How Long Does It Take to Implement a Patch?
Recent breaches of the IT infrastructure of many types of organisation have raised serious questions about whether boards of directors and senior management are asking the right questions about the actions their organisations are taking to protect themselves from cyber threats.
Are boards probing to discover what they don’t know?
Equifax announced a massive breach exposing the personal information of over 40 percent of the U.S. population. The company’s stock declined almost 14 percent after the announcement, and heads rolled over the ensuing three weeks — first the CIO and CISO and then the CEO. The pervasive headline effect of this incident has been as persistent as any in memory. Everyone concerned about cyberthreats is talking about it. Equifax is not just another organisation that was breached. It was named one of Forbes’ “World’s 100 Most Innovative Companies” from 2015 to 2017. So, what happened?
On July 29, 2017, the company’s security team noted suspicious network traffic associated with its U.S. online dispute portal web application. In response, the team investigated and blocked the suspicious traffic. Upon observing additional suspicious activity the following day, the company took the affected web application offline. An internal review discovered a vulnerability in the open source web application framework at the point of attack, a vulnerability previously identified and disclosed by US-CERT (a cybersecurity arm of the U.S. Department of Homeland Security) in early March 2017. Based on the company’s investigation, it is believed that the unauthorised access to certain files containing personal information — names, Social Security numbers, birthdates, addresses and some driver’s license numbers — occurred from May 13 through July 30; therefore, the security flaw had been identified a full two months before hackers exploited it to gain access to sensitive data. The company has since patched the affected web application and brought it back online.
This incident raises a question as to why the company didn’t apply the appropriate patch to its systems when the vulnerability was first identified. To be fair, other companies have suffered a cyber event because they failed to implement a patch in a timely manner, and we have no insights into the unique circumstances at Equifax. But, for boards and executive teams everywhere, this episode serves as a stark reminder of the importance of understanding the company’s cybersecurity strategy and tactics to pinpoint whether they know what they need to know.
There are many important aspects regarding cybersecurity — identifying the “crown jewels” and business outcomes management seeks to avoid, understanding the ever-changing threat landscape and having in place an effective incident response program, to name a few. But this discussion is more specifically about the system vulnerabilities we already know about. That is the elephant in the room: who is knowledgeable about these issues, how they are identified and monitored, and how they are handled? Finally, who is responsible for ensuring that patches are applied and verified as having been implemented?
The sage advice — if your flank is exposed, fortify it before you get overrun — seems to apply here. Even non-combatants understand the value of protecting exposed flanks in desperate battle. A known vulnerability is most certainly an exposed flank, particularly when sensitive data is involved.
A patch is a software update installed into an existing program to fix new security vulnerabilities and bugs, address software stability issues, or add a new feature to improve usability or performance. Often a temporary fix, a patch is essentially a quick repair. While it’s not necessarily the best solution to address the problem, it gets the job done until product developers design a better solution for a subsequent product release.
Admittedly, patching software at a large business with multiple, complex systems takes time. Once a vulnerability is identified, the patch must be developed and tested to ensure it doesn’t cause problems before it goes live. However, many believe that Equifax should have moved faster, regardless of the difficulty of the patch — particularly for an entity with a significant amount of sensitive data and an implied brand promise that it can be trusted with that data.
We have seen some high-risk patches not applied at all for fear of breaking legacy applications; in effect, the organisation accepts the risk of not applying these patches and, as an alternative, works to mitigate it. Based on our experience, 30 days from release to deployment is typically the “gold standard” for implementing a patch.
Companies are essentially leaving themselves exposed for 30 days. Meanwhile, they may lack the capabilities to detect unauthorised activity occurring during that time.
The adage of “it’s not a matter of if a cyber risk event might occur, but more a matter of when” doesn’t fit the realities of this era of constant attacks. For the majority of companies, cyber risk events have already taken place and continue to take place. Yet many companies lack the advanced detection and response capabilities they need. The proliferation of data privacy regulations around the globe and the sticky headline effect of significant data breaches are leading directors and executives alike to recognise the need for “cyber resiliency.”
Organisations with a well-designed vulnerability management program quickly patch known vulnerabilities for critical public-facing services. For example, we see companies setting service level agreement targets of 72 hours, with some striving for 24 hours or less to limit the damage of an attack. Simply stated, executives and boards need to inquire as to the target duration from release to deployment to shore up cybersecurity vulnerabilities and, if it’s 30 days (or more), question whether that is timely enough, especially when public-facing systems are involved and sensitive personal information is exposed. Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image cry out for careful oversight.
It is vitally important to scan public-facing systems immediately upon notification of critical vulnerabilities; “same day” should be the target. In addition, patch deployment should be tracked and verified as part of a comprehensive IT governance process. It’s not enough to merely push out a patch. A comprehensive IT governance process should confirm that the risk truly has been mitigated on a timely basis.
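The article's targets (72 hours for critical public-facing services, 30 days as the common "gold standard") and its point that a patch is only closed once verified by a rescan can be turned into a board-level metric. The following is an added example, not code from the article; the tier names, record fields and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Target from advisory receipt to *verified* deployment, per tier. The 72-hour
# target for critical public-facing services and the 30-day figure for the
# rest are the durations the article discusses; the tier names are assumed.
SLA = {"public-facing-critical": timedelta(hours=72), "internal": timedelta(days=30)}

@dataclass
class PatchRecord:
    asset: str
    tier: str                     # key into SLA
    notified: datetime            # when the vendor/CERT advisory was received
    deployed: Optional[datetime]  # when the patch was pushed, if at all
    verified: Optional[datetime]  # when a rescan confirmed the fix, if at all

def evaluate(rec: PatchRecord, now: datetime) -> dict:
    """Classify one record: a patch counts as closed only once verified,
    so a pushed-but-unverified patch keeps accruing exposure time."""
    target = SLA[rec.tier]
    elapsed = (rec.verified or now) - rec.notified
    if rec.verified is None:
        status = "unverified" if rec.deployed else "unpatched"
    else:
        status = "met" if elapsed <= target else "missed"
    return {"asset": rec.asset, "status": status,
            "exposure_hours": round(elapsed.total_seconds() / 3600, 1),
            "over_sla": elapsed > target}

def sla_report(records, now: datetime) -> dict:
    """Board-level view: share of closed items inside SLA, plus open items already past it."""
    rows = [evaluate(r, now) for r in records]
    closed = [r for r in rows if r["status"] in ("met", "missed")]
    met = sum(r["status"] == "met" for r in closed)
    return {"closed_in_sla_pct": round(100 * met / len(closed), 1) if closed else None,
            "overdue_open": [r["asset"] for r in rows
                             if r["status"] in ("unverified", "unpatched") and r["over_sla"]],
            "rows": rows}

# Constructed sample inventory (dates and asset names are made up).
T0 = datetime(2017, 3, 7)
SAMPLE = [
    PatchRecord("dispute-portal", "public-facing-critical", T0, T0 + timedelta(days=1), T0 + timedelta(days=2)),
    PatchRecord("partner-api", "public-facing-critical", T0, T0 + timedelta(days=5), None),
    PatchRecord("hr-intranet", "internal", T0, T0 + timedelta(days=20), T0 + timedelta(days=22)),
    PatchRecord("legacy-batch", "internal", T0, None, None),
]
```

Run `sla_report(SAMPLE, now)` on a real inventory export to see which assets have been pushed but never verified; those are the ones a "patch deployed" checkbox hides.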
Directors and executives should also be concerned with how long significant breaches persist before they are finally detected. Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Given the increasing sophistication of perpetrators, simulations of likely attack activity should be performed periodically to ensure that defences can detect a breach and security teams can respond in a timely manner.
Questions for Boards
The board of directors may want to consider the following questions in the context of the nature of the entity’s risks inherent in its operations:
- Do directors understand the company’s vulnerability management? For example, is the board satisfied with the elapsed time:
  - For patching identified system vulnerabilities?
  - Between the initiation of an attack and its ultimate discovery?
  - Between the discovery of a security breach and the initiation of the response plan to reduce its proliferation and impact?
  - Between the discovery of a significant breach and the undertaking of the required disclosures to the public, regulators and law enforcement in accordance with applicable laws and regulations?
- Does the board include cyber as a core organisational risk requiring appropriate updates in board meetings? Is the board satisfied that the company’s strategies for reducing the risk of security incidents to an acceptable level are proportionate and targeted to the most important information assets and business outcomes? Does the board receive key metrics or reporting that present the current state of the security program in an objective manner?
- Does the board focus on the adequacy of the company’s playbook outlining the actions in place to respond, recover and resume normal business operations after an incident has occurred, including responses to customers and employees to minimise reputation damage that could occur in a breach’s wake?
We know that an organisation’s preparedness to reduce an incident’s impact and proliferation after it begins is an issue (i.e., the elapsed time between the initiation of an attack and its detection is too long). Often, it takes over 100 days until suspicious activity is discovered; about 50 percent of the time, organisations learn of breaches through a third party. Many businesses seem to think that outsourcing to a managed security service provider (MSSP) solves the problem — as if a box has been checked. However, we see time and again that this is not the case. Often, breakdowns in processes and coordination between the company and the MSSP result in unnoticed attack activity. Not many organisations are focusing enough on this failure of detective controls to identify breach activity in a timely manner.
Once an incident is discovered, the organisation must be prepared to respond immediately. A carefully considered response plan should be in place and tested periodically to ensure responses are appropriate and response time is sufficient. The plan should ensure that all parties understand their specific roles and cover public notification of a breach and related disclosures. In notifying the public, care should be taken to avoid compounding the problem. For example, a site set up to inform the public of their rights and actions they can take to protect themselves should itself be secure and sitting on the company’s official domain to avoid looking like a phishing site and causing additional confusion.
These two fronts inform the board’s cyber risk oversight:
- how long it takes to implement a patch, and
- how long it takes to detect a breach.
Every organisation should take a fresh look at the impact specific cyber events can have and whether management’s response plan is properly oriented and sufficiently supported. This review includes an assessment of internal processes and capabilities to determine whether proactive steps should be taken to make necessary improvements — both near term and long term. As organisations revamp their legacy infrastructure to take advantage of cloud services and newer architectures, it should become easier to remediate vulnerabilities on a timely basis. In the meantime, companies need to be vigilant in protecting their flanks by acting on known systems vulnerabilities and detecting breaches in a timely manner.