Neglecting Vulnerabilities in Patch Management: A Perilous Decision Companies Take at Their Own Peril

Neglecting Vulnerabilities in Patch Management: A Perilous Decision Companies Take at Their Own Peril

In the ever-evolving digital landscape, organizations face a constant barrage of cyber threats. One such threat is the exploitation of software vulnerabilities, as seen in the recent utilization of the Log4Shell vulnerability by various malicious actors.

Ransomware gang CL0P has been using the MoveIT vulnerabilities to breach thousands of organizations, sparking speculation that they may have lost control of the hack due to its sheer size. Meanwhile, the Log4Shell vulnerability, discovered two years ago, continues to pose a threat to nearly 4,000 organizations, according to Veracode analysis in December.

The flaw in Log4J is attractive to attackers partly due to how easily it can be exploited. State-backed groups linked to Log4Shell exploits include China-based APT41 and Iranian state-backed hackers. The vulnerability has been used by ransomware operators, cryptocurrency miners, and nation-state adversaries.

To combat these threats, organizations can effectively manage software vulnerabilities and minimize the risk of successful attacks by implementing a comprehensive vulnerability management program. Here are eight key steps to follow:

1. Regular and Automated Scanning: Continuously and automatically scan IT assets using agent-based or network-based tools integrated with up-to-date vulnerability databases. Schedule scans regularly and conduct real-time scans for critical assets to detect vulnerabilities promptly.
2. Risk Prioritization: Classify vulnerabilities by severity levels using standard scores like CVSS, exploit prevalence data, asset criticality, and business impact. This helps focus remediation efforts on vulnerabilities that pose the greatest threat or are actively exploited, avoiding wastage of resources on low-risk issues.
3. Patch Management Integration: Link vulnerability scanning tools with automated patch management systems to ensure timely deployment of fixes. Patches should be tested for compatibility and security in development or QA environments before production rollout to avoid disruptions.
4. Exception Handling and Temporary Mitigations: For vulnerabilities that cannot be patched immediately, document exceptions and implement temporary controls such as firewall rules, network segmentation, or configuration changes to reduce exposure. Track these until a permanent fix is possible.
5. Verification and Continuous Monitoring: Rescan systems after remediation to confirm vulnerabilities are fixed and generate reports on progress and outstanding high-risk issues. Maintain continuous monitoring for new vulnerabilities and modification in the threat landscape to react quickly.
6. Incident Response Planning: Despite proactive measures, some vulnerabilities may be exploited before patches are applied. Have a robust incident response plan to contain breaches, investigate causes, remediate damage, and leverage threat intelligence to prevent recurrence.
7. Employee Training and Awareness: Train staff regularly on cybersecurity best practices such as phishing awareness, password hygiene, and safe browsing, reducing the likelihood of successful social engineering or exploitation of vulnerabilities.
8. Compliance and Auditing: Align vulnerability management efforts with relevant compliance frameworks by conducting internal audits and reporting to meet regulatory requirements, which also supports continuous program improvement.

By integrating these practices into a structured workflow—identifying assets, scanning, prioritizing risks, patching, mitigating, verifying, and monitoring—organizations can efficiently reduce vulnerability exposure, prioritize the most critical fixes, and apply them timely to minimize the risk of cyberattacks.

It's crucial to remember that the number of vulnerabilities being discovered and fixed is growing annually, making it a constant challenge for firms to keep their patch management in line with security announcements from vendors. Experts advise a pragmatic approach focused on the most-exploited vulnerabilities, such as those in CISA's Known Exploited Vulnerabilities Catalog and vulnerabilities with publicly available exploits.

Moreover, many small enterprises, especially in the manufacturing sector, are using unsupported technology running on legacy hardware and software, and outdated operating systems. Ross Higgins suggests setting up patching alerts from solution vendors to monitor the rollout of patches to an organization's systems. John Allison suggests patching before deploying new code into production to reduce the number of vulnerabilities in production.

Grillo advises ensuring asset management is in place with a clear understanding of assets and their vulnerabilities, including applications and their dependencies. He recommends implementing a strategy and plan for patch management, often setting a monthly routine to match updates from key vendors. Grillo also suggests using vulnerability scanning tools that include links to sources that continually update known vulnerabilities, such as CISA's KEV, National Vulnerability Database, Vulnerability Database (VULDB), and CVE Details. Prioritization and testing are crucial, ensuring critical assets are patched first and the fixes are tested to ensure they will not cause issues in production.

In conclusion, a robust vulnerability management program is essential for organizations to protect themselves against cyber threats. By following these key steps and staying vigilant, businesses can significantly reduce their risk of falling victim to cyberattacks.

1. The cybersecurity industry is witnessing a steady growth of discovered and fixed vulnerabilities each year, posing a challenge for firms to keep their patch management in sync with security announcements from vendors.
2. In light of the Log4Shell vulnerability that continues to threaten nearly 4,000 organizations, companies should implement a comprehensive vulnerability management program, prioritizing patches for the most-exploited vulnerabilities listed in the CISA's Known Exploited Vulnerabilities Catalog.
3. To protect personal-finance data and assets from cyber threats, businesses must focus on data-and-cloud-computing technology and employ best practices such as regular and automated scanning, risk prioritization, patch management integration, incident response planning, employee training, and compliance auditing.

Read also: