Blog / Critical Patches Need Quick Implementation
How long does your cybersecurity policy allow for installing critical patches?
Having an official policy to both monitor for and quickly apply critical patches is important and has been a standard cybersecurity recommendation for a long time. Regulations and legislation like PCI-DSS or PIPA also require a formal policy regarding important updates. But beyond simple compliance reasons, why is maintaining a patch policy so vital? Perhaps the best way to explain is to take a close look at a recent incident.
On Monday, February 19th at around 3:30pm, ConnectWise released a patch that addressed a critical vulnerability allowing an attacker to bypass authentication on the server and set up a new administrator user. For those of you who don’t know, ConnectWise is a tool for managing remote-access to other computers which makes for a very tempting target, as attackers can compromise a single machine to gain access to thousands of devices across hundreds of organizations.
To be clear, hackers going after these kinds of tools is not uncommon. Gaining authentication is often a primary goal of hackers so they regularly attack login and authentication procedures. Attackers are also aware that many organizations don’t allow updates that can interrupt work to be implemented immediately. Instead businesses usually apply such updates after hours, while also trying to minimize overtime or premium after-hours pay, both of which serve to widen the window of time attackers have to exploit a vulnerability before it gets fixed. As a result, although it may sound alarming to everyday users that patches to address authentication bypasses are released so often, there’s actually nothing particularly new or concerning about it.
What’s different this time was how quickly the patch itself was defeated. By the time Tuesday morning rolled around, the same supposedly patched vulnerability had already been reverse engineered, weaponized, and again under assault. Worse, in this case, once the hackers figured it out, the vulnerability was beyond trivial to exploit.
A novel attack coming out so quickly is rare and most of the time takes at least a couple of days as the hackers try to again reverse engineer the solution. But as this story shows, sometimes new attacks can materialize within just a few short hours. This one incident isn’t enough to revise the generally accepted advice for how fast to apply a critical patch (ASAP within 48 hours) but nevertheless should serve as a cautionary tale demonstrating that sometimes even a scant 48 hours can be too long.
If you’d like help preparing an official technology and software update policy for your business, contact a TRINUS cybersecurity professional so you can rest easier thanks to some stress-free IT.
This Shakespeare quote comes from Richard III: “Woe to that land that’s governed by a child.”
Be kind, courtesy your friendly neighbourhood cyber-man.