One unpatched security vulnerability can give hackers unauthorized access to an organization’s network. Once inside, they can move deeper into the environment, looking for valuable information to destroy, disclose or sell.
Often, once an organization realizes how many unpatched security vulnerabilities exist within its environment, the number is so large that creating a strategy for which weaknesses to address first seems impossible. This is further complicated by the differing priorities of stakeholders. Lines of business see patching as a risk of slowing or halting operations, while security operations is driven by compliance, with little understanding of how downtime can impact the business.
This was the case for a multibillion-dollar, publicly traded retail trade organization. With a large technical footprint of servers, workstations and custom-developed applications, the organization discovered it had more than one million unpatched vulnerabilities.
The first step in shrinking this organization’s threat footprint was to whittle the one million vulnerabilities down to only those that were actionable. World Wide Technology (WWT) security professionals used commercial and open source scanning tools to confirm over a hundred thousand vulnerabilities, a third of them rated critical according to the industry-standard CVSS rating.
Next, we interviewed stakeholders from security, operations and applications teams. Each of these groups saw the systems they were responsible for as being the most important to operations. By understanding each group’s challenges and relating that to the other departments, we were able to determine what patching strategy would result in the biggest win. It turned out the security team was facing pressure, as they needed to show progress on patching efforts to corporate leadership to build momentum and garner support for more security resources.
We identified thousands of “quick fix” vulnerabilities that would likely require a low level of effort to remediate. These included systems on which administrator passwords never expired or outdated software provided easy access to attackers.
Configuration changes, Microsoft security patches and updating outdated or unused software were all quick solutions recommended as part of the organization’s patching strategy.
Windows operating systems, Java, Adobe and a number of EOL (end of life) applications were identified as the most at-risk environments, with Windows 2003 systems housing over 20,000 imminent security threats.
These servers were deemed critical for remediation because of the amount of access they give attackers. Once a hacker has access to a user’s operating system, they can perform reconnaissance scans, elevate privileges and begin moving deeper into the network toward valuable information assets.
A systemic obstacle preventing regular patching on Windows platforms made these servers particularly open to hackers. Microsoft ended support for Windows Server 2003 in 2015 and as such stopped issuing security patches, leaving these systems exposed to viruses, spyware and other malicious programs.
As the most vulnerable servers, these Windows operating systems provided the greatest opportunity for automation and rapid patch deployment.
We suggested implementing automation tools such as Tanium and SCCM to deploy Windows systems patches. Part of the strategy provided by WWT also included adding staff to properly size Windows and InfoSec teams according to Gartner staff sizing recommendations.
The framework we provided works within the organization’s existing systems to reduce the number of days it takes to patch and remediate critical security vulnerabilities, reducing overall risk for the business.
A tactical action plan helped prioritize vulnerabilities by criticality and level of effort, giving this organization the opportunity to use strategic sourcing and automation tools to accelerate remediation.
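To make the prioritization described above concrete, here is an added example (not WWT's tooling or the client's data) that ranks a constructed list of scanner findings on the two axes the action plan used, CVSS criticality and estimated remediation effort, and separates out end-of-life platforms that cannot be patched at all. The effort weights, the EOL bump and the EOL platform list are assumptions chosen for illustration.

```python
# Added example: prioritize scanner findings by CVSS criticality and remediation effort.
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    platform: str          # e.g. "Windows Server 2003"
    title: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    effort: str            # "low" (config change / vendor patch) or "high"

# Platforms that no longer receive vendor security patches (assumed list;
# the page names only Windows Server 2003).
EOL_PLATFORMS = {"Windows Server 2003"}

# Assumed weights: low-effort fixes keep their full CVSS weight, high-effort ones are discounted.
EFFORT_WEIGHT = {"low": 1.0, "high": 0.4}
EOL_BUMP = 2.0             # no vendor patch will ever arrive, so escalate

def severity(cvss):
    """Map a CVSS base score to the standard qualitative bands."""
    if cvss >= 9.0: return "critical"
    if cvss >= 7.0: return "high"
    if cvss >= 4.0: return "medium"
    return "low"

def priority_score(f):
    """Higher means fix sooner: critical findings with low effort ('quick fixes') rank first."""
    score = f.cvss * EFFORT_WEIGHT[f.effort]
    if f.platform in EOL_PLATFORMS:
        score += EOL_BUMP
    return score

def prioritize(findings):
    """Return findings sorted by descending priority score, ties broken by raw CVSS."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)

def eol_hosts(findings):
    """Hosts on end-of-life platforms: candidates for upgrade or isolation rather than patching."""
    return sorted({f.host for f in findings if f.platform in EOL_PLATFORMS})

# Constructed sample findings, not real scan data.
SAMPLE = [
    Finding("srv01", "Windows Server 2003", "SMBv1 enabled", 8.1, "high"),
    Finding("srv02", "Windows Server 2016", "Administrator password never expires", 7.5, "low"),
    Finding("ws07", "Windows 10", "Outdated Java runtime", 9.8, "low"),
    Finding("app03", "Linux", "Custom app: verbose error pages", 5.3, "high"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):5.2f} {severity(f.cvss):8} {f.host:6} {f.title}")
```

In practice the effort field would come from the operations interviews described earlier, and the platform field from the asset inventory, so the ranking reflects both the security team's severity view and the business's downtime concerns.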
By combining our technical expertise with a solid understanding of how vulnerabilities impact business operations, we helped align the objectives of the organization and provided a foundation for advanced cybersecurity.