Page 74 - Cyber Defense eMagazine - September 2017

How Much Really Gets Patched?

According to the 2017 Verizon Data Breach Investigations Report, within 30 days of finding a new vulnerability the average enterprise will have patched fewer than 40% of the systems affected. Within 100 days, the average only goes up to about 75%. Effectively, this leaves a huge window of exposure, with a significant long tail that may never get patched. And these figures don’t account for vulnerabilities that have not yet been discovered, or zero-day exploits that bypass security controls entirely.

These numbers also don’t reflect more complex environments with entangled dependencies between systems, where a patch to one system might cause significant ripples of disruption downstream. In the ICS industry, estimates of the average time to patch systems are around 120 days, although exact numbers are hard to find. These numbers are sobering for an industry that manages complex systems for critical infrastructure such as power plants – a growing target for cyberattacks.

Another disconnect is that most automated patching is focused on end-user devices, while business-critical servers often get left behind. As Gartner states, “organizations have had good success patching endpoints, but successfully patching servers and applications has been much more elusive.”
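The 30-day and 100-day figures above are only useful to a defender if the same metric can be computed against their own inventory, with still-unpatched systems kept in the denominator rather than quietly dropped. The following is an added example, not code from the article or from Verizon or Gartner; the asset records are constructed, and the field names and the endpoint/server tier split are assumptions chosen to mirror the Gartner point about servers lagging endpoints.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Asset:
    """One affected system for a single vulnerability (constructed record layout)."""
    name: str
    disclosed: date            # date the organisation learned of the vulnerability
    patched: Optional[date]    # None means still unpatched: the long tail
    tier: str                  # "endpoint" or "server" (assumed classification)


def coverage_at(assets: List[Asset], window_days: int) -> float:
    """Fraction of affected assets patched within window_days of disclosure.

    Unpatched assets are counted as not patched, so they stay in the
    denominator and pull the coverage figure down instead of vanishing.
    """
    if not assets:
        return 0.0
    patched_in_window = sum(
        1 for a in assets
        if a.patched is not None and (a.patched - a.disclosed).days <= window_days
    )
    return patched_in_window / len(assets)


def coverage_by_tier(assets: List[Asset], window_days: int) -> Dict[str, float]:
    """Same metric split by tier, to expose an endpoint/server gap."""
    buckets: Dict[str, List[Asset]] = {}
    for a in assets:
        buckets.setdefault(a.tier, []).append(a)
    return {tier: coverage_at(group, window_days) for tier, group in buckets.items()}


def long_tail(assets: List[Asset], as_of: date, threshold_days: int = 100) -> List[str]:
    """Names of assets still unpatched more than threshold_days after disclosure."""
    return [
        a.name for a in assets
        if a.patched is None and (as_of - a.disclosed).days > threshold_days
    ]


# Constructed inventory: ten systems affected by one vulnerability disclosed on 1 March 2017.
DISCLOSED = date(2017, 3, 1)
INVENTORY = [
    Asset("ep-01", DISCLOSED, date(2017, 3, 10), "endpoint"),
    Asset("ep-02", DISCLOSED, date(2017, 3, 15), "endpoint"),
    Asset("ep-03", DISCLOSED, date(2017, 3, 25), "endpoint"),
    Asset("ep-04", DISCLOSED, date(2017, 4, 20), "endpoint"),
    Asset("ep-05", DISCLOSED, date(2017, 5, 30), "endpoint"),
    Asset("srv-01", DISCLOSED, date(2017, 3, 28), "server"),
    Asset("srv-02", DISCLOSED, date(2017, 5, 15), "server"),
    Asset("srv-03", DISCLOSED, date(2017, 7, 1), "server"),
    Asset("srv-04", DISCLOSED, None, "server"),   # never patched
    Asset("srv-05", DISCLOSED, None, "server"),   # never patched
]


if __name__ == "__main__":
    for window in (30, 100):
        print(f"coverage at {window} days: {coverage_at(INVENTORY, window):.0%}",
              coverage_by_tier(INVENTORY, window))
    print("long tail as of 2017-09-01:", long_tail(INVENTORY, date(2017, 9, 1)))
```

Run against the constructed inventory the overall figures land close to the report's (40% at 30 days, 70% at 100 days), while the per-tier split shows the endpoints at 60% and the servers at 20% after 30 days, with two servers still in the long tail six months on. The design choice worth copying is that `patched=None` is a first-class state: a report that only counts systems with a patch date will always look healthier than the estate actually is.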

Who Wants to Rule the Iron Tail?

The Iron Tail may sound like a location in Game of Thrones, but it refers to a major challenge that many industries face: running a wide range of applications, connected to a long line of industrial controls that have been assembled over decades. The challenges of applying timely patches to this long iron tail of legacy apps can be daunting for a number of reasons:

• Many critical control systems require 100% uptime. Simply rebooting an app is problematic, especially if it’s connected to a nuclear power plant or electrical grid. Installing, validating, and testing system updates for unpredictable periods of time can be a non-starter.
• Security for older systems often depended on an “air gap” from the outside world. While security-by-isolation was easy in the 70’s, it’s less practical now. Today’s air-gapped systems can’t be automatically patched or receive virus signature updates, and even the most isolated system is usually only a desktop away from a connected, and potentially malicious, insider.
• Older apps often run on operating systems that are out-of-date or no longer get patched. Many critical functions are run on platforms that may be 20 to 30 years old, and basic compatibility between modern 64-bit systems and older 32- or 16-bit applications can be very problematic.
• Legacy apps often were created by staff no longer there, using tools no longer supported. “If it ain’t broke,” there is a strong incentive not to touch older purpose-built applications. Just keep your fingers crossed and hope for the best…
