Cyber Defense, October 10, 2017; Willy Leichter contributes article to eMagazine
While Patching Is the Best-Practices Approach, Some Organizations Have Complex Reasons for Delaying
In our new reality of a new hack every week, if not every day, it’s easy to want to find someone to blame. An easy place to point a finger is those companies who haven’t implemented the latest patch that surely would have prevented the theft of millions, if not billions, of user records. It is sometimes true that companies neglect to implement patches out of negligence or lack of due diligence. But often, it’s a much more complex – and perhaps understandable – set of reasons behind an intentional decision to bypass available security patches.
Applying patches is arguably the right, best-practices approach to take. But for some organizations using older equipment, especially in industries where downtime is untenable, such as transportation or healthcare, such a labor-intensive and disruptive process is not a welcome or even possible choice, especially given how frequently and repeatedly patches are released.
For instance, the WannaCry attack took advantage of the Windows SMBv1 vulnerability that affected millions of Windows XP systems. These “retired” systems are still being used to run millions of mission-critical applications every day, but their legacy status makes patching a difficult, potentially expensive and operations-impacting process. So some companies weighing the decision opt to take their chances on avoiding a breach rather than face the known issues involved with patching.
It’s a calculated risk and, for some, an ill-fated decision in hindsight if they’ve already been hacked by WannaCry or other similar ransomware exploits, or if they will be in the near future. The problem is certainly not going away, especially considering that skipping patches isn’t the only threat. Zero-day exploits are a threat to every organization and all systems at all times.
So what can organizations do to protect themselves? Surely there’s a better way, especially given that our stats in winning this war against hacks have been pretty dismal in recent months. In his Cyber Defense eMagazine article “Patching the Iron Tail Is Easier Said than Done,” Willy Leichter, vice president of marketing for Virsec Systems, a San Jose cybersecurity firm, provides insights and answers for companies facing this significant dilemma.