Cybercriminals Targeting Unpatched Vulnerabilities

Despite months of dire warnings about the threat potential, researchers say the vast majority of vulnerabilities in the widely used Apache Log4j logging utility for Java software remain unpatched and actively exploited. New research suggests that more than 90,000 Internet-facing Java applications and nearly 70,000 servers remain exposed to the flaw that enables attackers to remotely execute code on compromised systems.

The apparent indifference to this critical vulnerability is symptomatic of a much larger issue in the cybersecurity world — unpatched vulnerabilities remain the most prominent attack vectors being exploited by cybercriminals. Numerous studies find that between 60 percent and 85 percent of all network intrusions involve unpatched software vulnerabilities, most of which have available patches that have not been applied.

Old, unpatched vulnerabilities often come back to haunt organizations. More than 100 vulnerabilities identified prior to 2021 continued to be actively exploited by ransomware groups, according to the latest version of the Ransomware Spotlight Report from Cyber Security Works. Approximately 60 percent of companies that experience data breaches say they might have prevented the attacks if they had patched known vulnerabilities, according to a Ponemon Institute report.

Low-Hanging Fruit

Of course, one of the most notorious data breaches in history resulted from the failure to patch. The 2017 Equifax breach that exposed sensitive financial information for nearly half the U.S. population occurred when hackers exploited a flaw in the Apache Struts framework — two months after a patch had been issued.

Old vulnerabilities are low-hanging fruit for ransomware gangs and other threat actors. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have previously warned that nation-state hacking groups from Russia, Iran, China and North Korea commonly exploit dated and publicly known vulnerabilities because such attacks require far fewer resources than creating new exploits.

These factors reinforce the importance of consistent patch management practices, but cybercriminals understand they have the upper hand. Defenders don’t always have the time or resources to keep up with the latest patches.

In 2021, a record 21,957 common vulnerabilities and exposures (CVEs) were added to the U.S. government’s National Vulnerability Database — an average of more than 420 per week. Considering it can take a month or more to coordinate the application of a single patch across an entire computing environment, it’s virtually impossible for resource-strapped IT teams to test and apply patches fast enough to stay ahead of the game.

Patch Triage

Given the sheer numbers involved, it is vital that security teams don’t waste time and resources on vulnerabilities that pose minimal risk. An effective patch management program must focus on identifying and prioritizing the highest-risk flaws. However, too many organizations are held back by their reliance on manual processes for evaluating vulnerabilities and tracking patch status.

Automated patch management solutions can dramatically streamline the process. These solutions scan endpoint nodes across the network to identify which devices need patching, automatically download needed patches from vendor sites and set a schedule for deploying patches in staggered intervals to minimize service interruptions.
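The triage and staggered scheduling described above can be sketched in a few lines. This is an added example, not code from any patch management product: the `Finding` fields, the score weights, the wave size and interval, and the `VULN-*` identifiers and host names are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str              # constructed placeholder, not a real CVE number
    severity: float           # scanner base score, 0.0-10.0
    actively_exploited: bool  # seen in real-world attacks
    internet_facing: bool     # host reachable from the Internet

def risk_score(f: Finding) -> float:
    # Assumed weighting: exploitation in the wild outranks exposure,
    # and exposure outranks raw severity.
    return f.severity + (10 if f.actively_exploited else 0) + (5 if f.internet_facing else 0)

def plan_waves(findings, start: date, hosts_per_wave: int = 2, interval_days: int = 3):
    """Return [(deploy_date, host, [vuln_ids])], riskiest hosts first."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f)
    # A host is as urgent as its worst finding; the host name breaks ties.
    ranked = sorted(by_host, key=lambda h: (-max(map(risk_score, by_host[h])), h))
    plan = []
    for i, host in enumerate(ranked):
        # Staggered deployment: a fixed number of hosts per wave, waves spaced apart.
        when = start + timedelta(days=(i // hosts_per_wave) * interval_days)
        ids = [f.vuln_id for f in sorted(by_host[host], key=risk_score, reverse=True)]
        plan.append((when, host, ids))
    return plan

# Constructed sample scan results.
SAMPLE = [
    Finding("web-01", "VULN-A", 10.0, True, True),
    Finding("web-01", "VULN-C", 5.3, False, True),
    Finding("db-01", "VULN-B", 9.8, False, False),
    Finding("hr-laptop-07", "VULN-C", 5.3, False, False),
    Finding("vpn-gw", "VULN-D", 7.5, True, True),
    Finding("build-01", "VULN-A", 10.0, True, False),
]

if __name__ == "__main__":
    for when, host, ids in plan_waves(SAMPLE, date(2022, 6, 6)):
        print(when.isoformat(), host, ", ".join(ids))
```

Note that `db-01` carries a higher base score than `vpn-gw` yet lands in a later wave, because the exploited, Internet-facing flaw is treated as the more urgent one.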

Many organizations further reduce their burden by working with a managed services provider that has already invested in automated solutions and the training they require. A provider can enhance the process by testing patches before implementation and then verifying they are working correctly after they’ve been applied.

Malicious actors are constantly scanning networks looking for unpatched vulnerabilities that will provide an opening. Consistent patch management can eliminate any potential shortcuts. Give us a call to learn more about improving your patch management capabilities.

