As technology develops and grows, so do cyberattacks. The National Cyber Security Centre (NCSC) recorded 34 significant cyberattacks between October 2016 and the end of 2017, and 762 less serious incidents. And the problem continues to ramp: NTT Ltd.’s Global Threat Intelligence Report reports “attack volumes increasing across all industries between 2018 and 2019 and the most common attack types accounted for 88% of all attacks: application-specific (33%), web application (22%), reconnaissance (14%), DoS/DDoS (14%) and network manipulation (5%) attacks”.

This year is not an exception. Hackers exploit the COVID-19 panic to create websites that post ‘official’ COVID-19 information but actually act as malware or try to steal users’ personal data. Organizations cannot wait for a punch card with a patch. They need a solution to automatically patch a vulnerability as soon as possible. Let’s take a closer look at the best-known vulnerabilities that dramatically impacted businesses.

Vulnerabilities That Changed the Patching World

The Heartbleed Bug

Heartbleed is a vulnerability in the OpenSSL cryptographic library. The Heartbleed bug allows an attacker to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

VMware Case

According to the CloudPhysics study, more than 50% of vCenter servers and ESXi hypervisors were not patched and remained unprotected three months after the patch was released. If you look at the “Rate of patching is slowing down” section, you surely will be surprised. How much time do we need to finally get rid of Heartbleed?

Source: CloudPhysics study

Conclusion

Various compliance standards and guides strictly shrink the patching window. Now, in most cases, you have to patch your infrastructure within 30 days to remain compliant. Years ago the main focus was on industrial uptime (“Some industrial sectors require 99.999% or greater ICS uptime. This requirement relates to 5 minutes and 35 seconds or less allowable downtime per year for any reason, making unscheduled patching out of the question.”). These days everyone needs this level of uptime no matter what industry it is. Before, planned patching was just a recommendation, but now the lack of it means non-compliance.

Shellshock

Shellshock is a privilege escalation vulnerability. If exploited, the vulnerability allows an attacker to run commands remotely. Shellshock is an example of an arbitrary code execution (ACE) vulnerability. It can be easily exploited through web applications running on a vulnerable server.

Yahoo Case

It sounded like a joke, but it wasn’t: media reported that Yahoo was hacked using the Shellshock vulnerability. Like many major companies, Yahoo has a bug bounty program and spends a lot of money not only on internal threat-monitoring systems but also on inviting external sources, specialists, and experts.

Conclusion

From the Ponemon Institute study, we can see that the time spent on monitoring systems for threats and vulnerabilities grows each year (127 hrs and 139 hrs spent weekly in 2018 and 2019 respectively). Add the time spent on applying patches, documenting, coordinating, and reporting, and you can see how the total (both in time and money) spent annually on vulnerability management can skyrocket. The numbers tell the stories best.

Source: The “Cost and consequences of gaps in vulnerability response” report (independently conducted by Ponemon Institute LLC)

The possible damages to individuals, businesses, and industries force us to invest heavily in development, audit, testing, and security. But can you imagine that you can just pay once and stay safe by getting patches against all known and new vulnerabilities without a need to investigate, schedule, apply, and reboot?

Meltdown and Spectre

Meltdown, Spectre, and Zombieload exploit critical vulnerabilities in modern processors. They allow an attacker to steal data currently processed on the computer. Most affected are large cloud services and enterprises that process private customer data.

Zombieload

Zombieload, one more critical bug in modern processors, allows stealing sensitive data and keys while the computer accesses them. The attack can affect all Intel’s processors since 2011.

Intel Case

The hysteria around Intel and Meltdown, Spectre, and Zombieload has now calmed down a bit, but it was like two tsunami waves back in 2019. The facts are: 100 million servers, 600 million PCs, and about 1.7 billion smartphones were vulnerable.

Source: ITCandor, "Meltdown and Spectre – 2.7b vulnerable devices and a $37b bill for mitigation"

This equates to billions of reboots. Although most companies using Intel’s chips quickly applied their patches, the bad taste lingered.

Conclusion

One vulnerability can seriously damage a company’s operations and reputation, as happened with Intel. Zombieload, Zombieload2, Meltdown and Spectre were fixed by KernelCare without reboots.

Conclusion

Disciplined patch management has become more critical as the number of vulnerabilities continues to increase. The consequences of being shortsighted or lax in the process become more and more devastating. If you have a good security policy, the right tools, and people who know how to manage them, you can minimize risks. Even better if you have a toolset that automates the process and applies patches to infrastructures while they are operational.

Try KernelCare free on all your servers for 7 days and tell us what you think.