By Morten Stengaard, Director, Product Management & Quality Assurance
The problem is not that there are no patches available to fix the vulnerabilities. The problem is that organizations and individuals don't know what to patch.
An audit from the Inspector General recently revealed that more than half of U.S. Department of Energy desktop systems tested by the DoE's inspector General failed to apply security patches for known vulnerabilities, although the software fixes were issued months earlier.
An article on GovInfoSecurity.com explains why government information security is not to be taken lightly:
"Examiners also identified vulnerabilities on servers supporting critical financial and non-financial applications and data. "The vulnerabilities could have resulted in a compromise of business information or unauthorized access to critical application functionality and data, as well as loss or disruptions of critical operations," the audit says."
Read the full article on GovInfoSecurity.com:
Energy Fails to Patch Vulnerable PC Apps
IG Audit Discloses Failure to Follow Established Security Policies
If I was going to be harsh, I could say there really is no excuse for not patching, since all the information you need to keep your systems patched is readily available: You can download the patches form the vendors' websites (almost always) free of charge, and you can check vulnerability databases (such as Secunia's) to find out about vulnerabilities - zero-days as well as patched.
But to be fair, it is of course not that simple. The longer version of the harsh truth is that part of the problem is the abundance of information out there: A lot of organizations don't know which applications they have in their infrastructure, and therefore - even though they have access to free vulnerability intelligence - they don't know whether this applies to their own infrastructure.
They have to manually keep track of all the vulnerability intelligence that is available, but also of all the applications they have. This is a cumbersome and very manual, resource-intensive process.
Add to that, that even if IT teams do know which applications they need to patch, they do not have the tools and resources to do so. Therefore they must go through a thorough scripting and testing phase before they can roll out the actual updates, hopefully without breaking anything in their infrastructure.
Governments have trouble complying, too!
What the story illustrates is that although you are a government institution, an upholder of rules of regulations by nature, it is not always easy to comply and to stay secure.
So it is no wonder a lot of privately held companies do not have the necessary processes in place to ensure that they get their patching done. Apart from the actual patching of the vulnerabilities that have been identified, most organizations are at a loss to identify exactly which vulnerabilities are critical to their particular systems - or even whether a specific program is present in their infrastructure.
At Secunia it is our experience that the picture painted by the numbers in the DoE audit is by no means extraordinary when compared to other sectors. In fact, because of NERC-CIP the energy sector is probably among the better protected - unlike many industries, the energy sector in general is aware that patching vulnerable applications is a priority.
Morten R. Stengaard
Director, Product Management & Quality Assurance
Some numbers from the DoE audit:
- 16 of the 38 vulnerabilities identified existed in previous years, but were not fixed.
- 1,132 PCs, or 58 percent, ran operating systems and/or client applications without patches for known vulnerabilities, although the fixes been released more than three months before the audit, and in some cases, up to six months earlier.