Depending on where I travel and which customers I talk to, patch management is still the number 1 issue coming up. The challenge is not only deploying the updates – much worse, there is still an awareness issue in a lot of markets. People know that they should patch but too often do not do it – and if they do, there is no real process attached to it. Additionally, one of the issues I often raise publicly is that a lot of companies still focus on Microsoft products "only". I do like it when they keep "our" part of the infrastructure current, but there is a lot more…
We all know that the basis for any security in any infrastructure is to stay current – often not only on patches but on software versions as well. I guess we all agree on that. But it gets worse. What about firmware and BIOS? How will we be able to keep them current? What do we do with protocols that are flawed and need a major migration?
The reason I bring this up is that I read three articles this morning, all pointing in this direction:
And there are a lot of similar challenges. How do we handle such updates? How do we even find out they exist? We have seen a lot of these issues recently in hardware and even in goods that have computers embedded – like cars.
This is still a very, very manual thing, and I currently have no idea how to address such challenges beyond having a good inventory, an understanding of the business processes to do a proper risk assessment, and then a process for handling the security updates. What would be needed from your point of view?
My real fear is that we will see the attacks moving down the stack more broadly. If you can control the routers in a target's environment, that would definitely be an interesting position to be in.
My experience is that there is essentially zero security awareness on non-PC or Windows server network devices. One giant glaring hole is those departmental-sized multi-function printer/scanner devices, many of which run a customized xNix operating system, have exposure on common web ports, usually have quite weak security and rarely if ever have centralized management of the devices. One company I worked at had over 3000 of these on the wire running a known vulnerable version of Apache on a 7-year-old BSD Unix kernel under the hood. Even if they had the desire to update and patch them, the vendor provided no way to do that other than visiting every one of them by hand! Ticking time bomb....