Opinion: 4 Reasons Why Organizations Can’t “Just Patch”
Now that most of us have dried our tears, it’s time to take a clear-eyed look at what the WannaCry debacle uncovered, and the most recent MaybeNotPetya attack highlighted this week.

Taken by themselves, there were no new elements: ransomware; a known vulnerability; a worm spreading via a protocol that we knew should not be exposed to the Internet; abuse of operating system utilities; and an anti-sandboxing function in the WannaCry malware. We knew there were countless vulnerable systems running software that was out of support, out of date, or simply unpatched. None of this was a surprise to anyone in security.

What always seems to take some by surprise, however, is that no matter how much we talk about patching, it doesn’t happen in many cases. In fact, organizations with the most critical functions appear to struggle with software updates. It’s almost as if talking about the problem and “raising awareness” isn’t enough to actually solve it. Like the old joke about the scientist and the frog, if you cut off all four legs, the frog mysteriously loses its hearing.

So what’s keeping these organizations vulnerable, and what can we do about it, other than scolding harder until morale improves? Here are some of the factors:

If the system isn’t under your control, you can’t update it. The issue is widespread, especially among organizations below the security poverty line, but it applies just as much to financial trading terminals and banks as it does to the network run by a centralized higher education system. Voiding the warranty and licensing terms by doing your own patching is not an option for most enterprises, even assuming you know how to do it.

Organizational constraints, particularly in the public sector. Taxpayers aren’t going to pay to update hardware and software that are working just fine. Legislative mandates, spending cuts and administrative rules designed to place controls on government also interfere with the agility necessary to keep up with security threats.

“Built to last” directly conflicts with “update early and often.” When you’re paying millions of dollars for an MRI machine and suite, you expect it to last for decades, and indeed it was built for that purpose. The idea of changing it by updating the software on a weekly or monthly basis was unthinkable when most of these were built. Because patient safety is paramount, healthcare systems cannot be updated if doing so will threaten their availability. Even if the software is patched, it requires a new round of safety certifications that take months.

Any system with external, highly entangled dependencies will take longer to update — even years, as integration testing, certifications, regulatory alignment in multiple countries, and staged deployment must all be carefully scheduled. Such entangled systems will also tend to have a longer tail, as trailing populations of users with more restrictions take longer to catch up. Microsoft discovered this with Windows XP, a perfectly functional operating system that works so well that it’s been deployed in everything from kiosks to equipment, and has been running for years. Acknowledging this reality, the company has issued updates for the large and critical body of legacy systems out there.

Expecting every company to adopt DevOps and be a Netflix isn’t practical; we go to war against malware with the systems we have, not the ones we wish to have, or that security principles state we ought to have. We need to address decades of legacy systems and organizational constraints, as well as the plain fact that nobody knows today how much effective security should cost a given enterprise; we don’t even know whether it’s affordable.

But we know we have to make changes, and we have to help critical industries that are trapped by their circumstances. Some ideas being floated around include a “cash for clunkers” program for healthcare; standing up more secure infrastructure to which SMBs could migrate, with help, is another one.

Educating non-IT vendors and manufacturers so that they start building in security will take a long time, and in the meantime, the number of truck rolls to fix legacy equipment is probably staggering. Re-aligning security incentives, both financial and legal, could affect the economy on the same scale as affordable healthcare. There is no “just” about it, but it’s time to do it.

In the meantime, there are some short-term measures that enterprises can take to address these and similar threats. One list is here; another is here; there are others in varying degrees of practicality. Good luck, and keep the hankies handy.