In 2017, Equifax - a major credit bureau in the United States - suffered one of the most high-profile and devastating data breaches in history thanks to a vulnerability found in the open source Apache Struts web application framework. While this incident put the personal data of over 143 million American citizens at risk, what made it particularly troubling was the fact that an official patch had been released to mitigate the issue two months earlier; and Equifax neglected to apply it.
According to a recent report from the Ponemon Institute and ServiceNow, 57% of companies that have fallen victim to a data breach in last two years were compromised under similar circumstances - through the exploitation of a known, yet unpatched vulnerability. 57%. That's a staggering 3 out of 5 companies that could have spared themselves a ton of time and money, not to mention the loss of public trust and what I can only assume was innumerable sleepless nights, had they only practiced good cyber hygiene.
Like good personal hygiene, good cyber hygiene is about diligence, not intelligence. While there's no shortage of attack vectors an adversary might try to use in an effort to breach your security, an overwhelming majority of them are known vulnerabilities that your attacker is hoping you haven't taken the time to remediate yet. Don't make it easy for them. Be proactive. Increase visibility. Patch your shit. Make a targeted effort, and make it daily.
Cyber Hygiene Essentials
When I was in the 6th grade, I had a music teacher who used to say that "practice doesn't make perfect; it makes permanent." In other words, it's not enough just to do the work, you have to do the right work. While he was preaching the importance of establishing good habits in music education, I've always felt the principle applied particularly well to information security. In the case of cyber hygiene, "good habits" means applying operating system and software patches in a timely manner; it means staying on top of the deployment of third-party software; and it means understanding the management and configuration of devices that are under your control. These are activities that, when practiced daily, become ingrained in the culture of an organization and improve security across the board.
Operating System Patching
Patches. Hotfixes. Upgrades. Updates. While the terminology differs from vendor to vendor, the basic principle remains the same: something about your operating system needs a-fixin'. Distributed either through an operating system's package management system, or by their own built-in proprietary upgrade solution, operating system patches are often the most critical—and least avoidable—updates that can be applied. Vulnerable software can be removed or replaced, if necessary, but a machine can't run without an operating system, so applying available updates is crucial to ensuring the underlying security of a given device.
The importance of operating system patches is especially apparent in the case of the recent Meltdown and Spectre exploits. As hardware vulnerabilities, mitigation is best done at the hardware level, however the time it takes for hardware manufacturers to fix the problem, redistribute new product, and get that product replaced in every affected device is far from ideal. This is where operating system patches come into play. Where hardware upgrades are impractical, operating system patches are significantly easier to test, apply, and distribute.
That said, not all operating system patches are created equal. Just last year, Apple released an update for macOS High Sierra that inadvertently exposed a passwordless administrator account on every machine that applied it and, in their rush to patch the vulnerability, spent the next few days fixing and then un-fixing the problem. But not applying patches isn't a viable option, so to better facilitate the deployment of critical patches, establishing a test environment to verify the impact of any new operating system updates can go a long way towards building confidence in them without disregarding them entirely.
There's a reason the Automox slogan is #patchyourshit. It's important and frankly not all that hard. But, what exactly is software patching, and how does it differ from operating system patching? In a nutshell, operating system patches are released by the operating system's manufacturer, typically through a proprietary release channel built into the operating system itself. Software patches are released directly by the individual software vendors through any number of different channels; such as app stores, package managers, proprietary upgrade solutions, and manual binary releases.
In some instances, there is little practical difference between operating system and software patching processes. For example, in the case of Linux-based machines, where built-in package managers deal with the installation and management of both the operating system and the majority of installed software. In other cases, software vendors are often left to their own devices when it comes to patching, leading many of them to develop proprietary upgrade solutions. While it can be difficult for an adversary to compromise upgrades distributed through a package manager or app store, these proprietary upgrade solutions have been shown to be more vulnerable to attack. It is crucial to vet all software patches in the same way you would vet operating system patches.
Last year, hackers modified the downloadable binaries of the popular CCleaner application for Windows, enabling them to install remote execution tools onto more than 2 million machines under the cover of a legitimate application. While trust in your vendor is important, even the most well intentioned firms can be compromised. So, as the Russian proverb goes, always trust, but verify.
Managing the Deployment of Third-Party Software
When it comes to good cyber hygiene, patching known vulnerabilities in endpoint operating systems and software is only half the battle. Whether due to deprecation of deprioritization, sometimes patches aren't released for applications with known vulnerabilities. Getting visibility into the software that is installed on the machines under your control and removing, upgrading, or replacing it can be the difference between good security and no security.
Managing the deployment of third-party software means developing an understanding of what software your endpoints require, where to get it, how to install it, and what it takes to manage their upgrade paths. Where patching can often be done passively the case of most common bugs, managing the deployment of third-party software requires diligence. It means verifying the integrity of deployed software immediately and often, and auditing the devices under your control in order to identify out of date software early.
While deprecated and unsupported software should be treated as a security problem, with the removal and replacement of it flagged as a top priority, identifying and removing unwanted software shouldn't be ignored either. Allowing end-users to install software they need or want is a double-edged sword. On one hand, a certain level of autonomy will reduce IT backlogs and improve employee productivity, but on the other hand there needs to be some accountability to ensure that users are not installing software that puts company data at risk. By frequently auditing the software that is deployed to managed endpoints, ensuring those devices have, or don't have, certain applications is a great step towards a healthier cyber hygiene strategy.
Managing Endpoint Configurations
In addition to managing the deployment of third-party software, it is also important to manage the configuration of the endpoints that software is installed on. Operating systems are hardly black boxes. Each one has a host of different security, privacy, and personalization settings that can be tweaked to improve the experience and safety of the device, so automatically identifying and applying these settings across endpoints can go a long way towards improving the cyber hygiene of an organization.
It is worth noting that there is a difference between the management of "user" and "server" endpoints. For one, server endpoints can be more easily managed by using any number of configuration management platforms. Puppet, Chef, and Ansible are all excellent tools for automatically enforcing configuration settings on application servers. User endpoints, on the other hand, require a different touch. Usability, productivity, and communication are all things that can be impacted, so remote management can be a challenge using the tools above. In many cases, user endpoint configuration management is more about education than enforcement. For example, users often indefinitely defer patch installations because they don't understand the consequences of doing so.
To better improve the reliability and security of endpoint configuration management, identifying the impact of all configuration changes prior to releasing them to endpoints can ensure that the process is smooth and worry-free. Applying a continuous delivery methodology to configuration management can ensure that incoming patches and configuration changes are validated against a test server to verify that the expected behavior of the software installed on each endpoint does not change. Once done, the configuration changes can be automatically applied to production endpoints safely and securely.
It is important to remember that cyber hygiene is a journey, not a destination. While the information above outlines the very basics of cyber hygiene, there is always so much more to learn to better protect yourself. In this series, I will be doing a deep dive into the underlying components of cyber hygiene so you can better understand how they all come together to improve your security. From the inner workings of operating system update solutions and package managers to methods for managing endpoints and the deployment of third party software on them, I hope to help you build a foundation for your own cyber hygiene practices.
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.