The window of opportunity between releasing and applying a patch
The Equifax data breach has probably caught all of your attention by now. While I don’t usually comment on major ongoing incidents, I recognize there is a worrying pattern that’s worth reflecting on. Like the recent infamous WannaCry ransomware attack, this data breach leverages a known vulnerability, in this case in Apache Struts. It exploits the window of opportunity the victim created by delaying the application of a patch.
To be fair, it is meaningless to just blame the victim for not patching soon enough. Such a statement oversimplifies the operational complexity and does not solve the problem at all. If you have been following my blogs, you’d know I recently blogged about cyber resilience. Along the same line, the Cloud Security Alliance (CSA) has released a study on improving cyber resilience. As measurement metrics, the study suggests two new variables, Elapsed Time to Identify Failure (ETIF) and Elapsed Time to Identify Threat (ETIT). It’s an interesting perspective to quantify and differentiate the time lapse between identifying a threat and identifying a failure. The study argues a resilient information system ought to have the lowest ETIF and ETIT possible.
In simple terms, ETIF is when we realize something bad has happened and ETIT is when we sense something bad could happen. From an IT manager’s perspective, I can understand the stress of knowing the systems have not been keeping up with security updates. It is just a matter of time before a data breach happens. Adding to the stress, it is not that she does not want to update, but that she can’t. At the same time, nobody is going to pity her when the cause of a data breach is attributed to an unpatched, vulnerable system.
At the same time, vendors encourage customers to apply security patches as soon as they are released. Nonetheless, anyone who works in security knows we can’t force security updates; otherwise, something is guaranteed to break. Between vendors and IT managers, a certain level of transparency and trust is missing. Nobody is to blame, as every system landscape is different.
Instead, we try to tackle this issue from different angles within our industry. For example, the Common Vulnerability Scoring System (CVSS) helps customers decide on the severity of a vulnerability, and thus the urgency of applying the patch. The adoption of Common Vulnerabilities and Exposures (CVE) helps raise awareness of vulnerabilities and available patches. Nonetheless, every initiative out there has its weaknesses and may not lead every customer to adopt every patch. It’s worth reflecting on what can be done to minimize the window of opportunity for hackers to exploit the delay in patching.
As we continue on the digital transformation journey, different countries are starting to take control via legal means: to legislate and regulate computer security. Bills and acts are being proposed to stop these data breaches and treat cybersecurity seriously. Where possible, it is worthwhile to pay attention to these legislative changes. As citizens of your respective countries, I encourage you to speak up and get involved. After all, we never know when the next data breach will come. However, as the current practice stands, I can predict that similar large-scale data breaches or ransomware lock-downs will persist. The solution ought to be a sensible collaborative model, driven either by consensus or by regulation, to bring vendors and customers closer together.