just empty threats: After the Equifax breach in 2017, the company reached a settlement of $575 million over data theft affecting as many as 147.9 million people. The compromise occurred through the exploitation of a vulnerability for which the vendor had already released a patch, but which Equifax had not applied.)

Patching Best Practices
While people give a few reasons for not patching promptly, such as a complex network of dependencies, a lack of time and a desire to avoid downtime, it’s worth stating that in the event of an attack, each of these factors will be multiplied. However, they can also be mitigated with the application of a few patching best practices:

  • Create an inventory of your systems, including software and hardware. You can’t patch what you don’t know you have.
  • Move toward standardization — the fewer versions of a given OS, software, etc., you have running, the easier patching becomes.
  • Institute a standardized patch management policy. This should include a plan for regularly applying less-critical patches, as well as procedures and timelines for emergency patching.
  • Develop a prioritization strategy. In a perfect world, all patches would be applied instantaneously, but this isn’t realistic in today’s world of 24×7 business and stretched IT staff. Effective prioritization will ensure the vulnerabilities that are most critical and most widespread in your organization will be addressed first.
  • Follow the National Vulnerability Database, know your vendors’ patch schedules, and sign up for notifications to ensure you’re informed about critical vulnerabilities. You can’t apply patches you don’t know exist.
  • Perform routine audits to ensure all devices have critical patches in place.
  • Test each patch carefully to ensure a patch doesn’t “break” anything in your environment, and roll out patches in batches to ensure any problems that slipped under the radar during testing affect as few systems as possible.
  • Ensure employees know what they’re responsible for keeping updated and the timelines within which they’re expected to apply updates.
  • Consider patch management tools to help automate the update process.
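As an added example (not SonicWall’s code) of how the inventory, prioritization, timeline and audit steps above fit together, the following Python ranks a constructed system inventory against a constructed advisory feed; the host names, package versions, CVE ids and the non-critical policy windows are all assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Policy timelines in hours from patch availability. The 24-hour critical window
# is the threshold the survey above uses; the other windows are assumed values.
SLA_HOURS = {"critical": 24, "high": 72, "medium": 14 * 24, "low": 30 * 24}
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
NOW = datetime(2022, 10, 15)  # fixed "audit time" so the run is deterministic

# One vendor/NVD notification; fixed_version is the first version carrying the patch.
Advisory = namedtuple("Advisory", "cve package fixed_version severity exploited_in_wild patch_released")

# Constructed inventory (host -> {package: installed version}); step 1 of the
# list above, since you can't patch what you don't know you have.
INVENTORY = {
    "web-01": {"openssl": "3.0.7", "nginx": "1.18.0"},
    "web-02": {"openssl": "3.0.7", "nginx": "1.18.0"},
    "db-01": {"openssl": "3.0.8", "postgres": "13.2"},
    "file-01": {"samba": "4.13.2"},
}
# Constructed advisory feed; the CVE ids are placeholders, not real entries.
ADVISORIES = [
    Advisory("CVE-0000-0001", "openssl", "3.0.8", "critical", True, NOW - timedelta(days=3)),
    Advisory("CVE-0000-0002", "nginx", "1.20.0", "high", False, NOW - timedelta(days=1)),
    Advisory("CVE-0000-0003", "samba", "4.14.0", "medium", False, NOW - timedelta(days=20)),
    Advisory("CVE-0000-0004", "postgres", "13.1", "critical", True, NOW - timedelta(days=5)),
]

def version_key(v):
    return tuple(int(p) for p in v.split("."))  # numeric dotted versions only

def is_vulnerable(installed, fixed):
    """Unpatched when the installed version predates the fixed one."""
    return version_key(installed) < version_key(fixed)

def affected_hosts(adv, inventory):
    return sorted(h for h, pkgs in inventory.items()
                  if adv.package in pkgs and is_vulnerable(pkgs[adv.package], adv.fixed_version))

def prioritize(advisories, inventory, now):
    """Work list, most urgent first: severity weight x number of exposed hosts,
    doubled when exploitation is already observed; 'overdue' flags a policy breach."""
    items = []
    for adv in advisories:
        hosts = affected_hosts(adv, inventory)
        if not hosts:
            continue  # inventory shows nothing exposed (already patched or not run)
        score = SEVERITY_WEIGHT[adv.severity] * len(hosts) * (2 if adv.exploited_in_wild else 1)
        deadline = adv.patch_released + timedelta(hours=SLA_HOURS[adv.severity])
        items.append({"cve": adv.cve, "hosts": hosts, "score": score, "overdue": now > deadline})
    return sorted(items, key=lambda i: (-i["score"], not i["overdue"]))

def overdue_cves(items):
    """Audit view (routine-audit step above): work items past their policy timeline."""
    return [i["cve"] for i in items if i["overdue"]]
```

Note that the postgres advisory produces no work item because the inventory shows the installed version already carries the fix, which is the kind of noise an inventory-driven pass removes.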

While there is some additional time and effort involved in setting up a patching best practice, if it’s maintained properly, it will only need to be done once — and it could save your organization millions. However, patching isn’t a panacea: If password hygiene isn’t up to the task, cybercriminals will have no problem accessing your network, as we’ll discuss in next week’s Cybersecurity Awareness Month blog.

National Cybersecurity Awareness Month Spotlights the Role of Individuals in Stopping Attacks

If you were to poll a group of individuals at random about whether they have a role in cybersecurity, you’d probably get answers like, “No, I’m an attorney,” or “Actually, I work in education.” That’s because many people imagine cybersecurity in terms of solutions, brands or organizations.

But cybersecurity reaches far beyond what we consider the “cybersecurity industry.” It’s a goal, and the more of us who work toward it, the greater chance we all have of being successful. That’s why, this National Cybersecurity Awareness Month, SonicWall is joining the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA) to encourage you to “See Yourself in Cyber” by offering tips, best practices and more.

“We’ve all come to understand that sound protection includes people as the most important pillar of a sound cybersecurity strategy,” said SonicWall Executive Vice President and CMO Geoff Blaine. “An organization cannot be secure until the entire workforce is engaged in reducing cyber risks. Each member of the group has the power to harm or help, since each one has access to information and systems, handles sensitive data, and makes decisions every day that could maintain, erode or strengthen the human ‘attack surface’ of the organization.”

As National Cybersecurity Awareness Month Champions, SonicWall’s experts will spend the next month exploring ways to help organizations and individuals protect their information and secure their systems and devices. We’ll explore several topics in depth:

  • Think Before You Click
    If a link looks a little off, it could be an attempt to get sensitive information or install malware.
  • Update Your Software
    If you see a software update notification, act promptly. Better yet, turn on automatic updates.
  • Use Strong Passwords
    Passwords should be long, unique and randomly generated. Use password managers to generate and remember different, complex passwords for each of your accounts.
  • Enable Multi-Factor Authentication
    Protecting your online accounts requires more than just passwords. Enabling MFA makes you significantly less likely to get hacked.

For anyone who doubts one person can make a difference in securing against cyberattacks, consider this:

  • 95% of cybersecurity incidents occur due to human error[1]
  • 91% of cyberattacks start with someone opening a phishing email[2]
  • 64% of people are still using a password exposed in one breach for other accounts[3]
  • 58% of businesses reported a Business Email Compromise (BEC) attack in which an employee was successfully tricked, and sent or attempted to send funds to an attacker.[4]

Important steps can be taken to strengthen cybersecurity at the industry level, as well. By putting operational collaboration into practice, working together to share information in real time, and reducing risk and building resilience from the start, we can work together to protect our critical infrastructure and the systems we rely on every day.

And for individuals looking to play an even bigger role in the outcome of America’s security future, there is an opportunity to See Yourself as a cybersecurity employee. An estimated 714,548 cybersecurity jobs are currently unfilled, compared with 1,091,575 individuals currently employed in cybersecurity[5] — in other words, for every three people you know who work in cybersecurity, there are two positions open. As we move toward building a more cybersecurity-aware nation, we’d like to highlight the opportunities available for dedicated defenders to help build a bigger and more diverse workforce dedicated to solving the problems facing our country now and in the future.

“Moving the needle on cybersecurity awareness requires a collective approach,” said Lisa Plaggemier, the NCA’s executive director. “Businesses, nonprofits and governments all have a role to play in helping to up-level preparedness for cyber threats.”

About NCSAM

National Cybersecurity Awareness Month was launched by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) in October 2004 as a broad effort to help all Americans stay safer and more secure online. Following wide success of the ‘Our Shared Responsibility’ theme in years past, CISA and NCSA have shifted strategic focus to a message that promotes personal accountability.

To learn more about NCSAM, please visit StaySafeOnline.org.


[1] https://cybernews.com/editorial/world-economic-forum-finds-that-95-of-cybersecurity-incidents-occur-due-to-human-error/

[2] https://www.darkreading.com/endpoint/91-of-cyberattacks-start-with-a-phishing-email

[3] https://www.zdnet.com/article/were-all-still-using-the-same-passwords-even-after-theyve-been-breached/

[4] “How to Deal with Business Email Compromise,” Osterman Research White Paper, January 2022

[5] https://www.nist.gov/system/files/documents/2022/07/06/NICE%20FactSheet_Workforce%20Demand_Final_20211202.pdf

Bypassing Government Security Controls with Customized Malware

For a moment, think from the perspective of someone who wants to hack a government organization. Think of what they want to do. Seize critical records, encrypt the drive and hold it for ransom? Convert part of a resource into a cryptocurrency mining operation? Or, worse yet, attempt to disrupt or take down critical infrastructure (e.g., utilities, transportation systems, defense)?

As we explore the final theme of National Cybersecurity Awareness Month, “Safeguarding the Nation’s Critical Infrastructure,” I thought it would be valuable to go to a reliable source.

To get a better perspective on threats to critical infrastructure, I interviewed a skilled hacker. This is his plan.

Recon & Recode

First, he said he would do reconnaissance on the organization to look for potential vulnerabilities. Makes sense.

But his next step is concerning. He’d take a form of malware he’d used before — or another he finds for sale in an exploit kit designed to abuse a vulnerability — and customize it for that specific organization. Customization can be as simple as making a few cosmetic changes to the code, or changing the programming to do something slightly different based on previous failed attempts.

This step is important. The new batch of code hasn’t been registered with any firewall vendor, antivirus vendor, security researcher, etc. The targeted organization can’t stop it if their security controls don’t have the ability to conduct behavioral code analysis with zero-day code detonation.

Furthermore, if someone wants to take it to the next level, this code should arrive via an encrypted channel, in the hope that the target doesn’t do Man-in-the-Middle (MITM) inspection of HTTPS traffic. This can be delivered simply over social media or webmail.

Payload Delivery

Now it’s time for everyone’s favorite part: payload delivery. At the time of writing, I am looking at a publicly accessible online sales lead-generation database. At anyone’s fingertips are millions of names and email addresses for contacts ranging from airlines and retailers to higher education. The malicious hacker can easily download 5,886 contacts from a state transportation department or 4,142 from a previously attacked Canadian agency.

If he wants, he could send an infected attachment asking some 526 contacts from a Singapore government agency to open it, or bait 2,839 faceless people at an unnamed health department to click on his malicious link.

Despite awareness training and efforts to keep systems up to date and patched, 11 percent of people will open the attachment, according to a Verizon study. Within this population, there will be systems that he can infect and use as a launching point to get his malware to a target system — or at least give him backdoor access or a harvested credential to start working manually.

A hacker selects contacts for a phishing scam against an American county department of education.

How to Defend Against Customized Malware

This method is very similar to what we are seeing happen every day. Customized malware is the main reason why SonicWall discovered and stopped over 56 million new forms of malware in 2017.

In a government organization equipped with SonicWall technology, the email may first be stopped by email security based on the domain or other structures of the message, but you can’t take it for granted.

If the malware is delivered via attachment, SonicWall secure email technology can test the file in the Capture ATP cloud sandbox to understand what the file wants to do. SonicWall Email Security can also leverage Capture ATP to scan malicious URLs embedded in phishing attacks.

To learn more about this technology, read “Inside the Cloud Sandbox: How Capture Advanced Threat Protection (ATP) Works” and review the graphic below.

Protecting Endpoints Beyond the Firewall

But what about employees not behind the firewall? What if the malware is encrypted and the administrator did not activate the ability to inspect encrypted traffic (DPI-SSL)? What about an infected domain that serves fileless malware through an infected ad?

The answer to that is SonicWall Capture Client, a behavior-based endpoint security solution. The traditional antivirus (AV) that comes free with computers (e.g., Norton, Trend Micro, McAfee, etc.) is still around, but it only flags files that are already known to be malicious.

In an era of customized malware and creative distribution techniques, it is nearly obsolete. This is why government organizations in all countries favor behavior-based antivirus, known by names such as Endpoint Protection Platforms (EPP) or Next-Generation Antivirus (NGAV).

These forms of AV look at what is happening on the system for malicious behavior, which is great against customized malware, fileless malware and infected USB sticks. NGAV solutions don’t require frequent signature updates and know how to look for bad activity and can shut it down, in many cases, before it executes.

In the case of SonicWall Capture Client, it can not only stop things before they happen, but also roll back Windows systems to a known good state if the endpoint is compromised. This is extremely helpful with ransomware, since you can restore encrypted files and continue on as if the infection never happened. Also, as I mentioned above, Capture Client makes use of Capture ATP in order to find and eliminate malware that is waiting to execute.

Ultimately, by using the SonicWall Capture Cloud Platform, government agencies and offices around the world are protected against the onslaught of new malware, which is often designed to penetrate their systems. For more information on what we do, or to conduct a risk-free proof of concept in your environment, please contact us at sales@SonicWall.com or read this solution brief.


About Cybersecurity Awareness Month

The 15th annual National Cybersecurity Awareness Month (NCSAM) highlights user awareness among consumers, students/academia and business. NCSAM 2018 addresses specific challenges and identifies opportunities for behavioral change. It aims to remind everyone that protecting the internet is “Our Shared Responsibility.”

In addition, NCSAM 2018 will shine a spotlight on the critical need to build a strong, cyber secure workforce to help ensure families, communities, businesses and the country’s infrastructure are better protected through four key themes:

  • Oct. 1-5: Make Your Home a Haven for Online Safety
  • Oct. 8-12: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
  • Oct. 15-19: It’s Everyone’s Job to Ensure Online Safety at Work
  • Oct. 22-26: Safeguarding the Nation’s Critical Infrastructure

Learn more at StaySafeOnline.org.