In early May, security experts warned of a new software vulnerability that had the potential to wreak havoc on a global scale. It could be even worse than the infamous WannaCry ransomware worm which caused chaos around the world when it landed in 2017, they said. Unfortunately, more than two months later, hundreds of thousands of machines are still vulnerable to the Bluekeep flaw.
Yet firms need to do more than simply patch this bug now. They need to get to a point where they are automatically fixing similar high-risk security problems without the need for manual interference – and doing so as part of a multi-layered security effort.
What is Bluekeep?
Also known more formally as CVE-2019-0708, Bluekeep is a remote code execution vulnerability in Windows Remote Desktop Services (RDS). Bluekeep affects a huge range of machines: from Windows XP up to Windows 7 and Server 2003 to Server 2008 R2. Most importantly, it’s capable of spreading without user interaction. This “wormable” characteristic makes it particularly dangerous because it allows attackers to remotely take control of an infected machine.
Even worse, researchers have already developed workable exploits for the vulnerability. If the good guys have managed this, you can bet that the black hats will also be working on something. New research from security vendor BitSight could give them extra impetus to do so. It found that as of 2 July, a total of 805,665 systems remained at risk – a decrease of just 17% from 31 May.
The most responsive verticals have been Legal, which reduced affected systems by 33%, Non-profit/NGO (27%) and Aerospace/Defense (24%). The worst performers were Consumer Goods (5%), Utilities (10%), and Technology (12%).
A wider problem
It’s not all about Bluekeep, of course. Every year tens of thousands of vulnerabilities are discovered. Over 22,000 were disclosed in 2018, and Microsoft alone has patched several hundred flaws already this year. Vulnerabilities are a key tool in the cyber-criminals’ arsenal. By developing exploits for these, they can find ways to:
- Eavesdrop on communications
- Remotely control victim computers
- Lock down systems with ransomware
- Illegally mine for cryptocurrency
- Steal personal and corporate data for use in fraud, or to sell on the black market. Nearly 60% of organisations that have suffered data breaches in the past two years claimed this was down to an unpatched vulnerability
What’s more, the bad guys are getting increasingly adept at locating these vulnerabilities in companies’ IT systems. The use of automated scanning tools is on the rise: last week it emerged that 62 US colleges and universities had been compromised via an unpatched bug in commonly used ERP software.
The problem with patching
This all adds ever-greater urgency to the need to patch such vulnerabilities as soon as they are discovered. But with so many being disclosed each month, in a variety of systems, knowing which to prioritize can become a major headache for IT security teams – especially those in smaller firms.
Their job is made even harder by the rapid expansion of digital systems, including smart devices and cloud accounts, all of which need patching. The unintended consequence of digital transformation is that it also increases the corporate attack surface.
Automating the problem
The good news is that automated patching tools exist. Companies can use them to prioritize and patch vulnerabilities as soon as a fix becomes available. This not only helps by freeing up stretched IT teams to work on more important tasks, but it reduces the risk of an organization being compromised by a known vulnerability.
This is important: in 2017, credit agency Equifax was breached after it failed to patch a known vulnerability in the Apache Struts framework. The resulting fallout has cost the company an estimated $1.4bn in IT costs, legal fees, and free credit monitoring for customers. The latest reports suggest the firm could also be hit by a regulatory fine of up to $700m.
However, patching is only one piece of the corporate cybersecurity jigsaw puzzle. It’s a great start in helping to reduce risk, but it must be accompanied by other best practice measures, including:
- Application whitelisting (control) to combat zero-day threats
- Continuous network monitoring
- Staff training (phishing awareness)
- Strong encryption for sensitive data at rest and in transit
- Privileged account and identity management, including MFA (multi-factor authentication) as standard
- Endpoint, network, server and web/email gateway protection, ideally from a single reputable provider
- Mobile device management tools
For those still struggling, best practice cybersecurity frameworks like those produced by NIST offer a useful place to start.