Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.
As long as software is developed by humans, there is always the possibility there will be flaws in the code—and who can say if AI will do any better in writing flawless code? Those flaws can make the software vulnerable to a cyberattack.
The best way to address this issue is to patch the vulnerability with an updated version of the software as soon as it’s issued. But sometimes that just isn’t possible. What can you do if you can’t patch a vulnerability?
The State Of Software Vulnerabilities
Software vulnerabilities are quite common. The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD) and assigns a unique identifier to each vulnerability. These identifiers, known as Common Vulnerabilities and Exposures (CVEs), are tracked by the Mitre Corporation. More than 25,000 CVEs were reported in 2022, an increase of 25% over the previous year and the sixth year in a row that the number of CVEs has risen.
It’s not just the number of CVEs that’s a concern, but also the severity of the vulnerabilities. According to analysis by Skybox Security, some 80% of 2022’s CVEs were of high or medium severity, and 16% were considered critical. The severity level indicates several factors, including how easy it is to exploit the vulnerability and the amount of damage exploitation has the potential to cause.
CVEs are a significant factor in data breaches and security events. The 2023 Verizon Data Breach Investigations Report lists exploitation of vulnerabilities as one of the top three ways in which attackers gain access to an organization’s computer systems.
In 2021, the world saw the emergence of what Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency, called the most serious vulnerability she has seen in her career. The Log4Shell vulnerability appeared in a ubiquitous piece of open source software known as Log4j. Within weeks of its discovery, there were millions of attempts to exploit the vulnerability and many resulted in successful attacks.
Even though there is a patch for this particular issue, security experts believe many instances will remain unpatched and attackers will be exploiting the vulnerability for years to come.
Patches Aren’t Always Possible—Or Practical
Security best practices recommend that vulnerabilities—especially those with a high severity level—should be patched as soon as possible. A patch is a software update put out by the original creator of the software. There are times, however, when a patch is simply not available or one exists but can’t be quickly implemented.
For example, the vulnerable software might be from a legacy system that is no longer supported by the original vendor, making it challenging to get a patch. Or it’s possible to obtain a patch but it causes conflicts or incompatibilities with other systems in your environment. Some organizations require extensive testing before fully deploying a patch, leaving the risk of vulnerability in place during the lengthy testing process.
Some vulnerabilities are not in a place where they can be exploited easily, such as in a system that has no connection to the public internet. They still should be patched but there may be less concern that the patch be applied immediately.
When the vulnerability happens to be in software used by operational technology, such as in a manufacturing or industrial facility, applying a patch might require a production shutdown. This obviously affects critical business operations. Organizations might delay patching to avoid disruptions during peak operational periods or to align patching with scheduled maintenance cycles.
Mitigation Measures To Take If Patching Isn’t Possible
Assuming a patch can’t be promptly applied, what can be done to mitigate risk? There are several important measures to keep in mind:
• Research the situation. If there’s no patch currently available, contact the software vendor to see what specific workarounds it would recommend. In addition, reach out to the broader security community through open forums or industry associations to see what others are doing as mitigation for the issue. Security experts may be able to suggest configurations to help reduce risk while you wait for a patch to be released.
• Implement compensating controls around the system with the vulnerability. Examples include restricting access to the system, strengthening access controls (such as with two-factor authentication), and deploying intrusion detection and prevention systems (IDPS) to closely monitor and respond to unauthorized access.
• Review and strengthen the security configuration of the affected system. Remove default or unused accounts or passwords, disable unnecessary services and apply best practices for securing the system to minimize the impact of the vulnerability.
• Use network segmentation practices to isolate the vulnerable system from the rest of the network. This can help to contain any potential attacks and to minimize damage by preventing a successful attacker from moving laterally across the network.
• Implement robust logging and monitoring solutions around the vulnerable system to help detect unusual or suspicious activity. A solution like a next-gen security information and event management (SIEM) system can raise alerts in real time if risky activity is detected, allowing time to stop an attack in progress.
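As an added illustration of the segmentation and monitoring measures above (example code, not part of the original article or any Gurucul product), the script below checks constructed firewall log lines for traffic to an unpatched host and alerts on three conditions: a source outside the allowed segments, an unexpected destination port, and a source that has never talked to the host before. The host address, allowed networks, ports and log format are all hypothetical.

```python
"""Monitor access to an isolated, unpatched host against its segmentation policy.
All addresses, ports and log lines below are constructed for this example."""
import ipaddress
import re

# Hypothetical policy for the vulnerable system awaiting a patch.
VULNERABLE_HOST = "10.20.30.40"
ALLOWED_SOURCE_NETS = [
    ipaddress.ip_network("10.20.30.0/24"),  # the isolated segment itself
    ipaddress.ip_network("10.99.0.0/16"),   # hardened jump hosts
]
ALLOWED_PORTS = {443, 8080}

# Simple key=value firewall log format (constructed, not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log lines.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z src=10.20.30.5 dst=10.20.30.40 dport=443 action=allow
2024-05-01T10:00:07Z src=10.99.1.12 dst=10.20.30.40 dport=8080 action=allow
2024-05-01T10:01:15Z src=192.168.50.9 dst=10.20.30.40 dport=443 action=allow
2024-05-01T10:02:40Z src=10.20.30.5 dst=10.20.30.40 dport=22 action=allow
2024-05-01T10:03:02Z src=10.99.1.12 dst=10.20.30.40 dport=8080 action=allow
2024-05-01T10:03:30Z src=10.20.30.77 dst=10.20.30.40 dport=443 action=allow
""".splitlines()


def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, baseline):
    """Return alerts as (timestamp, reason, source). `baseline` holds sources already
    known to talk to the host and is extended with in-policy sources as they appear."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if not ev or ev["dst"] != VULNERABLE_HOST:
            continue  # only traffic toward the unpatched host is of interest here
        src = ipaddress.ip_address(ev["src"])
        port = int(ev["dport"])
        if not any(src in net for net in ALLOWED_SOURCE_NETS):
            alerts.append((ev["ts"], "source outside allowed segments", ev["src"]))
        elif port not in ALLOWED_PORTS:
            alerts.append((ev["ts"], f"unexpected port {port}", ev["src"]))
        else:
            if ev["src"] not in baseline:
                alerts.append((ev["ts"], "first-seen source for this host", ev["src"]))
            baseline.add(ev["src"])
    return alerts


if __name__ == "__main__":
    known = {"10.20.30.5", "10.99.1.12"}  # baseline learned during a quiet period
    for ts, reason, src in analyze(SAMPLE_LOGS, known):
        print(f"{ts} ALERT {reason}: {src} -> {VULNERABLE_HOST}")
```

The baseline set is the simplest form of the behavioral approach the article alludes to: anything in policy but never seen before is still worth a look while the system remains unpatched.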
In the case of operational technology (OT), it might be possible to isolate the system from anything that is public-facing. Many OT devices communicate directly with human-machine interface (HMI) workstations that run on old versions of Microsoft Windows. Be sure to have compensating controls and monitoring around the HMI devices.
Vulnerabilities are discovered every day and the way to determine if there are any in your environment is to continuously scan and assess your systems for vulnerabilities. Then prioritize which systems must be remediated first and follow through to ensure that appropriate mitigation strategies are in place.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.