Ambivalent about Patching? Here’s All the Evidence in One Place
Sometimes getting 101’s right comes down to how seriously you take the issue – whether it’s given the right level of priority. Take health 101’s: we know we shouldn’t eat too much fast food and that we should exercise, but without the evidence staring us in the face, we sometimes fail to get it right.
It can also be a balance of priorities. When patching for security, where do you decide to put the emphasis? On availability – or on security?
Patching against cybersecurity vulnerabilities is one of those cybersecurity 101 things that just doesn’t always happen consistently. You know you should do it, we know you should do it… but known vulnerabilities nonetheless stay unpatched.
At TuxCare, we know how important patching is – and we impress it on you constantly, but the patching argument becomes even stronger once you look at the evidence. In this article, we give you all of the evidence in one place.
A Story of Numbers
Statistics can speak loudly and sometimes contrast the gut feelings we have about something – statistics can draw a picture that’s significantly worse than we instinctively expected.
Take a recent report by Ponemon for ServiceNow, called Today’s State of Vulnerability Response. Across the period covered by the study, 48% of companies have experienced a data breach, and that’s not good news no matter how you look at it.
But here’s the truly surprising part. The report states that: “Fully 57% of respondents who reported a breach said that they were breached due to a vulnerability for which a patch was available but not applied. 34% say they knew they were vulnerable before the breach occurred.”
Think about that for a minute.
A report from a known reputable vendor says that half of the companies surveyed recently got hacked, and out of that group the majority got hacked because of poor patching hygiene.
It tells the complete story of “patching matters”, in a single report.
The Body of Numbers
There’s more than one worrying report, of course. In fact, there’s a whole body of statistics that supports the need for consistent patching, with many pointing to the consequences of failing to do so.
For example, in a study from Positive Technologies, researchers uncovered the alarming statistic that 84 percent of companies have high-risk vulnerabilities on their external networks. Again, in a pointer to poor patching hygiene, the report found that more than half of these vulnerabilities could be removed by simply installing updates.
Notice the theme of unpatched vulnerabilities? In the same report by Positive Technologies, the organization found that 26 percent of companies remain vulnerable to WannaCry ransomware, as they have not yet patched the vulnerability it exploits.
There’s another important aspect to consider here. Vulnerabilities are everywhere – in the most literal sense of the word. Veracode’s State of Software Security Report released in October 2020 found that more than three-quarters (75.2 percent) of applications have security flaws. Of these, 24 percent are considered to have high-severity flaws.
What does that add up to in terms of the total number of vulnerabilities? Not all vulnerabilities are cataloged, but according to CVE Details in March 2023, there were roughly 198,020 cataloged vulnerabilities – of which more than 19,974 have a CVSS score of 9.0–10.0, indicating that they are highly critical.
And still… according to Automox, “A majority of CIOs and CISOs say that they delay putting security patches through to avoid interrupting business growth, while 25 percent say that they are certain their organization is not compliant with data security legislation.”
How are threat actors responding? By taking advantage of new vulnerabilities even faster than they used to.
Incidents Linked to Poor Patching
The statistics paint a worrying picture. But it’s just numbers… perhaps the reality isn’t that bad? Is there evidence that the statistics bear out in practice? Do we see cybersecurity incidents attributable to unpatched vulnerabilities? Let’s take a look.
In 2017, Equifax, one of the largest credit reporting agencies in the world, suffered one of the biggest-ever data breaches that exposed the personal information of hundreds of millions of people. The first step in a complex breach was enabled by an unpatched vulnerability in the Apache Struts framework.
Worse, the company was repeatedly warned about vulnerabilities in its technology infrastructure, including the Apache Struts vulnerability, and indeed an endless list of other IT malpractices. Equifax simply didn’t patch those vulnerabilities.
Equifax is not the only large company that suffered a massive breach due to lack of patching hygiene. The same thing happened to Starwood hotels, now part of Marriott. In 2014 the company suffered an attack that exposed 384 million customer records, all due to an unpatched vulnerability. It’s widely known as one of the worst-ever cybersecurity attacks.
Also in 2017, we saw WannaCry, which affected over 200,000 computers in 150 countries. The attack was able to spread quickly even though it exploited a vulnerability for which a patch was available several months prior. What enabled WannaCry? It’s simple: so many organizations failed to apply a patch for the EternalBlue vulnerability that threat actors exploiting WannaCry had free reign.
The list goes on and on. For example, the Red Cross revealed in 2022 that the personal information of half a million vulnerable people was exposed in a hack which was due to a vulnerability that the organization didn’t patch in time.
And it’s a risk that affects companies large and small. For example, the UK’s ICO fined a small law firm a significant sum after it found that the firm was breached due to an unpatched vulnerability.
Successful attacks due to unpatched vulnerabilities can also come at the worst of times, as New York state’s systems were hacked due to a known but unpatched Citrix vulnerability – just before the COVID outbreak.
Patching: Recommended and Required
Statistics around unpatched vulnerabilities were like a bad omen, it pointed in the direction that unpatched vulnerabilities are going to lead to costly hacks. And it happened – organizations large and small got hacked, and those were only the incidents that were disclosed to the press (or were newsworthy enough to make the press).
It’s without a doubt a big problem and there’s no surprise that regulatory bodies felt that something needed to be done. This is why you will find patching mentioned in cybersecurity laws and frameworks around the globe.
For example, in a big bang event for the cybersecurity of medical devices, at the end of 2022 the US President signed into law clear-cut patching requirements for medical devices. Legislators used the 2022 omnibus bill (page 3,537, line 18) to amend Chapter V of the Federal Food, Drug, and Cosmetic Act to, amongst other requirements, add an “as soon as possible” requirement to patching critical vulnerabilities.
Another critical standard where a lack of patching can get an organization in big trouble is the Payment Card Industry Data Security Standard (PCI DSS). Companies that accept card payments must maintain secure systems and networks, with specific requirements for security patches for all software used within the payment card environment. Fail to patch and face the consequences.
The NIST (National Institute of Standards and Technology) publishes a guideline on patch management (NIST 800-40), which provides detailed specifications on everything from routine to emergency patching.
Remediating vulnerabilities (including through patching) is a core part of many other frameworks. For example, CISA includes it as a core part of FISMA metrics, while SOC 2 certification and standards such as ISO 27001 also hinge on patching. And indeed, so do the recommendations in the CIS controls.
Even the regulatory body for financial services in Luxembourg stepped in with a specific requirement as in May 2017, the CSSF Circular 17/655 was released, intensifying regulatory pressure on banks and investment firms to enhance their controls concerning patch management.
What Do You Think? Does Patching Matter?
The statistics bear out what everyone in IT security already knows – patching really matters. The examples of incidents we provided complete the picture. And, as we explained, patching requirements are increasingly getting written into law.
We hope that this body of evidence provides a clear perspective on the importance of patching – particularly where organizations feel that patching is important, but not quite that important.