By Bruce Sussman
Tue | Jan 7, 2020 | 10:52 AM PST

It's been months since a patch came out to protect users of Pulse Secure VPN, which is a widely used enterprise remote access product.

And when security researcher Kevin Beaumont saw hackers trying to exploit the Pulse Secure vulnerability, he immediately warned about it:

"I sent up the flare that organisations needed to urgently patch this."

Yet, the year ended and a new decade began and now Beaumont is blogging about the vulnerability again, because he sees attacks underway:

"...being used to deliver ransomware into organisations, with targeted delivery to also delete backups and disable endpoint security controls."

He calls this Sodinokibi (REvil) strain "big game ransomware" and says he's certain of attacks against organizations that have failed to patch.

Did we already forget about the unpatched Apache Struts vulnerability that led to the Equifax mega-breach?

Why do some organizations ignore urgent patches?

Beaumont points out that many organizations struggle to patch things outside of the Windows ecosystem.

The security leaders we talk to at SecureWorld conferences tell us this can be due to a lack of resources, or a lack of processes to track newly released patches and get them deployed.

Regardless, the decision puts organizations at unnecessary risk and creates low-hanging fruit for hackers.

Why do we do this to ourselves?

An analogy on why organizations fail to patch

Sounil Yu, a member of the Board of Advisors for venture capital firm Strategic Cyber Ventures, offers up the best analogy we've seen.

"Suppose a home inspector came to your house and told you that your house is vulnerable to a Category 1 hurricane. If you lived in Florida, you're in trouble and you better start fixing your house right now before June when the hurricane season will be in full swing. Fixing the house will require lots of renovation and downtime.

If you live in Alaska, you'd shrug and ignore the vulnerability report because the expected loss is not worth the downtime and renovation costs. If weather patterns change and tornadoes became sufficiently frequent in Alaska, your risk management calculus may change and you may choose to take the downtime hit.

There are those running PulseVPN who know they live in Florida and took action immediately. There are those that live in Alaska and ignored the warning. There are those that will realize that weather patterns have changed (via news/threat intelligence of increased attacks) and will take action right now."

Some, he says, still don't get it:

"Then there are those that think they live on an island near Alaska but due to continental drift, now live near Florida and don’t realize it. There are also those that aren't aware of the changing weather patterns and will be in for a nasty surprise when they find their house flattened."
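The risk calculus in Yu's analogy can be written out as a small patch-triage model: expected loss (likelihood of exploitation times breach cost) weighed against the downtime cost of patching, with threat intelligence about in-the-wild exploitation raising the likelihood, and a separate check for the "continental drift" case where an asset's owner believes it is internal-only but an external scan shows it reachable from the Internet. This is an added illustration, not code from the article, from Yu, or from Pulse Secure; the probabilities, costs, multiplier and asset names are constructed assumptions.

```python
"""Risk-based patch triage modelled on the hurricane analogy (added example)."""
from dataclasses import dataclass

# Constructed model parameters (assumptions, not figures from the article).
BASELINE_ATTACK_PROBABILITY = {True: 0.05, False: 0.002}  # Internet-exposed vs internal-only, per year
EXPLOITED_IN_WILD_MULTIPLIER = 10.0  # "weather patterns changed": exploitation reported in the wild


@dataclass(frozen=True)
class Asset:
    name: str
    declared_internet_exposed: bool  # what the asset owner believes ("I live in Alaska")
    observed_internet_exposed: bool  # what an external scan actually shows
    vulnerable: bool                 # still missing the vendor patch
    breach_cost: float               # loss if exploited (ransomware, deleted backups, ...)
    patch_downtime_cost: float       # the "renovation" cost of applying the patch


def attack_probability(exposed: bool, exploited_in_wild: bool) -> float:
    """Likelihood of exploitation for one asset, raised when threat intel reports active attacks."""
    p = BASELINE_ATTACK_PROBABILITY[exposed]
    if exploited_in_wild:
        p = min(1.0, p * EXPLOITED_IN_WILD_MULTIPLIER)
    return p


def expected_loss(asset: Asset, exploited_in_wild: bool, use_declared_exposure: bool = False) -> float:
    """Expected annual loss; by default computed from observed exposure, not the owner's belief."""
    if not asset.vulnerable:
        return 0.0
    exposed = asset.declared_internet_exposed if use_declared_exposure else asset.observed_internet_exposed
    return attack_probability(exposed, exploited_in_wild) * asset.breach_cost


def triage(asset: Asset, exploited_in_wild: bool, use_declared_exposure: bool = False) -> str:
    """The action the analogy's calculus implies: patch when expected loss exceeds downtime cost."""
    if not asset.vulnerable:
        return "patched"
    loss = expected_loss(asset, exploited_in_wild, use_declared_exposure)
    return "patch now" if loss > asset.patch_downtime_cost else "defer"


def inventory_drift(assets):
    """Assets whose owner's exposure belief disagrees with the external scan (the 'continental drift' case)."""
    return [a.name for a in assets if a.declared_internet_exposed != a.observed_internet_exposed]


def prioritised(assets, exploited_in_wild: bool):
    """Unpatched asset names ordered by expected loss, highest first."""
    todo = [a for a in assets if a.vulnerable]
    return [a.name for a in sorted(todo, key=lambda a: expected_loss(a, exploited_in_wild), reverse=True)]


# Constructed inventory: one asset per case in the analogy.
INVENTORY = [
    Asset("vpn-florida", True, True, True, 2_000_000, 20_000),    # exposed, unpatched
    Asset("vpn-alaska", False, False, True, 2_000_000, 20_000),   # internal-only, unpatched
    Asset("vpn-drifted", False, True, True, 1_500_000, 20_000),   # owner thinks internal, scan says exposed
    Asset("vpn-patched", True, True, False, 2_000_000, 20_000),   # already fixed
]

if __name__ == "__main__":
    for intel in (False, True):
        print(f"exploitation in the wild: {intel}")
        for a in INVENTORY:
            print(f"  {a.name:12} owner's view: {triage(a, intel, True):10} reality: {triage(a, intel)}")
    print("inventory drift:", inventory_drift(INVENTORY))
    print("patch order:", prioritised(INVENTORY, False))
```

Run as-is, the model reproduces the analogy's four cases: the exposed asset patches regardless of threat intelligence, the internal-only asset only crosses the threshold once exploitation is reported, the "drifted" asset looks deferrable to its owner but is urgent by observed exposure, and the patched asset carries no expected loss. The practical point is that exposure should come from an external scan, not from the asset register.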

Is patching at the end of its useful life?

This issue of patching, which keeps coming up, reminds us of our interview with Bruce Schneier at SecureWorld Boston. He calls patching a "failed security paradigm" and says the Internet of Things (IoT) may be patching's ultimate downfall:

"Patching is kind of reaching the end of its useful life. It works, really, because the things we're patching are expensive and maintained by tech companies. They're laptops, they are computers, they are phones. And that whole patching ecosystem is predicated on there being engineers at Apple and Microsoft and Google who can write these patches and push them down.

You start moving to low-cost embedded systems like DVRs and home routers and appliances, and there are no engineers to write patches. There's no mechanism to get the patches to the systems. So that's going to fail pretty badly."


Regardless of how you view patching, failing to patch your Pulse Secure VPN vulnerability puts a target on your organization's back.

Take it from security researcher Kevin Beaumont:

"You need to patch... As I write this, there's still over a thousand unpatched devices in the US alone."

That's 1,000 organizations that are currently low-hanging fruit for hackers.
