Today’s security landscape is filled with nonstop ransomware attacks and massive incidents plaguing headlines every day. While patching may seem like a simple solution to a growing problem, IBM’s X-Force found that more than a quarter (26 percent) of all cloud compromises were caused by attackers exploiting unpatched vulnerabilities. Even more concerning, IBM’s penetration testing team was able to compromise credentials in 99 percent of the cases they encountered — an ability that could easily become detrimental in the wrong hands.
While these numbers are shocking, we must ask the question: How did we get here?
Let’s begin with the hard truth: organizations are not as good at patching as they think they are. While some patches might be missed through poor patch scanning processes, the more likely cause is that vulnerabilities are in fact being discovered — or at least somewhat known — by security teams, but they are not getting patched quickly enough. There can be any number of reasons your team might be struggling to keep up: the difficulty of implementing the fixes, the challenge of doing so quickly enough not to disrupt the rest of the network, or simply long-established development cycles.
When it comes to securing credentials, outdated methodologies are a major contributor to compromise. Several years ago, NIST encouraged organizations to forget about things like frequent password resets or complex, hard-to-remember passwords. Rather, they advised the use of passwords that are easier to remember but very long — think 64 characters in length. To supplement this, NIST recommended the use of password managers to securely store the passwords. While this was a striking statement of common sense compared with the password “rituals” that many had become familiar with, it is sound guidance that, when paired with multi-factor authentication, will make the difference and shift the paradigm away from old-school methods.
What can organizations take away from this?
IBM’s recent report showcases the challenges that many security teams face, but understanding the problem is half the battle. To truly combat the ever-shifting threats that bad actors pose to organizational vitality, executive leadership must emphasize the use of standardization and automation to control the attack surface, ensure that all systems are being scanned for missing patches, and ensure that the patches are being implemented — even at the cost of productivity, uptime and development cycles. Risk acceptance of unpatched vulnerabilities is often far too lenient, and the focus must be on eliminating unpatched vulnerabilities rather than willfully ignoring them until the next patch cycle comes around. They must also supplement these efforts with smart credential security and follow the guidance of standards bodies such as NIST at all times.
By prioritizing stronger security protocols, patching expeditiously, and implementing tools that ease the burden on time, budget and energy, security teams can strengthen their security posture, get ahead of the game and eliminate as many options as possible for threat actors to get inside their networks.