• The Challenge of Patch Management

    Depending on where I travel and which customers I talk to, patch management is still the number 1 issue that comes up. The challenge is not only deploying the updates – much worse, there is still an awareness issue in a lot of markets. People know that they should patch but too often do not do it – and if they do, there is no real process attached to it. Additionally, one of the issues I often raise publicly is that a lot of companies still focus on Microsoft products "only". I basically like it when they keep "our" part of the infrastructure current, but there is a lot more…

    We all know that the basis for any security in any infrastructure is to stay current – often not only on patches but on software versions as well. I guess we all agree on that. But it gets worse. What about firmware and BIOS? How will we be able to keep them current? What do we do with protocols that are flawed and need a major migration?

    The reason I bring this up is that I read three articles this morning, all going in this direction:

    And there are a lot of similar challenges. How do we handle such updates? How do we even find them? We have seen a lot of these issues recently in hardware and even in goods with embedded computers – like cars.

    This is still a very, very manual thing, and I currently have no idea how to address such challenges beyond having a good inventory, understanding the business processes well enough to do a proper risk assessment, and then having a process for handling the security updates. What would be needed from your point of view?
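    To make the "inventory, then risk assessment, then update process" idea concrete, here is an added example (not code from the original post). It assumes a constructed asset inventory that records the BIOS or firmware version of each device alongside its business criticality and exposure, and a constructed baseline of minimum acceptable versions of the kind you would maintain from vendor advisories; the asset names, models and versions are invented for illustration. The check reports assets below the baseline, highest risk first, and treats a device with no baseline entry at all as a finding of its own, because "we don't know what this should be running" is exactly the gap the post describes.

```python
"""Inventory-driven firmware/BIOS update check.

Added example, not from the original post. The inventory records and the
minimum-version baseline below are constructed for illustration; a real
deployment would load them from a CMDB and from vendor advisories.
"""
from dataclasses import dataclass
import re


@dataclass
class Asset:
    name: str
    kind: str           # e.g. "server", "router", "laptop"
    component: str      # e.g. "bios", "firmware"
    vendor_model: str   # hypothetical model identifier
    version: str        # version currently installed, as reported by inventory
    criticality: int    # 1 (low) .. 3 (high) business impact
    internet_facing: bool


# Constructed inventory: what "a good inventory" would give you.
INVENTORY = [
    Asset("edge-rtr-01", "router", "firmware", "acme-r200", "4.1.2", 3, True),
    Asset("db-srv-01", "server", "bios", "acme-s900", "1.12", 3, False),
    Asset("web-srv-02", "server", "bios", "acme-s900", "1.14", 2, True),
    Asset("hr-laptop-17", "laptop", "bios", "acme-l10", "2.3.0", 1, False),
    Asset("iot-cam-03", "camera", "firmware", "acme-c1", "0.9", 2, True),
]

# Constructed baseline: minimum acceptable version per (model, component).
# In practice this is maintained from vendor advisories as they are published.
BASELINE = {
    ("acme-r200", "firmware"): "4.2.0",
    ("acme-s900", "bios"): "1.14",
    ("acme-l10", "bios"): "2.3.0",
}


def parse_version(v: str) -> tuple:
    """Split a version string into comparable numeric components.

    Non-numeric suffixes are ignored, so "1.12" < "1.14" and
    "4.1.2" < "4.2.0" compare as a human would expect, which a plain
    string comparison would get wrong ("1.12" > "1.14" as strings).
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


def risk_score(a: Asset) -> int:
    """Deliberately simple, explicit scoring: business criticality,
    doubled when the device is reachable from the Internet."""
    return a.criticality * (2 if a.internet_facing else 1)


def find_outdated(inventory, baseline):
    """Return (outdated, unknown).

    outdated: list of (risk, name, installed, required), highest risk first.
    unknown:  names of assets with no baseline entry; these need a baseline
              before anyone can say whether they are current.
    """
    outdated, unknown = [], []
    for a in inventory:
        required = baseline.get((a.vendor_model, a.component))
        if required is None:
            unknown.append(a.name)
        elif parse_version(a.version) < parse_version(required):
            outdated.append((risk_score(a), a.name, a.version, required))
    outdated.sort(key=lambda t: (-t[0], t[1]))
    return outdated, unknown


if __name__ == "__main__":
    out, unk = find_outdated(INVENTORY, BASELINE)
    for score, name, have, need in out:
        print(f"risk {score}: {name} runs {have}, baseline requires >= {need}")
    if unk:
        print("no baseline defined for:", ", ".join(unk))
```

    The output ordering is the point: the Internet-facing router with outdated firmware comes out ahead of the internal database server, and the camera with no baseline at all is surfaced separately so it lands in the inventory backlog rather than silently passing.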

    My real fear is that we will see attacks moving down the stack more broadly. If you can control the routers in a target's environment, well, that would definitely be an interesting thing.

    Roger

  • Cyber Espionage and Targeted Attacks

    This morning I read an article on Infoworld: Why you should care about cyber espionage, which – to me – is a strange question. First of all, most companies have to protect some sort of intellectual property. It is nothing new to the Internet that state-driven espionage targets not only state secrets but industrial secrets as well. Therefore, cyber espionage is in no way different from any other espionage. Did you care about losing your intellectual property 20 years ago? Better care about it today as well.

    Secondly, if I look at the targeted attacks companies have suffered, they are by no means limited to state-owned infrastructure. They hit private sector companies as well as public sector organizations.

    Should you care about protecting your intellectual property? For sure!

    Should you defend against targeted attacks? What a question. If you are concerned about this, I recently blogged about a paper we published: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.

    So, there should be no separation – just protect your infrastructure and make sure you care about classical network hygiene (as described in the paper above). This is the best first step to happiness :)

    Roger