Patch All The Things

In this post, I'll argue the case for ensuring that as much as is physically possible, systems and underlying platforms and infrastructure are kept as up to date as possible.

We hear a lot about high profile data breaches being the result of "sophisticated attacks", somehow carried out by determined, talented hackers with capabilities that most nation states would literally kill for. The reality is quite different.

Large organisations making statements like that above, for me, are simply making a wafer thin effort to divert attention away from the fact that their own security posture is less than ideal.

Here are some examples:

TalkTalk

In October 2015, TalkTalk, a UK-based communications provider, suffered a significant data breach, resulting in the loss of roughly 160,000 customer records containing personal data (names, addresses, dates of birth, email addresses etc.). To compound the problem, around 16,000 bank account details were also stolen. I won't go into what could be done with this data, as most people reading this post will get that.

TalkTalk was subsequently fined £400K by the UK's Information Commissioner, but its overall financial and reputational losses went much further.

The reason that attackers were able to access this data was down to the fact that web applications operated by Tiscali (who TalkTalk had acquired) were running out of date software. The attacker simply scanned these applications for vulnerabilities, discovered some and then exploited them using SQL injection.

TalkTalk defended itself, claiming not to have known about the vulnerabilities in question, but that kind of missed the point. Large organisations (or any organisations!) that are processing personal data have an obligation (both legally and morally) to proactively and regularly assess their business systems to ensure that they are not vulnerable to exploit, or fix them if they are.

In this case, TalkTalk didn't assess their systems, didn't patch them and consequently had a bunch of data stolen. It hurt them badly. If the GDPR had been in force when the breach occurred, the fine meted out by the ICO could well have been far higher than £400K: up to £72M, based on their annual global revenue in 2015.

TalkTalk had received several warnings on the back of prior attacks that year, but did little to prevent the one that really hit the news.

The bottom line is that TalkTalk had a responsibility to secure its systems, it didn't and paid heavily for it as a result. Had it patched these vulnerable systems, then this would never have been a story.

Oh, and the attacker? A 16 year old boy from Northern Ireland. The attack was far from "sophisticated".

Equifax

In September 2017, Equifax finally revealed that it had been the victim of a significant data breach, where the personal records of some 145 million US individuals had been stolen, along with roughly 400 thousand UK and 8000 Canadian folks.

This of course was monster news globally. Aside from the dreadful manner in which Equifax conducted itself post-breach (that's been well documented elsewhere), the key reason why this attack was so effective was that the systems the firm used were running on an out of date underlying platform, in this case Apache Struts.

The Apache Struts vulnerabilities that the company fell foul of were known and patches had been available for a considerable length of time. Equifax just didn't apply them.

On the back of this breach, there was plenty of debate (some heated) about who was to blame. Heads rolled, people (wrongly) questioned the credentials of chief officers and weighed in heavily to make the case that patching is hard. I'll come on to this shortly.

The bottom line here was that a globally recognised organisation had lost a tonne of personal data, handled the problem appallingly and above all else failed to prevent it from happening in the first place.

It was preventable: similarly to TalkTalk, Equifax had suffered a number of breaches earlier in the same year, yet had apparently done little or nothing to mitigate future ones.

There has been plenty of speculation as to who was behind the attack on Equifax, but to date no culprit has been confirmed. Personally, I think it's of little consequence, as again, blaming specific threat groups is often used by firms to divert attention from the main issue, i.e. the attack would have failed had they carried out the diligence they're responsible for.

Patching is hard

Many a worthy pursuit is not without its challenges. Keeping software and platforms up to date is as worthy as any, especially if your pursuit is protecting people's identities and safeguarding their interests generally.

Patching is hard and I get that, but that shouldn't undermine its importance or justify neglecting it. It's not an excuse.

If web application developers or system operators are not patching because it's too hard, then there's a serious schism or basic communication failure between those guys and the people who have to go on the news to explain how and why the personal data has all gone. Just before they empty their desks and 'retire'.

If patching isn't done because it's too hard, then the consequences of not patching simply aren't getting enough airplay in the board room. If they are and still nothing gets done, then firms deserve everything they get, because they've got the wrong people in the board room.

Conclusion

Assessing the risk comes first, covering the likelihood, severity and potential consequences. If the consequences even vaguely look like massive fines, reputational devastation, company closure or even criminal proceedings, then the board is in dereliction of its duty if it does not direct its technical people to patch all the things.
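As an added illustration of that risk-first approach (my own example, not code from the original post), the script below takes a constructed component inventory, flags anything still below the version that fixed a known flaw, works out how long the fix has been available while the system ran without it, and scores each finding on likelihood (internet-facing, fix public for over 90 days) and severity (personal data at stake). The systems, versions and dates are all made up for the demonstration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (not real systems): one deployed component per line.
# system, component, installed_version, fixed_version, fix_release_date, internet_facing, personal_data
INVENTORY = """\
customer-portal,web-framework,2.3.1,2.3.4,2017-03-07,yes,yes
billing-api,db-driver,5.1.0,5.1.2,2017-06-20,no,yes
intranet-wiki,cms,4.8,4.9,2017-09-01,no,no
legacy-shop,web-framework,2.3.4,2.3.4,2017-03-07,yes,yes
"""
ASSESSMENT_DATE = date(2017, 9, 8)  # constructed "today" so the report is reproducible

@dataclass
class Finding:
    system: str
    component: str
    installed: str
    fixed: str
    days_exposed: int   # days a fix has been public while this system ran without it
    likelihood: int     # 1 (low) to 3 (high)
    severity: int       # 1 (low) to 3 (high)
    risk: int           # likelihood * severity, 1 to 9

def parse_version(v: str) -> tuple:
    """Dotted numeric versions only; compare as tuples so 2.3.10 > 2.3.4."""
    return tuple(int(part) for part in v.split("."))

def assess(inventory: str = INVENTORY, today: date = ASSESSMENT_DATE) -> list:
    """Return the unpatched components, ordered by risk (highest first)."""
    findings = []
    for line in inventory.strip().splitlines():
        system, comp, installed, fixed, released, facing, pii = line.split(",")
        if parse_version(installed) >= parse_version(fixed):
            continue  # already at or beyond the fixed version
        days = (today - date.fromisoformat(released)).days
        # Likelihood rises if the system is reachable from the internet and the
        # fix (and therefore the flaw) has been public for more than 90 days.
        likelihood = 1 + int(facing == "yes") + int(days > 90)
        # Severity: loss of personal data is what drives regulatory fines and
        # reputational damage, so it dominates the score.
        severity = 3 if pii == "yes" else 1
        findings.append(Finding(system, comp, installed, fixed, days,
                                likelihood, severity, likelihood * severity))
    return sorted(findings, key=lambda f: (-f.risk, -f.days_exposed))

if __name__ == "__main__":
    for f in assess():
        print(f"risk={f.risk} {f.system}: {f.component} {f.installed} -> {f.fixed} "
              f"({f.days_exposed} days since fix)")
```

The ordered output is the list to put in front of the board: the top entry is an internet-facing system holding personal data that has run six months past a public fix.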

If the signal examples of what happened to both TalkTalk and Equifax (and the rest!) don't serve to open eyes and ears at C-level in most firms, then nothing will. Couple this with the potential monetary penalties looming once the GDPR kicks in and complacent organisations will no longer have a leg to stand on, claiming "we didn't know about it" or that "patching is hard".

Patching might be hard, however life after a breach as a result of not patching could be harder than many can survive.

Thanks for reading.