With security so high on the agenda, businesses are doing everything they can to safeguard their networks from cyber-criminals keen to capitalise on software exploits. But do businesses pay enough attention to software updates when there are hundreds of other issues to address? And how can businesses plan to accommodate the downtime that some updates require?
“Software is becoming more complex, it contains thousands of code lines written by different developers. That’s why almost every piece of software has some unknown bugs or vulnerabilities. These bugs are discovered by users or by hackers reverse engineering the software to find weakness they can exploit.”
These words, from Ghareeb Saad, Senior Security Researcher, Global Research and Analysis Team, Kaspersky Lab, illustrate perfectly the need to do regular software updates. That said, experts consistently worry that too many Middle Eastern organisations fail to adhere to regular update cycles, giving cyber-criminals an opportunity to exploit weaknesses in older software versions.
“When a new vulnerability is discovered or becomes known to the public, software vendors work on them and release updates or patches to fix these vulnerabilities and prevent their exploitation. That means that old software versions will contain known vulnerabilities that can be exploited by hackers and used to break the organisation’s security―that’s why using old software versions poses great risks of different kinds to organisations’ security,” explains Saad.
According to the Global Corporate IT Security Risks 2013 survey, conducted by B2B International in collaboration with Kaspersky Lab, software vulnerabilities are among the top three reasons for all internal “incidents”, Saad adds. According to the report, 32 percent of respondents in the UAE said that out-of-date software caused an incident, while 39 percent of respondents in Saudi Arabia said the same. Perhaps most worryingly, while regular patch and software update management is one of the most common measures to minimise security risks, only 62 percent in the UAE and 45 percent in Saudi Arabia regularly implement patches, the report adds.
“Many organisations in the Middle East are starting to pay more attention to updates and patches, but statistics from our Kaspersky security network (or KSN) show that most exploited vulnerabilities in the region are old patched vulnerabilities. That means a lot of organisations are not doing regular updates, and more work needs to be done to improve the awareness on the importance of applying patches and software updates,” says Saad.
Naturally, it isn’t always easy to apply patches and updates, especially when the updates require downtime. Pradeesh VS, General Manager, ESET Middle East, explains that, for some organisations, the desire to stay ‘always-on’ could actually contribute to a decision not to apply software updates, even when the security risks are high.
“It’s a factor in any context where downtime has a significant impact on core business processes and the functionality can’t be transferred temporarily to other machines. This has always been a significant factor in SCADA and ICS installations where a critical industrial process, for instance, is carried out using a hardware and software combination, where there is no hardware redundancy, or it’s considered too expensive or disruptive to close down or transfer the process for an update that’s considered non-critical and can’t be applied while the process is running. Similar considerations often apply in medical and medical research contexts, too. An additional factor in all these scenarios is the difficulty or impossibility of testing an update before applying it to ‘live’ or critical systems,” he says.
When it comes to servers, however, Nilesh Shirke, Principal Consultant, Security Technology, Tech Mahindra, believes that there are steps that organisations can take in order to minimise downtime when applying patches.
“Downtime can be avoided by limiting the code that actually runs on business-critical machines during normal operation. No production technology has yet been able to reliably patch executable code that is loaded into computer memory and running. That implies that any patch to running code will require the code to be stopped and restarted. In the case of the operating system, that means a reboot,” he says.
“It is understood that only a small number could be installed with no fear of a reboot. It’s a useful best practice to think of reboot reduction using the 10-80-10 rule. The data from Windows Server showed that patches not requiring a reboot are about 10 percent of the total. Another 10 percent of patches apply to the Windows Server kernel and thus require a reboot unless there is a workaround. The remaining 80 percent will only require reboots if the specific executable code being patched is running when the patch is applied. Paying attention to this last class of patches can help increase the time between reboots and even improve the overall security of the server.”
That said, most organisations―particularly small and mid-sized ones―tend to simply prioritise patches on a case-by-case basis, which is perhaps why so many organisations in the Middle East are running on older software versions. According to Simon Azzopardi, Vice President for EMEA and APAC, Secunia, this does excuse some businesses from paying too much attention to patches, but they should still realise that they are putting themselves at risk.
“Most private individuals and even small businesses believe it is too time-consuming and too complex to update their software and do not make it a priority. Many believe that, once they have updated their Microsoft programs when prompted by the company, they have done all that they need to. The problem is that on average, a private PC in the US has 75 programs on it―only 30 of those are from Microsoft, and 45 are from third-party vendors. But third-party software is where 86 percent of all vulnerabilities are found,” he says.
The software numbers are similar in the Middle East. Unfortunately, Azzopardi believes that not enough organisations pay attention to software updates, yet he also says that more businesses are beginning to wake up to the need to do so.
“The fact that this year has been one of the worst years in the Middle East for network breaches proves that the Middle East is still lacking when it comes to taking a proactive approach to network security. However, we are now starting to see that companies are starting to prioritise network security and patching is high on the list of priorities,” he explains.
Unfortunately, for all the talk of needing to update security patches, there is still one large problem – zero-day flaws. These are vulnerabilities that software vendors do not know about themselves, and hackers work hard to try to exploit them for as long as possible before businesses update. According to ESET’s Pradeesh VS, these are possibly the biggest threats facing businesses today.
“It’s the ones you don’t yet know about, the ones that don’t yet have remediation, and the ones for which you haven’t been able to apply remediation yet. Some, unfortunately, you won’t know about because a service supplier only gives information on the vulnerability or breach to its customers, and few organisations have the resources to subscribe to all these services,” he says.
Indeed, this would suggest that it can be nigh-on impossible to protect against attacks, and, up to a point, this is true, according to Tech Mahindra’s Shirke. He says that, because no-one can fully protect themselves from breaches, businesses should instead be taking proactive approaches to security―hoping for the best but planning for the worst could be a big mantra in the security world going forward.
“Businesses must be ready to revise their strategies based on proactive measures, and they must anticipate unpredictable attacks. This way, they are armed with the right tools and measures to minimise the damage associated with an unexpected breach without wasting any time,” he says.
“The new approach should be based on the fact that breaches are part of everyday life and it is a matter of time and the aim today is to be ready when the breach happens. So security infrastructure is shifting from point products to an enterprise-integrated approach based on key foundation elements that allow proactive alerting, real-time monitoring, analytical correlation, predictive threat management and simple management.”
When it comes to patch management, however, there are still updates to watch out for, as there’s no doubting that some exploits are more popular than others among hackers. Kaspersky’s Saad explains which vulnerabilities to pay attention to.
“The most popular and dangerous vulnerabilities are client-side software vulnerabilities: in the Middle East region on the top are those in Oracle Java, VLC Media Player and Adobe Reader. These could be used in targeted attacks to send emails with malicious attachment that would exploit vulnerable software to bypass the organisation security and gain access to their internal network,” he warns.