The Surprising Equifax Lesson. Patching Isn’t a Strategy.
Everyone has now heard about the Equifax breach. It impacted millions of Americans who will face significant financial and credit risk for years while costing three senior Equifax executives their jobs. There is even talk that a nation state could use the information to target individuals with access to classified information. However, for businesses that care about security, the long-term impact might be worse because the common narrative suggests we are learning the wrong lesson. Failure to patch was a symptom, not the cause of the problem.
Failure of Security Strategy, Not Failure to Patch
When I first heard about the attack details, I was astonished. Equifax was hacked because, according to its former CEO, one person failed to install a patch on a web server. Reportedly, every web server except one had this patch installed on it. So the total compromise of nearly every American’s financial data occurred because one person missed installing one patch on one web server. But neglect around patching wasn’t the core problem. An over-reliance on patching as a defensive security strategy is the real culprit.
As security professionals we know software has flaws. People write software and people aren’t perfect. They make mistakes. We, as consumers of digital technology, have become so accustomed to patches we are numb to it. Some vendors even have names for it, like “Microsoft’s Patch Tuesday” for example. Relying on a purely reactionary approach like patching is a ticking time bomb. Sooner or later you’re going to miss something, like Equifax did, or you’re going to be just a little too slow. Or worse, the bad guys will find a vulnerability in some application themselves and keep it a secret. That happens far more often than organizations are willing to admit. That means there may not even be a patch for you to install. What will you do then? This is reality.
A Systemic Over-reliance on Patching Has Arisen
What is stunning is that there were multiple solutions that would have stopped the Equifax hack. Some of them are even free. For example, Atomicorp’s free web application firewall (WAF) would have prevented this going back to 2015. And, as the former CEO of Equifax said, there was a free patch available for Apache Struts that closed this vulnerability.
How does this reflect on Equifax as stewards of security of financially sensitive data? Not well. Was this simply a colossal failure on their part or is there more to this situation that reflects negatively on the ability of larger companies to implement truly effective cybersecurity? The more I thought about it, the more I think there is a truly systemic problem here in the way too many people think about security. Keeping your patching up-to-date is not the right lesson to take away from Equifax. The real lesson is that faith in patching as security solution has become a recipe for disaster. It has bred over-confidence and the Equifax hack is a result of this broken approach to security.
Why People Focus on Patching
I started in cyber security at the White House in the early 1990’s. Our industry was young then. There were no playbooks. Monitoring wasn’t really an option. We focused on preventing attacks. We also recognized some facts that are still true today. Few people understand cybersecurity, fewer still want to take the time to learn it. And, too many see it as a nuisance that impedes the efficient flow of work. If any of these are true in your experience, the emergence of patching is attractive for three reasons.
- It is an easily understood strategy.
- It is easily measurable.
- It requires little forethought because you just react to information provided by the community of security researchers and vendors.
As attractive as these rationale may be, they don’t address a fundamental problem. When you focus on patching, how do you know if you are succeeding? You simply look at your patching checklist. Did you complete all of the tasks? No? Is your task list finished now. Yes? You are all set and can sleep soundly at night. Except, this is all wrong. Patching is always done after a vulnerability is already known to the community and more importantly to hackers. While it may be easy to patch, if you miss just one system somewhere as Equifax discovered, you have failed catastrophically. That is a wildly fragile system if your job and business are on the line.
Patching is Too Late and Sometimes not Feasible
I am a big proponent of patching. Patch your stuff. It’s just good security hygiene. At the same time, whenever you are patching you are in a race. This isn’t a new idea. Winn Schwartau wrote a book in 1999 titled “Time Based Security” that talks about this race. This is an idea that is almost twenty years old and yet organizations are still relying on patching. Couple this with the fact that hackers often find vulnerabilities long before researchers. This means you are exposed and at risk well before there is a published CVE. It is a race you can’t win. Afterall, who do you think is finding some of these vulnerabilities? It’s not always the good guys.
After every vulnerability is published, every hacker knows about it and some will immediately try to exploit it to catch those unlucky organizations that have not yet patched. There is an entire cyber crime industry that does this and sells access to other criminals. Real economic incentives exist to find vulnerabilities and exploit them before you can patch them.
Finally, let’s face an uncomfortable truth. Sometimes you can’t patch your systems. You might be running an older software version that is no longer supported and there is no published patch. You might have a mission critical operational system that business users will not allow you to take down even for a short period of time. And, as I mentioned earlier, what if there is no patch because only the bad guys known about this vulnerability? There are myriad other reasons, but we all know they exist. The board of directors say patch everything, but the dirty secret is that nothing gets patched before you are already exposed to risk and you can’t always patch. This is a problem.
The Error of the Monitoring-Only Surrender
The monitoring warriors have taken this conclusion to an extreme. They say you can’t patch and hackers are just so clever that defense is useless anyway. Their strategy is to monitor vigorously and deflect intruders before they can do damage, but after they have made it into your network and onto your devices. Monitoring tools are essential to good security hygiene. The attack surface is so vast, complex and variable that there will always be intruders. So, monitor your stuff. However, the monitoring and patching strategies are after-the-fact strategies. What if you are not fast enough to recognize the threat? The Target breach comes to mind. What about defense?
The Importance of Proactive Defense Like WAF
Real security has always been about defense in depth. Layered security starts with prevention. The over-reliance on patching isn’t unique to Equifax. I was at an event in early 2017 that was populated exclusively with senior business and IT executives from global companies. I was told over and over again that they would just patch whatever vulnerabilities were impacting their applications and systems. It was like a broken record. They didn’t really want to talk about security at all and when they did they wanted patching.
A proactive prevention approach starts with recognizing that your software has vulnerabilities in it. Even if it is patched. Period. That bears repeating with an example. Even with every patch installed, Equifax was still vulnerable. We know this because Apache Struts had another vulnerability discovered in it only a few months after Equifax was hacked. Think about that for a moment, even if Equifax had installed all the right patches earlier this year, their systems were still vulnerability to additional flaws in Apache Struts and given their over reliance and confidence in patching it is likely they would have been hacked anyway. Patching is not security.
Real security starts with developing security in depth. For web applications that means implementing tools like web application firewalls (WAF). WAFs restrict what your applications can do, what people can do to your applications and what data can flow out of them using cryptographic anchors to detect and stop exfiltration of sensitive data. You need this because you should not assume your applications are free of any vulnerabilities. Assume that they do.
Simple web application firewall rules would have stopped the Equifax hack. Something as simple as restricting the content of one header in the HTTP protocol to what it should contain would have stopped this hack cold. And, it wouldn’t have broken anything to do this. Don’t trust your applications, protect them. They have vulnerabilities in them today.
The Advantage of Virtual Patching, WAF, DLP and Endpoint Protection Over Patching
You can also layer on virtual patching capabilities that protect your endpoints but don’t require you to take the system offline to install patches This lets you install the patch, without installing the patch. In short, it lets you fix the problem without operational risk. Atomicorp has a number of tools that can help organizations with these challenges from rebootless kernels, virtual patching technologies, zero configuration web application firewalls with advanced DLP, and endpoint protection systems. We have at least three different products, all at low or free price points, that would have each by themselves stopped the Equifax attack even before the vulnerability was even published. They are designed to prevent attacks so you get off the patching treadmill.
However, the point here isn’t that we think our security tools are great. It is important that we continue to focus on prevention because patching and after-the-fact monitoring too often detects the problem too late.It is a race against time that you can’t win every time. Sooner or later, you’ll get hacked. Equifax is just a recent example. The old saying goes, “an ounce of prevention is better than a pound of cure.” This is true in maintaining a healthy hygiene for people and for securing your enterprise.