In the previous part of this three-part series, we explained how organisations are increasingly exposed to financial and reputational risk through unpatched vulnerabilities. The bad news is that these flaws are being found and exploited on an ever-growing scale, thanks to the work of legitimate researchers on the one hand and cybercrime groups and nation state actors on the other. Fail to manage this risk effectively and your organisation may suffer a major data breach and/or ransomware-related outage.
If nothing else, the past year has shown us that the traditional network perimeter as we knew it is now gone. Today’s organisations run a complex blend of remote working endpoints, cloud applications and servers alongside their traditional on-premises assets. This inevitably creates new security and compliance challenges, because all the operating systems and software that run on these endpoints need continual patching against new malware exploits. Fail in this, and CISOs run the risk of a potentially serious security incident that could lead to widespread disruption and financial and reputational damage.
The problem is that patching is not as easy as it sounds. This is where virtual patching can help.
Cyber-criminals are always on the lookout for weaknesses in corporate IT systems. Whether these are manifest in human credulity or technical deficiencies, hackers have become past masters at exploiting any chinks in the armour. In this context, the retirement of major software and operating system versions represents a huge opportunity for the ever-agile black hat community. IT security teams should therefore be well prepared for this week’s end-of-support deadline for Windows 7 and Server 2008/Server 2008 R2.
For those companies unable or unwilling to upgrade, however, help is at hand.
No organisation is breach-proof: we all know that the odds are stacked too high in the attackers’ favour. However, by following industry best practices we can make it as difficult as possible for hackers, and discourage all but the most determined and well-resourced. That’s why it will dismay many in the industry to learn that Equifax knew, all the way back in March, about the vulnerability that it claims led to this year’s massive breach at the firm. However, it was apparently only fully patched months later, once the damage had been done.
Given the scale of the breach, and the fact that the firm could have been hit with fines of over $60m under the forthcoming GDPR regime, this should serve as yet another cautionary tale to IT leaders. Best practice security, including effective patch management, is called “best practice” for a reason.