The Importance of Patching:

It’s hard to believe that in this day and age security professionals are still fighting to get buy-in on something as important as patching. This process is one of the most effective tools for securing our environments, and while it can be painful at times, it has become more and more critical to ensure these processes are working. Yet even with all the evidence in favor of patching, there is still reluctance by some to spend the money to achieve patching efficiency.

To combat this, I think we need to look at a very real-world scenario. Let’s take the EternalBlue vulnerability. Microsoft patched it on March 14, 2017 with a series of patches for all Microsoft operating systems. Microsoft deemed this so important that they even released patches for OS versions that were considered end-of-life and not eligible for patches. Just two months after the patch was released, and one month after the exploit was leaked by the Shadow Brokers group, the WannaCry ransomware used this vulnerability to great effect. On May 12, 2017, the National Health Service in the UK was attacked and up to 70,000 devices were affected. In total, it is estimated that 200,000 devices were compromised in 150 countries. It was considered one of the worst vulnerabilities to have been discovered at that time. So why do I bring this up? The CVE number for this vulnerability is CVE-2017-0144, and as of this writing it is 5 years old. Surely no one still has a vulnerable version of this OS around? And even if they do, how bad can it really be?

I’ll tell you. Bad. People who don’t take patching seriously can easily have a vulnerability like this still in their environment, and it could lead to the entire network being owned. Don’t believe me? Watch this short video, and then let me know if you still feel like it doesn’t matter if you don’t patch. It is an example of an attack that security professionals are still able to carry out on many networks.

BlueKeep Attack Demonstration

In closing, security professionals are not just paranoid and obsessive. We really do care about security and keeping people safe. We don’t keep talking about this to make ourselves feel better, but because we want you to believe in it just as much as we do. If you need help with patching or vulnerability management, just let us know, and we can assist.
