Reading Time: 3 minutes

3 MINUTE READ

High Number of September Vulnerabilities Illustrates Need to Patch

SmartphoneSecure-dan-nelson-ah-HeguOe9k-unsplash-1024w
Joe Howland
Joe Howland, Chief Information Security Officer

During the past week, we’ve received a lot of questions about an Apple security vulnerability that hit the headlines. To summarize the issue:

  • A zero day vulnerability (defined as a software vulnerability previously undiscovered) was discovered last week that potentially allows hackers access to an Apple device.
  • It is an unusual “zero-click exploit,” meaning that you don’t have to click on a malicious link or attachment for malware to get activated.
  • The exploit originated with an Israeli company, the NSO Group, that used this vulnerability to spy on a Saudi activist.

Obviously, this is a vulnerability that you want to patch immediately. But it wasn’t the only concerning vulnerability that appeared last week. In fact, the additional vulnerabilities that were discovered might be even more concerning—despite not getting the headlines that the Apple vulnerability received.

  • Microsoft Windows: A zero day vulnerability emerged that could allow a cyberattacker into your systems through a malicious Microsoft Office document. In addition, dozens of other vulnerabilities were identified ranging from one that exploits old Windows operating systems (such as Windows 7) to a lingering cyber issue with printers.
  • Adobe: About a dozen critical vulnerabilities were identified in popular software applications such as Adobe Acrobat and Adobe Reader.
  • Google Chrome: Two zero day vulnerabilities were identified that could give a hacker control of your system.

The Microsoft, Adobe, and Chrome vulnerabilities that appeared last week are far more significant and have a much larger potential impact on entire IT environments versus the threat to single devices from the Apple vulnerability.

When headlines appear, you should not worry. If you are worrying, then you may need to reexamine your patching policy and procedures. Review these best practices with your IT staff or vendor to see if you need a more proactive plan in place.

1. Apply critical patches when they are released from the vendor.

No ifs, ands, or buts. Sometimes, you may need to slightly delay applying patches for technical reasons, but you need a plan in place where you regularly and consistently apply patches. Hackers actively exploit organizations that do not patch, and many of the biggest data breaches, malware attacks, and other cyberattacks occur because an organization failed to apply a simple patch.

If you worry about interruptions to employee work or the time it takes to apply patches, then consider working with experienced IT engineers who understand the patch management process. They can help you build a proactive patching plan that alleviates operational hassles such as employee interruptions and manual staff time. (For example, they may apply patches after hours or on weekends.)

Also, while tools exist to manage mobile device patching, many organizations do not have this management layer deployed. If this is true for your organization, then we recommend you ensure that all mobile devices are set to automatically apply software updates so that patches are deployed in a timely fashion on smartphones and tablets.

2. Modernize hardware and software.

Many organizations use outdated hardware and software no longer supported by the vendor—meaning no more patches are provided. As hardware and software ages, it becomes more vulnerable—leading to gaping security holes. For example, one of the Microsoft vulnerabilities from last week is especially troublesome if you are still using Windows 7—which is still used by 8 percent of devices in the United States.

While hardware and software modernization may involve an upfront cost, the benefits to your cybersecurity, IT maintenance, and productivity more than make up for the cost.

3. Implement endpoint detection and response (EDR).

We’ve written about EDR in more detail elsewhere, but it’s important to reiterate that you need this important tool to detect suspicious activity within your systems. Antivirus cannot detect if a cyberattacker is using Windows, Chrome, or Adobe in malicious ways. EDR can.

EDR is a tool that watches for suspicious activity such as a cyberattacker using legitimate credentials or applications for sinister purposes. It gives you a way, continuously and in real time, to detect suspicious activity within your systems. EDR is now affordable and easy to deploy, with minimal disruption to your employees. Better yet, if a cyberattacker does get inside and acts maliciously, you can shut down and quarantine devices before the malware or cyberattacker gains access to your entire network.

Use these recent vulnerability scares as a reason to examine how you currently patch your hardware, software, and systems. You may need the help of IT professionals if you are unable to keep up with the patching process. If you’re concerned about your ability to stay ahead of zero day and other vulnerabilities, reach out to us through the form below.