Iron Comet Consulting, Inc.

Patch Management Helps Keep the Bad Guys Out And Your Data Secure

Every day, dozens of new holes, or vulnerabilities, are found in software programs and hardware devices around the world. Many of these holes are only bugs that cause no harm, but some create serious security issues. In July 2020, Microsoft released a patch for a 17-year-old hole in its DNS server software. The vulnerability allowed an attacker to remotely take over a server running the software. Vulnerabilities like this are common in both software programs and hardware devices. This is why patch management is such a critical part of any practice's or small business's cybersecurity. Read on to learn everything you ever wanted to know, or maybe didn't want to know, about the importance of keeping computers up to date.

What exactly is a hole in software or hardware?

A hole is simply a mistake made in the code of a software program. That program may be an operating system like Windows 10, or it may be the software that runs your home router. Earlier in 2020, 75 different models of routers made by Netgear were found to contain serious vulnerabilities. Netgear released updates for some of those models, leaving 45 different models unpatched. Worse, most users never update their home routers, and because of this they are left vulnerable.

Microsoft releases updates monthly to patch holes that it, or others, have discovered in its products. For 3 consecutive months in 2020, May, June, and July, these monthly updates patched more than 100 security holes each month. While not every one of these security holes qualifies as critical, there were several in each update that were.

Each manufacturer will release updates for its products for a specified period of time. During this time, the updates may come often or in batches that combine many updates. A new version of the software product may also fix many holes from the previous version. This is true of Apple's iOS and Google's Android software. Each new release fixes dozens, or even hundreds, of security holes found in older versions.

How serious can holes in computer software or hardware be?

The following 3 examples show just how serious software holes can be. Vulnerabilities like these have led to widespread attacks and caused billions of dollars in damage.

Equifax:

By now, everyone should have heard of the Equifax hack in 2018. What you may not know is why it happened. Equifax used a software program called Apache Struts in some of its web applications. The Apache Foundation, which manages the Struts software, found a serious bug in it that allowed remote attackers to compromise apps using Struts. It released a patch for the bug in early 2018. However, Equifax failed to patch its servers running the vulnerable version of Struts, and hackers working for the Chinese government found them. The hackers used the vulnerability to get inside the Equifax network and, over time, steal the credit information of over 140 million Americans. The disturbing part is that Equifax was aware of the vulnerability but didn't patch it, and that failure is what allowed the data theft to occur.

WannaCry:

WannaCry was the first ransomware worm to use a vulnerability in Microsoft Windows known as EternalBlue. EternalBlue was a vulnerability that the US National Security Agency discovered in many different versions of Windows. The NSA had developed tools to exploit it for use against foreign governments. However, the tools were eventually stolen by what are believed to be hackers working for the Russian government. These hackers released the tools online for the world to see, and for some, to use. The NSA alerted Microsoft, which quickly released a patch for the critical vulnerability. Alerts were sent out telling everyone using the impacted products to update immediately.

Shortly after, hackers working for the North Korean government used EternalBlue to create the WannaCry ransomware. The ransomware quickly spread throughout the world and was estimated to have infected over 200,000 computers in 150 countries. The spread was only stopped because of a mistake the North Koreans had made. WannaCry used a website as its central server, but the North Koreans had forgotten to register the domain. A security researcher in the United Kingdom noticed this and registered the domain. From there, he was able to shut down the worm.

AT&T modems and routers

In 2017, security researchers discovered several critical security vulnerabilities in many models of AT&T Uverse modems and routers. Many were coding mistakes, but some were user accounts hardcoded into the device by the manufacturer. This meant that if an attacker were able to obtain the credentials for those accounts, they could remotely log into the device and take it over. Patches were issued, but most users didn't apply them. This means that upwards of 200,000 devices still in use are vulnerable to being compromised remotely by attackers. The attacker would have complete access to the device and be able to inject malware into the network.

How does patch management play into all of this?

Patch management is the process of installing the updates that software and hardware manufacturers release to plug the holes that are discovered. Microsoft releases monthly updates for its products. Many other software vendors release periodic updates for their products as well.
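The practical first step in patch management on a Windows machine is simply knowing how far behind it is. The script below is an added example written for this article, not tooling from Iron Comet Consulting or from Microsoft. It assumes a Windows host with PowerShell 5.1 or later and access to the built-in Windows Update Agent COM API (`Microsoft.Update.Session`); the 45-day staleness threshold is an assumption chosen to match Microsoft's monthly release cadence and can be changed to suit your environment.

```powershell
# Added example: report the patch status of the local Windows host.
# Assumes PowerShell 5.1+ on Windows with the Windows Update Agent COM API available.
# The threshold below is an assumption for this example: Microsoft ships updates monthly,
# so a host with nothing installed in 45 days has almost certainly missed a release.
$StaleAfterDays = 45

# 1. Find the most recently installed update from the hotfix inventory.
#    Some entries have no InstalledOn date, so they are filtered out first.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    "Last update installed: $($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString()) ($([int]$age.TotalDays) days ago)"
    if ($age.TotalDays -gt $StaleAfterDays) {
        Write-Warning "No update installed in the last $StaleAfterDays days; this host has likely missed at least one monthly release."
    }
} else {
    Write-Warning "No installed updates with a recorded date were found."
}

# 2. Ask the Windows Update Agent which applicable updates are still not installed.
#    The search criteria string is the agent's own query syntax.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

"Pending updates: $($result.Updates.Count)"
foreach ($update in $result.Updates) {
    # MsrcSeverity is Microsoft's rating (Critical, Important, ...) and is empty for non-security updates.
    $severity = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'n/a' }
    "  [{0}] {1}" -f $severity, $update.Title
}
```

Run it from an elevated PowerShell prompt. A pending list containing any "Critical" or "Important" entries, or a last-install date older than the threshold, is the signal that the host is behind the monthly cycle described above and needs attention before it becomes the kind of unpatched system the Equifax and WannaCry cases illustrate.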

Hardware vendors release firmware updates that replace the core operating system of the device. These updates may not come out frequently, and many vendors simply don't provide updates at all. In addition, applying these updates can be challenging for users, and that intimidation keeps some users from updating their devices. This is especially true of devices categorized as the Internet of Things (IoT), like cameras, home automation, and similar products. Often it isn't cost-effective for the manufacturer to release a patch, so they just don't.

Regardless, keeping software up to date and secure is critical to your medical practice or small business. Not doing so opens massive security holes that could be used to completely take over your network. 

Patch management is required under compliance frameworks

Compliance frameworks such as HIPAA and PCI-DSS require all software to be kept up to date to protect patient or customer data. Failing to do so would leave your practice or business out of compliance. In the case of HIPAA, this could result in serious fines. For PCI-DSS, fines can be levied by the credit card processor.

Keeping your computers and devices up to date may be tedious, but the time you spend doing it could save you a lot of money later. Take the time to make sure all of your computers and devices are current and up to date. Do this not just for your own sake, but for others, since your compromised computer could be used to attack others or spread ransomware.