I visited the annual Infosecurity Europe event last week along with some of my colleagues from OWA. As we have visited the event for several years now, it is interesting to see what the current and emerging topics are and what we can learn and build into the development, hosting and support services we offer to our clients.
If you do nothing else – patch regularly and quickly
Since their launch last year I have been generally impressed by the information which the UK Government-backed National Cyber Security Centre (NCSC) have produced. One of the talks we attended included Paul Chichester, who is the Director of Operations at the NCSC.
During the discussion we were reminded that the majority of threats which currently put our Web Applications and systems at risk have already been patched. The simple fact is that those involved in managing systems are not always on the ball when it comes to applying patches, which can leave systems wide open to exploitation. In fact some recent hacks have exploited vulnerabilities which were patched several years ago.
One of the other audience members raised the point that ‘Patching is hard’ and asked whether the NCSC is putting pressure on vendors to make the process easier. Patching is not an exciting part of most people’s jobs, but it has to be done properly and in a controlled way. It is also important to strike a balance between ensuring that a patch is stable (and isn’t going to break anything) and the risk of being compromised by the vulnerability.
How do I know when patches are available?
Unfortunately, there is no single source of information to find out what patches are available for hardware, operating systems, middleware and other associated components. The larger hardware and operating system providers such as Microsoft and Apple are generally good at alerting users when updates are available. Similarly, if you are using any middleware components, it is normally possible to subscribe to receive notifications of updates. Some of the harder items to keep patched can be the most vulnerable though.
The NCSC have recently published an advisory concerning Russian attackers targeting network infrastructure devices. These devices are typically exposed directly to the Internet, so any vulnerabilities can be easy to exploit. These devices can also be some of the harder ones to patch. It is important first to find the correct source of patches, and then to ensure that you are getting the correct patch for the version of hardware you have. A lot of manufacturers do not make this process easy either. Even once you have downloaded the correct update, applying it to the device is generally a clunky affair which involves extracting a file and uploading it via a web interface or sometimes a Telnet connection to the device.
It is easy to understand why users put off applying patches; however, if you do, then these days you will almost certainly suffer some form of breach or hack.
Magic box solutions
I’ll start by saying that there is no such thing (yet) as a device you can install which will protect all of your systems and applications from hackers – however, wandering round the Exhibition Hall at Infosec, you could be led to believe that there is. Don’t get me wrong, there are some devices which I regard as being essential in keeping hackers at bay, but I think that some vendors oversell their solutions, which can leave some of their customers vulnerable.
I regard having a correctly provisioned firewall device as an essential item for any network whether that be a home or workplace. It is however important to have the device managed correctly, either by a knowledgeable member of your team, or outsourced to an organisation who understands the complexity of managing it. This is definitely an item you want to keep up to date and patched regularly as it is very much your first line of defence. That is probably why the Russians are currently targeting such devices.
Security protection as a service
If you are not able to confidently keep your systems and applications fully patched then you may want to consider outsourcing the responsibility to an organisation who can.
At OWA we develop, host and support applications and apps for our clients. We take responsibility for ensuring that our hardware platforms are patched and, as part of our Monthly Security Protection service, we ensure that all vendor patches are applied once we are confident that they are stable. We also include the management of zero-day exploits and ensure that these vulnerabilities are patched as soon as a fix is available.
Make patching an essential business task
Whether you decide to manage the patching of your systems and applications yourself or decide to outsource it, I can’t stress enough how important it is to make it an essential part of protecting your organisation. Hackers use bots to continually search for systems and applications which are vulnerable, and many exploits are now carried out automatically. The image of the hacker wearing their hoody whilst navigating their way into systems is very outdated. The threat is now constant and we must all do what we need to do to protect ourselves – even if it is hard.