The importance of updates in Industrial Cybersecurity

Centro de Ciberseguridad Industrial

SECURITY UPDATES

Updates again… Those annoying updates, too often labeled “restrictive”. However, these updates exist for our own security. And although it is often difficult to make reasonable security decisions when they are detrimental to production, updating systems, applications and equipment is something that should not be postponed until tomorrow. On the contrary, it should be a central aspect of any company’s security policy. However, to avoid problems or side effects that could negatively impact the business, update procedures must be adapted to the criticality of the systems and, where appropriate, updates must be planned and prepared in advance.

Why update? Are updates absolutely vital?

Can’t you delay a little? These questions are asked all too often in companies where digital hygiene, IT/OT protection and security best practices do not always extend to keeping systems up to date, and where doing so is not always a priority either. For many companies, business continuity and production capabilities remain the number one priority, with the issue of vulnerabilities often taking a back seat.

It is just as true that we cannot paralyze a company’s production as it is that cyber attacks are not going to stop. As long as there are vulnerabilities, there will be attacks. And updates are a must to fix these vulnerabilities and defend against these attacks! Although their effectiveness and importance are well demonstrated, the path to good practice is difficult and winding. Within companies, a combination of urgent priorities and ambivalence means that operational requirements often come before the fight against cyber risks.

Unattended updates and vulnerable systems. The crude reality

Bugs and vulnerabilities are well documented and published by cybersecurity stakeholders, and can range from minor bugs to critical vulnerabilities. And if this information is available to companies, it means that attackers also have access to it… Systems that have not been updated are, therefore, especially vulnerable to cyberattacks. Attackers use equipment identification techniques or “footprinting”, that is, scans of networks and environments that allow them to identify machines, to easily and quickly find vulnerable equipment and workstations, in this case those that have not been updated. Attackers take advantage of systems that contain known and therefore easily exploitable vulnerabilities.

The Wannacry ransomware program perfectly illustrates how vulnerable out-of-date workstations can be. In May 2017, this ransomware was able to spread thanks to a vulnerability in Windows environments, on systems that had not corrected the security flaw. Yet two months before the attack, Microsoft had released a security patch for this vulnerability and publicly warned of its major impact. The final tally: 150 countries were paralyzed by the Wannacry cyberattack, and the financial losses are today estimated in billions of dollars.

Although this occurred more than five years ago, Wannacry offers a snapshot of the reality we still experience today: many companies have not yet recognized the importance of applying updates, and of doing so as soon as possible to reduce the window of opportunity for attackers. In May 2019, Microsoft again published details of a security flaw in one of its system components. Dubbed “BlueKeep,” this bug could have had the same impact as Wannacry if it had been exploited on a large scale. Although researchers cannot confirm that BlueKeep was exploited on a large scale, the risk was certainly real: a month after the disclosure of the bug and the publication of the patch by Microsoft, almost a million systems were still exposed and vulnerable. All of them possible entry points for the cybercrime ecosystem…

Lack of regular update procedures

Some companies do not perform updates because they do not have the procedures in place to provide a framework that ensures they are done correctly (for example, for lack of test environments), and therefore the updates accumulate and, with them, the risks. A regular check means that only a few updates need to be made at a time. On the contrary, if we let time pass, tasks accumulate and the risk continues to increase.

The ghost of Wannacry seems to always be lurking: in 2020, another major bug related to the Windows operating system was detected, called SMBGhost. It was another vulnerability in the same protocol that Wannacry exploited, and its exploitation could have been equally catastrophic. Attacks directed at outdated systems continue to increase, and the only certainty is that they will not stop in the future. On the other hand, updates are increasingly easy to perform and are usually well documented. Therefore, having established updating procedures should be considered a priority for all companies, regardless of business sector, and should become an ingrained part of any organization’s culture.

Reconciling cybersecurity and operational requirements: between the Holy Grail and the eternal paradox

Software and equipment updates are and will always be the subject of competing pressures, since they have the dual objective of guaranteeing security while respecting the operational limitations inherent to any activity.

Because while updates exist to fix bugs and patch critical vulnerabilities, they can also create problems for businesses. In industrial and operational networks (OT), updates are particularly unpopular because they can lead to undesirable effects, such as a prolonged stoppage of production. Even once completed, an update could reboot the system at a critical time, so it requires careful attention in the industrial world. By a knock-on effect, unforeseen impacts can cause a drop in production, which would have an adverse effect on turnover. “Evaluating the need for an update through a risk analysis and planning it by measuring the impact on production are, therefore, essential aspects to take into account in the industry. For this reason, maintenance stops must be carefully prepared and scheduled in the industrial world.”

But the limitations are not only found in OT. In more general terms, updates can impact any company, affecting, for example, the corporate website that is no longer available, or resulting in a loss of time for users who are forced to restart their work equipment. Likewise, they can affect software or applications currently in development, much to the chagrin of developers, or affect already deployed applications that will no longer work correctly. Whether for the head of an industrial plant, a web developer or a mere mortal working in the office or remotely, updates are not particularly welcome and their implementation can be a source of concern and problems. Correctly approaching an update is a question as complex as it is paradoxical.

The question of the impact of updates and how to minimize it

So should we or shouldn’t we update? That is the big question! And not least because of the implications and problems that derive from both alternatives… Depending on the operational limitations and work environments (production environments, applications used, etc.), updates can be very complex or even impossible. “Conscientious work is required before applying an update to determine if it could affect the system or work environment. For sensitive environments and critical systems, it is essential to provide a pre-production environment to test the updates beforehand and identify when they may cause the system to malfunction or change the way it works.” In most cases, the deployment of a highly available architecture (or even replicas, “digital twins” or other forms of virtualization) is required for reliable testing.

Different update procedures depending on the criticality of the environment

We have seen that it is just as important not to ignore updates as it is to approach them with proper planning and preparation, and on a regular basis to prevent work and risk from accumulating. But how to do it? What procedures would be the most advisable? To answer this question we must consider the criticality of the environment. In non-critical environments (PCs, laptops, etc.), there are undoubted advantages to activating automatic updates, although it is also important to be able to verify their reliability to limit risks. A common practice is to use a small group of test users for this purpose. In IT, automatic updates can be enabled for workstations or office software, although it is advisable to allow some flexibility to postpone the update to the most convenient time.

On the other hand, for critical servers or processes, whether we are in IT or OT environments, it is not advisable to perform automatic updates, since the consequences must be meticulously analyzed and updates planned in advance.

In fact, in some cases the prior analysis may tell us that it is impossible to perform updates as such: when an update makes an application incompatible, when the operating system is out of support and no longer receives updates, or in “the case of systems at the end of their operational life, for which the update and migration to the new system becomes excessively expensive.” In these cases, it is important to be fully aware of the risk assumed and to look for alternative forms of risk mitigation (“virtual” patching tools, other complementary security measures such as isolating or segmenting end-of-life equipment, etc.).

In any case, update procedures (update frequency, decision whether or not to activate automatic updates, etc.) are the responsibility of the company and should not be delegated to the free will of users or administrators.
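The decision rules in this section (automatic updates with a pilot group for non-critical equipment, a planned and tested maintenance window for critical systems, and compensating controls where patching is impossible), together with the “regular check” the article recommends so that patches do not accumulate, can be written down as a small patch-governance model. The following Python block is an added example, not tooling from the article or from Stormshield; the asset names, advisory references, CVSS scores, dates and the 30-day / CVSS 7.0 thresholds are constructed sample data and policy choices assumed for illustration.

```python
"""Patch-governance model: update procedure adapted to asset criticality.

Added illustration (not the article's own tooling). Asset names, advisory
identifiers, CVSS scores, dates and thresholds below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Patch:
    advisory: str      # vendor/CERT advisory reference (constructed placeholder)
    cvss: float        # CVSS base score as published in the advisory
    published: date    # date the patch and advisory became public


@dataclass
class Asset:
    name: str
    environment: str   # "IT" or "OT"
    critical: bool     # critical server/process vs. ordinary workstation
    end_of_life: bool = False                    # vendor ships no more updates
    pending: list = field(default_factory=list)  # patches not yet applied


# One procedure per criticality class, following the article's recommendations.
ACTIONS = {
    "automatic-with-pilot-group":
        "enable automatic updates; validate on a small pilot group first; "
        "let users defer briefly to a convenient time",
    "planned-maintenance-window":
        "risk analysis; test in pre-production or a digital twin; "
        "apply within a prepared and scheduled maintenance stop",
    "compensating-controls":
        "update not possible: document the accepted risk; isolate or segment "
        "the equipment; apply virtual patching and complementary controls",
}


def update_policy(asset: Asset) -> str:
    """Select the update procedure from criticality and vendor-support state."""
    if asset.end_of_life:
        return "compensating-controls"
    if asset.critical:            # critical IT and OT systems are treated alike
        return "planned-maintenance-window"
    return "automatic-with-pilot-group"


def exposure_days(patch: Patch, today: date) -> int:
    """Days the flaw has been public and patchable without the patch being applied."""
    return (today - patch.published).days


def review_backlog(assets, today, max_days=30, cvss_threshold=7.0):
    """The 'regular check': every pending patch with its procedure and urgency.

    A patch is flagged overdue when it has waited longer than max_days or its
    CVSS score reaches cvss_threshold (assumed thresholds, not article values).
    """
    findings = []
    for asset in assets:
        policy = update_policy(asset)
        for patch in asset.pending:
            days = exposure_days(patch, today)
            findings.append({
                "asset": asset.name,
                "environment": asset.environment,
                "critical": asset.critical,
                "advisory": patch.advisory,
                "cvss": patch.cvss,
                "days_exposed": days,
                "overdue": days > max_days or patch.cvss >= cvss_threshold,
                "policy": policy,
                "action": ACTIONS[policy],
            })
    # Most urgent first: overdue items, then critical assets, then severity, then age.
    findings.sort(key=lambda f: (f["overdue"], f["critical"], f["cvss"],
                                 f["days_exposed"]), reverse=True)
    return findings


# Constructed sample inventory.
TODAY = date(2024, 3, 1)
INVENTORY = [
    Asset("office-laptop-42", "IT", critical=False,
          pending=[Patch("VENDOR-ADV-0002", 5.3, date(2024, 2, 20))]),
    Asset("hmi-line-3", "OT", critical=True,
          pending=[Patch("VENDOR-ADV-0001", 8.1, date(2024, 1, 10))]),
    Asset("legacy-plc-gateway", "OT", critical=True, end_of_life=True,
          pending=[Patch("VENDOR-ADV-0003", 9.8, date(2024, 1, 1))]),
    Asset("intranet-web", "IT", critical=True),   # nothing pending: checks kept pace
]


if __name__ == "__main__":
    for f in review_backlog(INVENTORY, TODAY):
        flag = "OVERDUE" if f["overdue"] else "ok"
        print(f"{flag:7} {f['asset']:20} {f['advisory']} CVSS {f['cvss']} "
              f"{f['days_exposed']:3}d  {f['policy']}\n        -> {f['action']}")
```

Running the block prints the backlog with the end-of-life gateway first: it cannot be patched, so the report points to isolation and virtual patching rather than silently dropping it, which is the “assume the risk and look for alternative mitigation” case above. The thresholds and the sort order are the parts an organization would tune in its own procedure; the point is that the procedure is fixed by the company, not chosen ad hoc by each administrator.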

Develop an “updating culture”

Although companies are increasingly aware of the need for updates, they are not always able to evaluate and understand the risks of not implementing them. Not all companies understand the extent to which they can be the target of a cyber attack. This frequently occurs in OT, where the “cybersecurity” culture is not always fully developed, since these systems were traditionally isolated and therefore considered free of exposure to risk. It is also common to overlook that the source of an attack may be an apparently trusted environment, such as a supplier, the supply chain or the company’s own IT network.

The first step in building a cybersecurity culture is to assume that “it is not a question of if you are going to be attacked, but when.” And to anticipate that moment, updates must be an essential part of operating procedures. It also involves investing effort to stay up to date on the latest trends, attack techniques, and cybersecurity techniques and tools.


“Learning from experience” is a practice that provides many benefits. Specific cases of real problems are studied, lessons learned are drawn, and it becomes understood that risks are not just theory and that the probability is real. Exercises that simulate attacks using vulnerabilities in unpatched systems also make it possible to raise awareness among users and administrators of their importance in

The role of equipment and application manufacturers and other bodies

In addition to contributing to awareness, equipment and application manufacturers must facilitate and simplify update processes, providing support during the process and publishing information in a clear and transparent manner, including a criticality assessment. And distrust those who don’t.

Additional, more coercive measures have been implemented in some countries. An example was the Zerologon threat, a security flaw that affected Windows servers, allowing an attacker to take control of vulnerable machines and, in particular, domain controllers, and whose severity obtained the maximum score of 10 out of 10 in the “Common Vulnerability Scoring System” or CVSS (an open standard documented by FIRST, the Forum of Incident Response and Security Teams). In this context, given the criticality, the United States Cybersecurity and Infrastructure Security Agency (CISA) required all government agencies in the country to apply the patch that corrects this vulnerability before a specific deadline (see link).

CERTs, or Security Incident Response Centers, help prevent a situation of this type from occurring by providing warnings and clear information about critical vulnerabilities. In the case of Spain, the CCN-CERT, a member of FIRST, promotes the exchange of technical information on cyber threats and has a Notices and Alerts section on its website. Like the notices from the National Cybersecurity Institute, INCIBE, these should be mandatory reading as part of the security update procedures, especially critical update notices.

Conclusions and actions to take

Although we cannot ignore updates, we must avoid causing an undesirable impact on systems and the business. To do this, we must approach them with due planning and preparation, and on a regular basis to prevent work and risks from accumulating. Update procedures must be adapted to criticality: in non-critical environments, automatic updates can be activated, but in other cases it is necessary to analyze the impact beforehand and meticulously, using simulation or replication environments (digital twins) to avoid interrupting or impacting critical systems and processes. When the impact justifies it, applying an update could be ruled out, but always assuming the risks and trying to implement alternative risk mitigation actions. In any case, the procedures are the responsibility of the company and should not be delegated to the discretion of users or administrators.

Security updates are an essential part of the security culture that must be reflected in concrete actions to learn from one’s own and others’ experiences, as well as from recommendations regarding updates from manufacturers and other national and international organizations.


Author:

Antonio Martínez Algora

Senior Cybersecurity Engineer, Stormshield (The European Cybersecurity Choice)