In the aftermath of one of the largest and most highly publicized data breaches to date, in which Equifax exposed the personal data of 143 million people, the company confirmed that attackers gained access to its systems through a known web-application vulnerability for which a patch had been available for at least 2 months.
The Apache Struts web-application vulnerability was disclosed in March, along with instructions for patching exposed systems, giving Equifax more than ample time to update its systems before the attackers came knocking.
This massive breach should give every organization more than enough reason to ensure its teams are patching vulnerabilities as soon as possible and securing all systems. Technology and hacking techniques are constantly changing, and even what appears to be the most secure software may eventually have a vulnerability discovered. Security patches are the vendor's fix for newly identified vulnerabilities, and applying them promptly protects your systems on an ongoing basis.
Unfortunately, as we saw with Equifax, many organizations don’t update their software and applications as often as they should. They might not be aware of the updates, they might believe it will take too much time, they fail to make it a priority, or they may be using outdated equipment that is unable to support new updates. However, none of these are acceptable excuses, and your organization cannot afford to ignore application updates.
Requirement 6.1 of the PCI DSS states that organizations must deploy critical patches within one month of release to maintain compliance; lower-rated patches can be applied within 2-3 months. Regardless of the patch rating, it is always better to apply patches as soon as possible.
As an organization, you should define clear processes for monitoring and implementing patches for databases, operating systems, web browsers, firewalls, application software, and terminals. How are you being notified of new updates and patches? Are systems set to automatically check for and apply updates? Do you receive e-mail updates from software vendors? Are you monitoring industry sources, RSS feeds, newsgroups, etc. for security vulnerability information? Automating patch management as much as possible will help make this task more achievable.
When you do become aware of a new update or patch, analyze your systems to determine whether the update applies to your organization. Decide on your plan for installing the patch and test it before you roll it out organization-wide, so you can confirm that all other systems still perform properly once the patch is installed. This is where standardized IT configurations help: you can test a sample of devices and assume the rest of the devices with that same configuration will behave the same way. Log all patches and system updates.
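The process above calls for knowing which patches have been applied and whether they landed inside the PCI DSS 6.1 windows the post cites (one month for critical patches, 2-3 months for lower-rated ones). The following tracker is an added example, not code from the original post; the day counts (30 for "one month", 90 as the outer bound for lower-rated patches), the host names, patch ids and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed day counts for the PCI DSS 6.1 windows described in the post:
# critical patches within one month, lower-rated within 2-3 months (outer bound).
CRITICAL_WINDOW_DAYS = 30
OTHER_WINDOW_DAYS = 90


@dataclass
class PatchRecord:
    host: str
    patch_id: str            # vendor's patch/advisory identifier (placeholder values below)
    rating: str              # vendor severity rating, e.g. "critical", "medium"
    released: date           # date the vendor released the patch
    applied: Optional[date] = None   # None means the patch is not yet installed


def deadline(rec: PatchRecord) -> date:
    """Latest acceptable install date under the assumed PCI DSS 6.1 windows."""
    days = CRITICAL_WINDOW_DAYS if rec.rating.lower() == "critical" else OTHER_WINDOW_DAYS
    return rec.released + timedelta(days=days)


def status(rec: PatchRecord, today: date) -> str:
    """Classify a patch record as pending, overdue, on_time or late."""
    due = deadline(rec)
    if rec.applied is None:
        return "overdue" if today > due else "pending"
    return "on_time" if rec.applied <= due else "late"


def report(records: List[PatchRecord], today: date) -> Dict[str, List[str]]:
    """Group host:patch pairs by status so overdue items stand out in a review."""
    grouped: Dict[str, List[str]] = {}
    for rec in records:
        grouped.setdefault(status(rec, today), []).append(f"{rec.host}:{rec.patch_id}")
    return grouped


# Constructed sample inventory; the ids and dates are illustrative, not real advisories.
TODAY = date(2017, 9, 15)
SAMPLE = [
    PatchRecord("web-01", "PATCH-A", "critical", date(2017, 3, 10)),                  # never applied
    PatchRecord("db-02", "PATCH-B", "critical", date(2017, 8, 20), date(2017, 9, 10)),
    PatchRecord("db-03", "PATCH-C", "low", date(2017, 6, 1), date(2017, 9, 1)),
    PatchRecord("app-04", "PATCH-D", "medium", date(2017, 9, 1)),
]

if __name__ == "__main__":
    for state, items in sorted(report(SAMPLE, TODAY).items()):
        print(f"{state:8} {', '.join(items)}")
```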
By implementing a defined process for patch management, your organization should be able to protect its systems from known vulnerabilities and avoid an embarrassing misstep like Equifax's. Your vulnerability management program should also include regular vulnerability scanning and penetration testing to uncover any security holes that remain to be identified and remediated. Please contact us if you have questions about your vulnerability management program.
Some additional guidance from our Security Advisor team below:
[Wheeler]: The harsh reality is that as security professionals, we are playing whack-a-mole with vulnerabilities. New vulnerabilities are discovered, sometimes exploits are developed and released publicly very quickly, vendors release patches or updates, we apply them, then the cycle starts over. Although the PCI DSS allows for 30 days to patch critical vulnerabilities after the patch is released, in the real world, that is not quick enough. Attackers are ready to pounce immediately after (and sometimes before) a vulnerability is publicly disclosed. We need to patch AS SOON AS POSSIBLE. Don’t wait; test and apply.