EXPERT OPINION
banking trojans, cryptojacking,
cyberespionage and IP theft.
The amazing thing for many working in
the industry is that organisations still
come unstuck with patches, despite
the devastating global impact of the
2017 WannaCry ransomware worm.
Exploiting an SMBv1 flaw in Windows
for which Microsoft had shipped a patch
two months earlier, this state-sponsored
threat spread quickly around the world,
encrypting files on machines as it went
without any user interaction. Most
notably, it affected more than a third of
NHS trusts, leading to the cancellation
of an estimated 19,000 appointments
and operations.
Vulnerabilities are a natural consequence of human error. Mistakes will always happen, especially in highly complex, man-made systems like computer programs.
Beyond the tipping point
This should have been a tipping point
in how firms prioritise effective
patching. Yet several challenges remain
stubborn obstacles to adopting a more
strategic approach to patch management.
The first revolves around the sheer
number of vulnerabilities being disclosed
today. Last year alone, somewhere in
the region of 22,000 were publicised,
thanks to the work of numerous vendor
and third-party bug bounty programmes,
independent research and the relentless
activity of the black hat community.
Many organisations have no
standardised way to apply these patches
as they affect products across a range
of environments from virtual and cloud-
based systems to networking equipment,
web applications, processors, Internet of
Things (IoT) endpoints, mobile devices
and operational technology (OT).
In fact, the number of flaws found in
SCADA equipment is said to have
doubled from 2017 figures. What’s more,
the number of potentially vulnerable
enterprise endpoints is increasing all the
time, as Digital Transformation efforts
take hold to drive business growth
on the back of cloud, mobile and IoT
systems. Shadow IT risks are high as
staff open new cloud accounts or buy
unvetted IoT kit and hook it up to the
corporate Wi-Fi.
Some organisations may even be
running legacy operating systems that
no longer receive security patches,
because of compatibility issues with
mission-critical apps or long
replacement cycles for OT hardware. All
of this must be managed by a dwindling
pool of IT security staff. EMEA shortages
of skilled professionals have now
reached 142,000 positions.
The next WannaCry
The bad news is that, while the
WannaCry threat has largely been
contained, something much worse
could be around the corner. BlueKeep
(CVE-2019-0708) is another wormable
vulnerability that could spell trouble for
global firms.
Capable of spreading without user
interaction, this pre-authentication
remote code execution flaw in Remote
Desktop Services (RDP) affects Windows
XP to Windows 7 and Server 2003 to
Server 2008 R2 machines, exposing them
to the risk of total remote control by an
attacker; Windows 8 and later are not
affected. Microsoft has issued fixes,
including rare out-of-band patches for
the out-of-support XP and Server 2003,
and documents Network Level
Authentication as a partial mitigation
that blocks unauthenticated exploitation.
It's still not clear what kind of campaign
may be built on this vulnerability, but
you can bet something is in the works
as hackers are already scanning for
vulnerable systems and researchers
have developed working exploits.
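The checks a patch team would actually run against that description, as an added example that is not part of the article or any vendor tooling: a small Python triage over a constructed host inventory that applies the affected-version list, whether an RDP listener is on and reachable from the internet, whether Network Level Authentication is enforced, and whether one of the May 2019 fixes is installed, then ranks hosts worst first. The host names and inventory are made up; the KB identifiers are the ones I recall from Microsoft's advisory for CVE-2019-0708 and should be verified against it before use; `Host`, `bluekeep_status`, `triage` and `summarise` are my own names.

```python
"""BlueKeep (CVE-2019-0708) exposure triage over a host inventory.

Added example: the inventory at the bottom is constructed, not real hosts.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Versions that ship the vulnerable Remote Desktop Services code
# (Windows XP through 7, Server 2003 through 2008 R2); Windows 8+ is unaffected.
AFFECTED_OS = {
    "Windows XP", "Windows Vista", "Windows 7",
    "Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2",
}

# May 2019 fixes as recalled from Microsoft's CVE-2019-0708 advisory:
# KB4499175 / KB4499180 (Windows 7, Server 2008 R2, Server 2008 security-only),
# KB4499149 (Server 2008 monthly rollup), KB4500331 (out-of-band fix for the
# unsupported XP and Server 2003).
# Assumption: verify these IDs against the advisory before relying on them.
BLUEKEEP_FIX_KBS = {"KB4499175", "KB4499180", "KB4499149", "KB4500331"}

# Triage order, worst first.
SEVERITY = ["critical", "exposed", "mitigated", "rdp_off", "patched", "not_affected"]


@dataclass
class Host:
    name: str
    os: str
    rdp_enabled: bool        # TCP/3389 listener is on
    internet_exposed: bool   # reachable from outside the perimeter
    nla_enabled: bool        # Network Level Authentication required before a session
    hotfixes: Set[str] = field(default_factory=set)


def bluekeep_status(host: Host, fix_kbs: Set[str] = BLUEKEEP_FIX_KBS) -> str:
    """Classify one host; the returned status is one of SEVERITY."""
    if host.os not in AFFECTED_OS:
        return "not_affected"
    if host.hotfixes & fix_kbs:
        return "patched"
    if not host.rdp_enabled:
        return "rdp_off"       # vulnerable code present, but nothing listens on 3389
    if host.nla_enabled:
        # NLA forces authentication before the flawed pre-auth code path is reached,
        # which stops an unauthenticated worm but not an attacker with valid credentials.
        return "mitigated"
    return "critical" if host.internet_exposed else "exposed"


def triage(hosts: List[Host]) -> List[Tuple[str, str]]:
    """Return (status, hostname) pairs, worst first, then alphabetically."""
    rank = {s: i for i, s in enumerate(SEVERITY)}
    rows = [(bluekeep_status(h), h.name) for h in hosts]
    return sorted(rows, key=lambda r: (rank[r[0]], r[1]))


def summarise(hosts: List[Host]) -> Dict[str, int]:
    """Count hosts per status, the kind of one-liner a CISO takes to the board."""
    return dict(Counter(status for status, _ in triage(hosts)))


# Constructed sample inventory: names, versions and patch state are made up.
SAMPLE_HOSTS = [
    Host("dmz-rdp-01", "Windows Server 2008 R2", True, True, False),
    Host("ws-legacy-07", "Windows XP", True, False, False, {"KB4500331"}),
    Host("hr-term-03", "Windows 7", True, False, True),
    Host("scada-hmi-02", "Windows Server 2003", True, False, False),
    Host("kiosk-05", "Windows 7", False, False, False),
    Host("fileserver-12", "Windows Server 2016", True, False, True),
]

if __name__ == "__main__":
    for status, name in triage(SAMPLE_HOSTS):
        print(f"{status:<13} {name}")
    print(summarise(SAMPLE_HOSTS))
```

The ordering is the point: the internet-facing 2008 R2 box with no NLA and no patch is the one a worm would find first, the SCADA HMI on 2003 is next because it is the kind of OT host the article says cannot easily be replaced, and a host behind NLA is bought time rather than safety, since the flaw is still present for anyone holding credentials.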
The business impact of this and other
exploit-based cyberattacks should be
front-of-mind for any CISO looking to
secure more funding from the
board. Breaches, ransomware-related
outages and the like come with a range
of direct and indirect costs. BA was fined
Issue 17 | www.intelligentciso.com