
Running head: UNPATCHED CLIENT SOFTWARE


Unpatched Client Software

Abstract

The best laid plans never survive actual contact with the enemy; the same goes for defending networks. This paper examines how unpatched client software can significantly affect organizations. How many times have people ignored the update notification on their systems? How would an everyday user know that the update they are ignoring is critical to the security of their system? There are factors that come with patching a system that, for some reason, organizations are not understanding. As a result, their systems are being compromised by exploits for old, already-patched vulnerabilities that should not be an issue. In addition, the paper offers solutions to reduce vulnerabilities. The intent is to reduce attack vectors for adversaries and to deter them by making entry into the network so agonizing that they decide to find a new target.


Information Technology (IT) managers are faced with an ever-changing battleground, one that is both logical and physical. This field is inundated by threats and vulnerabilities that must be mitigated or prevented by IT managers; there is also a fundamental difference between threats and vulnerabilities, which will be discussed later. Though several threats and vulnerabilities will be discussed, the single most important cybersecurity vulnerability facing IT managers today is unpatched client software. Methods for preventing the exploitation of vulnerabilities, and the potential financial losses involved, will be examined as well.

First, defining a threat: threats to systems involve deliberate malicious intent, sabotage, or human error (Vacca, 2013, p.380). In other words, a threat is an outside source propagating itself to vulnerable systems. Threats give rise to security risks by exploiting weaknesses. One example is the well-known cyber attack conducted by Russia on Georgia in 2008. Russian zombie computers conducted distributed denial of service (DDoS) attacks on Georgia's servers (Dinicu, 2014, p.111). The threat in this case is Russia having deliberate malicious intent to degrade or deny Georgia's networks. In addition, the DDoS attack exploited the vulnerable servers in Georgia, which could not cope with the unprecedented volume of fake requests being sent.

Another instance of a well-known cyber threat is Stuxnet, a worm that was used in 2010. This malware was believed to be backed by a nation state because of its sophistication. The worm targeted Iran's industrial facilities that were connected to its nuclear program (Fildes, 2015). Specifically, the worm targeted the programmable logic controller (PLC) software that controlled uranium enrichment centrifuges.

[Image: diagram of how Stuxnet operates]

The image above explains how Stuxnet operates (Kushner, 2013).

Stuxnet was one of the largest threats to systems, and there are still variants of it on the internet. The takeaway here is that Stuxnet was a threat because of its deliberate intention to degrade Iran's ability to enrich uranium. Intention defines what a threat is in the cyber realm.

On the other hand, a vulnerability is a weakness in a system. This weakness allows an adversary to penetrate a system or network (Vacca, 2013, p.541). Vulnerabilities can range from bad coding to weak passwords. Simply put, a vulnerability is an issue that can be identified and repaired. Once repaired, the vulnerability is no longer an issue. For example, in 2012 there was a zero-day vulnerability in Java 7. The vulnerability allowed for remote execution of code that bypassed authentication (Cve.mitre.org, 2015). This vulnerability was derived from code written in Java 7. The code written for the platform did not have malicious intent, but it left an opening in the security of systems. The vulnerability went unnoticed before release by Oracle, the company that produces the Java platform, and as a result the zero-day exploit proliferated. Security managers advised users to turn off the Java Web plug-in in their browsers, which was complicated because of the everyday use of the platform (Computer News Middle East, 2012). The patch to repair this vulnerability was released the same year in August.

Another example of a vulnerability is Structured Query Language (SQL) injection. SQL injection involves the modification of SQL statements that are issued through the client application (Cisco, 2015). Additionally, the attack can bypass authentication, obtain sensitive information, compromise data integrity, and allow for remote command execution. This clearly demonstrates the definition of a vulnerability. Even though an unauthorized user intends to gain unauthorized access, a system has to have the vulnerability for an exploit to succeed. In other words, if a system is a house and the door is locked, no one can get in. Leave the door unlocked, and you do not deter anyone from entering.
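The following is an added illustration of the SQL injection weakness described above; it is not code from the paper or from any of its sources. It contrasts a login check that splices user input into the SQL text with the parameterized form that keeps the statement's structure fixed. The user table, credentials and the injection string are all constructed for the demonstration (a real system would store password hashes, not plaintext).

```python
import sqlite3

# Constructed in-memory user table for the demonstration only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Vulnerable pattern: the input is pasted into the SQL text, so a quote
    # character in the input can change the structure of the statement.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    # Hardened pattern: '?' placeholders keep the statement fixed; the driver
    # sends the input as data values, never as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# Constructed password field that is a SQL fragment rather than a credential.
INJECTION = "' OR '1'='1"

def demo():
    """Return the outcome of legitimate and injected logins for both forms."""
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "legit_param": login_parameterized(conn, "alice", "correct horse"),
        # The vulnerable form accepts the fragment because the statement
        # becomes "... AND password = '' OR '1'='1'", which is always true.
        "inject_vuln": login_vulnerable(conn, "alice", INJECTION),
        # The parameterized form compares the fragment as a literal password.
        "inject_param": login_parameterized(conn, "alice", INJECTION),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The point for a defender is that the fix is structural: with placeholders the database never parses user input as SQL, so the door stays locked regardless of what the client sends.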

Subsequently, the four examples previously discussed demonstrate the difference between a threat and a vulnerability. To reinforce the difference between the two: a threat is deliberate, and a vulnerability is a weakness. Granted, the question remains of how to better protect a network or system from being exploited by either. It should be noted that no security is one hundred percent secure. The next section of the paper will examine, explain, and give a better understanding of the greatest risk to IT managers: unpatched client software. Unpatched client software is the biggest threat because of technology's inherent inability to be secure. In addition, patching a vulnerability takes time from developers. These types of patches are known as out-of-band patches and require extra resources in order to fix the problem. Patches only occur if the vulnerability is known. Also, in order for a patch to be applied, a user or administrator needs to tell the system to update.

For example, in May of 2004 Symantec's antivirus client software was revealed to have a vulnerability. Symantec released a patch that same month to close the hole that had been revealed (Symantec, 2006). As stated earlier, once a vulnerability has been identified and resolved it is no longer an issue. However, the Sagevo worm scans TCP port 2967, which Symantec Antivirus software uses for updates. The worm scans for the port and for unpatched client software. If the client is not updated with the antivirus patch, the worm easily gains access to the system.

Another example of an issue with unpatched client software occurred in June of 2006, when Microsoft revealed that a vulnerability in Excel was being targeted. Users were being sent .xls files in emails that would install Booli.a. Booli.a is a backdoor that grants unauthorized access to a hacker. The backdoor allowed a hacker to transform the compromised PC into a spam zombie (InternetWeek, 2006). The vulnerability in Excel had not been documented and was not known until systems were being targeted. Ultimately, a patch and signatures for antivirus software were released.

In addition, a vulnerability in Word had been exploited the previous month. That exploitation occurred the day after Microsoft's monthly security update. Coincidentally, Booli.a followed the next month, again the day after Microsoft's monthly security update. An article in InternetWeek (2006) speculated that the same hacker(s) were taking advantage of Microsoft's inability to produce an out-of-band patch. The use of this vulnerability highlights another type of issue with patching software: the gap between disclosure and the next scheduled patch.

Developing plans for threats and vulnerability prevention needs to be meticulous, especially if the adversary is using potentially unknown vulnerabilities to a system or network. Subsequently, security of the system and network not only falls on IT managers, but also employees working at the organization. A method for prevention that incorporates several different layers of protection is defense in-depth.

Defense in-depth is by no means a magic pill that cures everything. Defense in-depth provides layers of protection so as to hinder an attacker. The goal is to slow an attacker and buy time so that detecting the attack is possible (Vacca, 2013, p.86). This offers an organization the best chance at reducing the cost of possible damages caused by a security breach, and it saves organizations the cost of attempting to recover from a successful attack.

Image of losses caused by successful attacks on organizations (Vacca, 2013, p.231).

The above image depicts the financial impact that cyber attacks have on organizations. The cost of ignoring system and network threats and vulnerabilities is disastrous for a company. However, while IT professionals know about system vulnerabilities, there are still users who do not. Hewlett Packard (HP) released a report on cyber risks and found evidence that old vulnerabilities still work.

[Image: chart of top exploited vulnerabilities]

The image above shows top exploited vulnerabilities (Hewlett Packard Enterprise, 2015).

For this reason, preventative measures need to be redundant. Hewlett Packard Enterprise (2015), also noted that the vulnerabilities being exploited had been patched. This graph demonstrates how users do not regularly update their software.

A method for giving IT managers insight into the status of their systems is penetration testing coupled with vulnerability assessments, both of which are part of defense in-depth. These two tests improve security by providing security professionals with critical, invaluable information, but each provides a different kind of information to IT managers.

Penetration testing assesses how difficult it is to enter a network as an unauthorized user. In other words, an organization is giving consent to a red team to enter the network unauthorized. Of course, some types of attacks will not be permitted because they could severely hinder daily operations, or create financial losses for an organization. It is possible however, that the test would demonstrate the impact of an attack on everyday operations. The penetration test can also reveal vulnerabilities that more passive methods would miss.

In contrast, a vulnerability assessment conducts passive scans on systems. The scan can also be conducted on larger networks. Companies can use it without impact to daily operations. This is done by using analyzers such as Microsoft Baseline Security Analyzer (MBSA), which assesses operating system update settings, firewall configuration, password policies, SQL vulnerabilities, auditing, and shared drives. MBSA is just one of several tools available for vulnerability testing, and it is considered freeware. There are other products for sale that do similar scans. Using freeware such as MBSA reduces the cost of conducting the vulnerability scan, which can result in much lower costs than penetration testing. There is also no need to contract an outside red team. The advantages mentioned above are why using vulnerability assessment is crucial for security professionals.
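As an added example of the passive, inventory-based check that a vulnerability assessment performs (this is not MBSA's code or output, and not from the paper), the script below compares the client software versions recorded for each host against the minimum patched version for each product and reports what is out of date. The product names, version numbers and the inventory are all constructed placeholders; in practice the inventory would come from a software inventory export and the minimum versions from vendor advisories. The version comparison is numeric per component so that, for example, 7.0.10 is correctly treated as newer than 7.0.7, which a plain string comparison would get wrong.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    product: str
    installed: str
    required: str

def parse_version(v):
    """'7.0.7' -> (7, 0, 7); non-digit characters are dropped, so '2.4.1b' -> (2, 4, 1)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_outdated(installed, required):
    """True when the installed version is below the minimum patched version."""
    a, b = parse_version(installed), parse_version(required)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))   # pad so '7.0' and '7.0.0' compare equal
    b += (0,) * (n - len(b))
    return a < b

# Constructed minimum patched versions (placeholders, not real advisory values).
REQUIRED = {
    "java-runtime": "7.0.7",
    "office-suite": "12.0.6",
    "antivirus-client": "10.1.4",
}

# Constructed inventory, as a software inventory tool might export it.
INVENTORY = [
    {"host": "ws-01", "product": "java-runtime", "version": "7.0.5"},
    {"host": "ws-01", "product": "office-suite", "version": "12.0.6"},
    {"host": "ws-02", "product": "java-runtime", "version": "7.0.10"},
    {"host": "ws-02", "product": "antivirus-client", "version": "10.1.3"},
    {"host": "ws-03", "product": "antivirus-client", "version": "9.9.9"},
]

def assess(inventory, required=REQUIRED):
    """Return one Finding per host/product pair that is below its required version."""
    findings = []
    for item in inventory:
        req = required.get(item["product"])
        if req is None:
            continue  # product not tracked; nothing to compare against
        if is_outdated(item["version"], req):
            findings.append(Finding(item["host"], item["product"], item["version"], req))
    return findings

def hosts_needing_patches(findings):
    """Sorted list of distinct hosts that have at least one outdated product."""
    return sorted({f.host for f in findings})

if __name__ == "__main__":
    results = assess(INVENTORY)
    for f in results:
        print(f"{f.host}: {f.product} {f.installed} is below required {f.required}")
    print("hosts needing patches:", ", ".join(hosts_needing_patches(results)))
```

Run against the constructed inventory, the check flags the Java runtime on ws-01 and the antivirus client on ws-02 and ws-03, while the up-to-date Java on ws-02 is correctly left alone. The same report, produced regularly, is what lets an IT manager see which users have been ignoring update notifications before an old exploit finds them.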

The reports generated from both tests paint a vivid image of the current state of a network. It is in an organization's best interest to conduct these kinds of tests in order to protect its systems and assets. Regardless of the downsides, the potential of an actual breach of the network can greatly outweigh the risk posed by a hired red team. These are only two layers of defense in-depth.

Another type of defense that can be layered onto the two previously mentioned is developing an information systems security plan. This includes risk analysis, policies, and procedures to leverage more resources for better security. The risk analysis portion first assesses the value of the information on systems. Then threats to the information such as the confidentiality, integrity, and the availability are assessed (Valacich & Schneider, 2014, p. 428). After it is determined which of the systems in the network is most likely to be exploited, security policies are then reviewed and possible policy changes are discussed.

Policies and procedures are created in case there is an unauthorized intrusion into the network. Types of policies are: information policy, security policy, use policy, backup policy, account management policy, and disaster recovery plan. The policies are made so that users in the organization understand the rules for system use. Policies play an important role in helping bolster a network's defense.

Additionally, procedures are used to help support the policies in place. Procedures dictate the steps that need to be taken for personnel training, in the event of a breach, or if a disaster were to happen. Personnel training could be argued to be the most important of the procedures. As stated earlier, old vulnerabilities are still being exploited because personnel have not updated their systems (Hewlett Packard Enterprise, 2015). Had personnel been better trained, they would know to regularly update their systems. As a result, more resources could be used to better fortify a network.

All of these defensive methods help better secure a network overall. They do not necessarily apply to unpatched client software directly. The fewer vulnerabilities there are in a system, the more security professionals can ensure that systems on a network have updated software. In addition, there are more resources to conduct pre-deployment and post-deployment testing of patches. Nothing is one hundred percent secure or functional, including patches. Patches might conflict with configurations on a network, so the patch should be tested. IT managers can then configure networks appropriately and without conflict with daily operations.

In conclusion, the key difference between threats and vulnerabilities was defined, and real world examples were used to showcase that difference. Unpatched client software is the biggest threat to IT managers because systems are still being exploited through old vulnerabilities. IT managers are at the mercy of developers to produce the patches, and some developers have been shown to lack urgency in creating them. The lack of patching can lead to financial losses, systemic compromises, or total production halts. It is recommended to use the methods for preventing the vulnerability that were previously discussed, such as defense in-depth, security policies, and procedures.

References

Cve.mitre.org. (2015). CVE-2012-4681. Retrieved 11 November 2018, from https://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681

Cisco. (2015). Understanding SQL Injection. Retrieved 10 November 2018, from http://www.cisco.com/web/about/security/intelligence/sql_injection.html

Dinicu, A. (2014). Cyber threats to national security. Specific features and actors involved. Buletin Stiintific, 19(2), 109-113.

Fildes, J. (2011). Stuxnet virus targets and spread revealed. BBC News. Retrieved 12 November 2018, from http://www.bbc.com/news/technology-12465688

Goel, J., & Mehtre, B. (2015). Vulnerability Assessment & Penetration Testing as a Cyber Defence Technology. Procedia Computer Science, 57, 710-715. http://dx.doi.org/10.1016/j.procs.2015.07.458

Hewlett Packard Enterprise. (2015). Cyber Risk Report 2015 Executive summary report (p. 6). Hewlett Packard. Retrieved 15 November 2018, from https://ssl.www8.hp.com/ww/en/secure/pdf/4aa5-0920enw.pdf

Kushner, D. (2013). The Real Story of Stuxnet. Spectrum.ieee.org. Retrieved 12 November 2018, from http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

Microsoft.com. (2015). Conficker Worm | Remove a Conficker Virus. Retrieved 10 November 2018, from http://www.microsoft.com/security/pc-security/conficker.aspx

Sans.org. (2015). SANS: The Conficker Worm. Retrieved 10 November 2018, from https://www.sans.org/security-resources/malwarefaq/conficker-worm.php

Symantec: Another Surge In Worm Scanning For Unpatched Antivirus Software; Sensors monitored by Symantec's DeepSight threat management service have reported a significant spike in traffic related to TCP port 2967, which Symantec has traced to scans generated by the 'Sagevo' worm. (2006). InformationWeek.

Unpatched Excel Flaw Surfaces, Attacks Made; Microsoft has disclosed that an attack is in play which exploits an unpatched bug in the popular Excel software. (2006). InternetWeek.

Unpatched Java vulnerability exploited in Blackhole attacks. (2012). Computer News Middle East.

Vacca, J. (2013). Computer and Information Security (2nd ed., pp. 86, 231, 380, 541). Waltham, MA: Morgan Kaufmann.

Valacich, J., & Schneider, C. (2014). Information Systems Today Managing in the Digital World. New Jersey: Pearson.