Updates, updates – hares and tortoises in the software vulnerability race

To penetrate a target organisation’s IT systems hackers often make use of vulnerabilities in application and/or infrastructure software. Quocirca research published in 2015 (sponsored by Trend Micro) shows that scanning for software vulnerabilities is a high priority for European organisations in the on-going battle against cybercrime.

Scanning is just one way of identifying vulnerabilities and is of particular importance for software developed in-house. For off-the-shelf software, news of newly discovered vulnerabilities often comes via the suppliers of commercial packages or, in the case of open source software, from some part of the community. This also applies to components embedded in in-house developed software, such as the high profile Heartbleed vulnerability that was identified in OpenSSL in 2014.

Software flaws come to the attention of vendors in three main ways. First, an organisation using the software may discover a problem and report it, perhaps having had the misfortune to be an early victim of an exploited vulnerability (when this turns out to be the very first use of an exploit it is termed a zero-day attack). Second, a flaw may be reported by a bug bounty hunter or third, a vendor may find a flaw itself. Regardless of who discovers a vulnerability, users need to be made aware and once the news is out there, a race is on.

Software vendors need to provide a patch as soon as possible and will aim to keep publicity to a minimum in the interim whilst the fix is prepared. Meanwhile, any sniff of a vulnerability and hackers will work at hare-speed to see if it can be exploited, either for their own ends or to sell on as an exploit kit on the dark web. All too often the tortoises in this race are end user organisations that are too slow to become aware of flaws and apply patches, thus extending the window of opportunity for hackers.

In principle this should not be the case. Most reputable software vendors have well-oiled routines for getting software updates to their customers, for example Microsoft’s Patch Tuesday. However, the reality is not that simple.

For a start, applying updates is disruptive. In an age where 24-hour, 7-day application availability is required, taking applications down for maintenance can be unacceptable to businesses. Also, as more organisations move to dynamic DevOps-style application development and deployment, software is fast changing and keeping tabs on all applications and components can be tricky. Software patching methods have had to adapt accordingly.

Then there is the problem of legacy software. Older applications are increasingly being targeted by hackers because the patching regimes are lax. This applies both to software from vendors that have disappeared through long forgotten acquisitions or have gone out of business. All too often their software still sits at the core of business processes. It also applies to old versions of software from vendors that have made it clear that said software is no longer supported and will not be updated. For example, many of Microsoft’s older server and desktop operating systems remain in use despite repeated prompts to move to more recent versions; the upgrade proving to be too expensive or complicated.

There are many ways to mitigate all these problems. However, wherever possible the primary way should be to keep software up to date; as one chief information security officer (CISO) put it to Quocirca recently, ‘vulnerability management is the cornerstone of our IT security’. That responsibility can be sourced either through the use of managed security service providers (MSSP) or through the use of cloud services that are responsible for keeping their own software up to date.

There will be advice from CISOs from some leading organisations in the frontline in the fight against cybercrime at Infosec Europe this year. These include Network Rail, The National Trust and Live Nation’s Ticketmaster; all are highly dependent on their online infrastructure and see keeping their software up to date as critical. Quocirca will be chairing the panel at 16:30 on June 7th; more detail can be found at the following link Updates, Updates, Updates! Getting the Basics Right for Resilient Security.