By: Tarek Naja, Solution Architect, Middle East, Qualys
Since the region’s governments initiated their economic-diversification initiatives, Middle East enterprises have been digitising at a robust pace, putting them squarely in the crosshairs of cybercriminals. But when COVID-19 struck, and businesses and governments flocked to the cloud for its promise of continuity, things got worse. In the UAE, for example, the nation’s top cybersecurity official revealed a 250% increase in attacks from 2019 to 2020. This is what bad actors do. They take advantage of circumstances, any circumstances, to pounce.
And what a circumstance the pandemic turned out to be for digital malefactors. To settle quickly into their new homes in the cloud, regional organisations had to accept new, untested ecosystems. Multiple network domains that fell outside the control of IT, coupled with a mushrooming of Shadow IT, dumped alien environments on the heads of thousands of under-resourced tech teams.
Among the many bugbears resulting from this technology sprawl was the issue of unpatched vulnerabilities. Their management is a key focus for IT and security professionals tasked with protecting their infrastructures from incursion. In the world of cloud, at a global level, much of this time is taken in ensuring that Linux-based ecosystems are tended to appropriately. The open-source OS accounts for the lion’s share of public cloud infrastructure (nine of the top 10 public clouds, according to the Linux Foundation). And considering that its kernel is the heart of Android, Linux can also be found in 82% of the world’s smartphones.
While Linux stacks up well against other operating systems for security, it has its vulnerabilities. And these need to be managed. Prompt reaction to known, fixable issues is the hallmark of sound cybersecurity, but because of its non-proprietary nature, Linux does not have a Patch Tuesday. Instead, a global community of vendors, White Hats and freelance coders discovers issues for itself and shares them freely with others.
While this open community system is worthy of much praise, it does have some drawbacks. The greatest of these is a far-flung assumption that Linux is secure. While the attack stats show it as a less frequent victim, it would be unwise to assume it is invulnerable. When vulnerabilities are found, they are shared, and the community being what it is — a global family of empirically minded devotees — proofs of concept are required. This means that not only is the vulnerability made public, but so is the playbook on how to exploit it.
And everyone knows the same information at the same time, from vendors to cybercriminal cabals. So, the criminals have an advantage. The customisability of Linux has led to many “flavors” that may need their own variant of a patch when one is issued. That means the community is in a race with attackers to develop and release several workarounds before the bad actors can duplicate the exploit.
The patch playbook
The Linux end-user, therefore, is in dire need of their own patch playbook. And three basic actions can form a good foundation. Before anything else, build a comprehensive IT asset inventory. Hardware, OS, and applications, listed together with any cloud services and their up-to-date statuses, will allow security and IT teams to visualise their environments.
Enterprises that build asset inventories should avoid “tool clutter”. Some may argue that asset discovery is only comprehensive if you use ideally designed tools to identify each kind of asset, but this can lead to precisely the complexity they were trying to avoid, through duplication of work and data across teams. Different tools may classify the same asset in different ways, leading to inaccuracy. Tool clutter is easily dispelled by adopting a single-dashboard system capable of discovery, scan, prioritisation and even remediation.
Second begins the triage of issues. Classifications of risk vary widely with industry and enterprise, but teams should be looking at factors such as the age of the vulnerability, whether a fix exists, how common the issue is and what the results of an exploit are likely to be. For example, a vulnerability that is easy to exploit but leaves no vital assets exposed to compromise is probably a low priority, as is a zero-day that involves a lot of manhours and expense (on the part of the bad actors) to leverage. Conversely, a well-known, old, dangerous vulnerability for which a patch exists is a higher priority.
Race against time
Doing this triage well also involves adoption of the right tools, because just as tool clutter can duplicate and mislabel assets, it can lead to slow triage and a laborious patching process (the third step), slowing the very process that is in competition with well-equipped, well-informed cybergangs. While the Linux community has published several tools to overcome this challenge, their need for manual intervention can often dampen their own effectiveness.
Again, a single-console solution that scans, priorities, and remediates is more efficient, and frees up beleaguered teams to concentrate on more analytical and innovative tasks. Dozens of manhours spent trying to determine the most appropriate action for each asset is saved. Add in the capabilities to patch with a single button press and automatically compile up-to-date reports on remediated vulnerabilities, and we arrive at a highly optimised solution.
The region leverages a vast range of OS platforms, applications, and clouds to innovate for the next trend or crisis. Designing a workflow that optimises the patching of Windows and Linux and everything in between, as well as internal cloud assets, is vital. Cyber incidents stop innovation in its tracks, so we need to be ready to discover, mediate and prevent digital incursions.
An asset inventory that gives a rich overview of the environment; a risk-based assessment of what to address and in what order; and a patching process that is capable of both proactive and reactive operations – these are the pillars of effective patch management. Without them, we leave open the doors, windows, and chimneys of our digital estates. It is a short hop from there to real harm.