Software patches are not a cyber security strategy
By Ralph Aceves
HackerStrike Corporation
April 2021
Software and patches are driving the ransomware economy. After a successful cyber attack, the affected software vendors rush to send software patches. This cycle repeats itself over and over. Why can’t software patches solve cyber attacks and specially ransomware attacks?.
The answer lies in the way legacy software products are architected!. The vast majority of the installed products were never designed to withstand the new threads now being introduced by cyber criminals. The software patches are just that, patches or band aids to solve cyber security problems temporarily.
Software updates to fix known issues are extremely important and everyone should keep the products up to date as much as possible.
The ransomware economy has been helped by the way software updates are announced and applied. As soon as a vulnerability is uncovered, thousands of hackers start launching targeted attacks and sharing information among themselves to increase their financial intake.
The risk of vendor update announcements
Software update announcements to fix vulnerabilities alert the cyber criminal community of a known weakness. These announcements generate a high level of activity by these criminals and attacks increase dramatically. Unfortunately, it is almost impossible to keep the software update information private.
There is a lag time between a vendor announcement and the time companies apply the updates. In many cases these updates are never applied for a number of reasons, such as lack of resources, update announcements never get to the people responsible, costs, etc.
A vicious cycle has been created between the way updates are announced and the cyber criminal community. The damage created by the lag time between announcement and application of updates is incalculable.
For example:
After Microsoft announced patches to Exchange Server, attacks increased against unpatched systems. Information of vulnerabilities were so detailed, that it was not difficult for hackers to quickly launch their targeted attacks against them.
A study titled “Does information security attack frequency increase with vulnerability disclosure?. An empirical analysis by Ashish Arora & Anand Nandkumar & Rahul Telang 2006, showed there is a relationship of increased attacks between patch announcement and patch application.
Software patches are not a cyber security strategy
While it is highly recommended that all systems are up to date with the latest software patches, it is not a practical strategy from a cyber security standpoint.
Organizations need to have a comprehensive plan to ensure their systems are secured, even if they are not up to date. Zero-day attacks or malware previously unknown, represent the biggest threat.
The term “zero-day” refers to a new or unknown malware or a new or unknown vulnerability, combine both and you have a lethal attack. Because the vendor has just learned of the flaw, it also means an official patch or update to fix the issue hasn’t been released.
“zero-day” refers to the fact that the developers have had “zero-days” to fix the problem that has just been uncovered.
Once the vulnerability becomes publicly known, the vendor has to work quickly to fix the issue to protect its users.
But the software vendor may fail to release a patch before hackers manage to exploit the security hole. That’s known as a zero-day attack.
A new approach is needed
The approach taken in the past to prevent intrusion and data theft such as firewalls, antivirus products, VPNs, isolation, etc. were effective as most organizations kept their critical systems within their own data centers.
As these organizations moved to the cloud and their users accessed cloud based services, these legacy security products have become less effective. The new trend to have employees work from and in many cases use their own equipment has just exacerbated the problem.
In order to combat the speed and complexity of new attack methods, a new approach that leverages deep device behavior and anomaly analysis is needed.
Artificial intelligence and machine learning technologies are being used as the foundation for new cyber security products that can detect zero-day attacks at the speed required to be effective.
As a matter of practice all systems should have fundamental security features that provide protection, even the system is not updated.
Ralph Aceves
HackerSrike Corporation
