The Equifax Data Fiasco all started with a single unpatched server. Other mistakes were made but that’s where, from a technical point of view, it all began.
Here’s the interesting part: Equifax as a company knew about the patch but didn’t communicate the information to the right people to patch the particular server initially compromised by attackers. They sent out an email to system administrators about the vulnerability in Apache Struts but according to the Government Account Office (GAO) report, “the recipient list for the notice was out of date and, as a result, the notice was not received by the individuals who would have been responsible for installing the necessary patch”.
OK, do you notice what I notice here in their patch management processes? Where’s the positive confirmation? Where’s the follow-up and accountability? How does the loop get closed? Who knows if the patch would have been installed even if the recipient list were up-to-date? A million other things could go wrong:
- The system admin could be on extended leave
- The system admin could accidentally delete the email
- The system admin could forget to follow up on the email
- Ad nauseum
Equifax might contend by saying, that’s the purpose of a weekly scan we run, but in this case the scan failed to report the unpatched server. Given what I’ve read about Equifax’s IT management I doubt it was a failure of the scanning product itself. More than likely the server wasn’t included in the scan job’s scope or something else like that.
But let’s say the scanner had successfully detected the missing patch and reported the vulnerability. There’s no telling if that would have led to the server being patched in time to avert the breach. Given Equifax’s lasei faire approach to responding to patch announcements from vendors and the fact that their network monitoring system had been left blind to traffic from this server due to an expired certificate, it’s not a stretch to imagine the vulnerability scan failing to trigger prompt remediation.
Unfortunately, though, this problem is not limited to Equifax.
Patching is only effective if it is timely and thorough.
But timely and thorough patch management remains an elusive goal.
We know about vulnerabilities and patches in general directly from vendor bulletins and from organizations like CERT and DHS. And our vulnerability scanners stridently report the specific systems missing these patches.
Yet months go by and systems are still unpatched. Why is this?
In this real training for free webinar, we will explore the answers to this question and the solutions. Here’s a few of the points we’ll delve into:
- Organizationally there’s often a lack of clear lines of authority and accountability. The infosec team says “you need to install all these patches”. The server admins say “it’s on our list” or “it’s stuck with the change control board”. And there’s no arbiter.
- Lack of automation
- Lack of integration between vulnerability management, patch management, change control and ticketing systems
- Inability to identify all of the different systems that are in the environment
- Ineffective prioritization, resulting in the wrong things being worked on.
Then we’ll share insights from organizations that have overcome these problems. We will look at how they are structured. Who is accountable. How authority and responsibility flows. How stability and security priorities are balanced.
Then Justin Buchanan from our sponsor Rapid7 will show how the technology side can be addressed through automation and integration with InsightVM.
Please join us for this real training for free session.