By Michael Oldham
Most organizations don’t have the time or resources to keep up with the security patches for all the products they have within their infrastructure. All it takes is one missed patch on a single product for hackers to exploit that vulnerability and gain carte blanche to your entire infrastructure.
Ransomware, malware, exfiltration of data, compromised intellectual property and more are all possible consequences of poor patching hygiene. And those consequences can prove to be VERY expensive for your organization in several ways:
- Direct costs – Resolving a breach can reach into the millions or even tens of millions.
- Indirect costs – It gets even more pricey if you hire outside agencies to determine the cause and consult on how to fix the vulnerability.
- Damage to brand reputation – How will your customers and business partners feel if their proprietary information is compromised? They may not want to do business with you.
This isn’t new. There are plenty of real-world examples to choose from over the past decade – for instance, the vulnerabilities in some of the most well-known and broadly used VPNs have received a lot of attention recently.
But this doesn’t have to continue, either. We’ll discuss how Total Access Control (TAC), the Zero Trust Access solution from PortSys, solves the pricey patch puzzle to minimize your risk and maximize your investment. But first, let’s look at the impact of poor patching.
Has Patch Fatigue Set In?
Sure, vendors are (usually) pretty responsive to releasing a fix once a problem is identified. But there is always a lag – from when vendors discover an issue (or issues), identify the vulnerability, and deploy a patch. That doesn’t even take into account whether customers bother to apply the patch.
Maybe a VPN vulnerability has been out in the wild for an unknown time before it is eventually discovered. The VPN vendor responds in a timely manner, works hard to identify the issue, and sends out a patch. A process like this could take a month if the vendor is very good and has adequate patch remediation processes in place to get the fix out quickly. Or it could take a year or more if the vendor isn’t made aware of the vulnerability in a timely fashion.
But here’s the rub: now it’s up to you to patch your VPN system before the hacker finds out that gap is still wide open into your infrastructure.
Even if you patch, you can still be vulnerable. Here’s how. Hackers can use the organization’s own credentials – stolen through a phishing or brute force attack, for instance – to gain access through a VPN directly to the local network or resources in the cloud. From there, they can quickly move laterally across the enterprise to exploit even more vulnerabilities to launch a ransomware attack that locks down the organization’s infrastructure.
The sad reality is that patch fatigue can set in over time. Take the multitude of patches that come in for all the solutions deployed across your global enterprise. Factor in your overwhelmed, understaffed and underfunded IT team doing yeoman’s work just to keep the IT lights on. One mistake and the hackers win.
You end up with a recipe for ransomware, malware or several other forms of advanced persistent attacks.
Something has to give when patches aren’t applied in a timely fashion. That something is your security.
And eventually your bottom line.
Time Is Money in a Hacker’s World
In a hacker’s world – and that’s where we all live now – time is money. Odds are you’re losing the battle.
When hackers learn of a vulnerability, they deploy bots to scan the internet looking for organizations using the compromised solution. While we were previously talking about weeks or months or even years for a patch to arrive, it takes hackers mere minutes to search and discover a list of every institution worldwide who may have this particular vulnerability. From there, they can plan and launch their attacks – again, in minutes or hours.
Think of all the remote access solutions you have deployed across your infrastructure. VPNs, RDP, Virtual Desktop Infrastructure (VDI), firewalls, mobile device management (MDM) and so on – across every business unit, across your entire organization, and in offices around the world.
If a vulnerability exists in any solutions that require the internet for access, chances are pretty good – actually great (or not so great, unfortunately for you) – that hackers are already targeting and possibly penetrating your infrastructure. A smart hacker will be selective in picking targets, and likely will do reconnaissance to determine how best to exploit the situation. But remember, time is on their side.
Time is not on your side.
Once hackers are inside your network, they have a degree of control and can do a lot of bad things. They can deploy malware and ransomware. They can steal data. They can use your network and devices to launch Denial of Service (DoS) attacks on other institutions.
Even more aggravating, they can use your infrastructure as their own to set up illegal websites and more. They could also lie in wait, scanning content streaming across your network, gathering information about your users and most valuable resources, and using your own information to attack you.
Paying the Piper…Unknowingly
The possibilities for hackers to be successful are endless. Here’s just one example of an organization that was penetrated and didn’t find out about it until it was too late:
After using some of the techniques described above to penetrate this organization, hackers patiently monitored all emails being sent between employees in the organization. This information was used to ascertain the behavior of senior executives when it came to financial transactions. One thing the hackers noticed was that as a mobile organization, email was regularly used to conduct business transactions.
Sound familiar? Not an unusual situation, especially these days.
The hackers made their move. They sent an email to the CFO that looked like it came from the CEO. They had observed the CEO’s email behavior over time, so they could effectively capture the tone and tenor of a typical business email the CEO would send.
The hackers, posing as the CEO, asked the CFO to wire money to a particular account. The CFO followed the instructions – after all, the email was from the CEO, and everything looked legit.
But it wasn’t. It was from the hackers, and it wasn’t discovered until days later. The money, by then, was long gone.
This is just one real-world scenario, but the possibilities are endless. And the threats are real.
Can’t Attack What They Can’t See
Total Access Control (TAC) takes a different approach. First, TAC’s consolidates the multiple ways you provide for end users to access business applications and information into a centralized access control solution.
TAC’s reverse proxy technology not only authenticates all users but analyzes their context of access as well. It also provides robust and granular security policies for each resource being protected (local and cloud) and manages all session and network interactions behind the TAC Gateway.
All traffic is fully encrypted, whether over the internet or on any internal networks. TAC also allows organizations to close many external-facing ports typically used for remote access.
Furthermore, because TAC’s Zero Trust approach only allows access to particular resources users qualify for under their current situation – and not access to the network itself – the organization creates microsegmentation of its resources.
All this makes the organization significantly more secure. Hackers no longer penetrate your valuable resources by attacking with your own credentials – credentials they all too easily acquire on the Dark Web or through phishing, spearphishing, whaling or brute force attacks.
Hackers can’t attack what they can’t see, and they can’t see or even touch your solutions – patched or unpatched – behind TAC’s Gateway. In order to gain access to your resources, local or cloud, TAC’s multi-dimensional context of access relies on a Zero Trust approach to enable organizations to:
- Validate user credentials
- Use multifactor authentication
- Evaluate user’s type of device and security status of that device
- Verify GeoIP location of access
- Determine whether the user has a corporate controlled device or something else
- Confirm patch levels are up to date
- Validate certificates
- And much more
TAC then compares the access requests to your own security policies for each individual resource and provides access to only those resources for which end users have proper permissions.
Make no mistake: Patching is still important. But with TAC, you get extra protection so that, even if your resource applications aren’t properly patched, hackers can’t see that, and they can’t get access to take advantage of that fact. TAC protects you so you won’t pay the price for patch fatigue.