In 2017, WannaCry Ransomware spread to 100 countries over a weekend. Don't expect patching to stop the business model of digital blackmail. Be prepared! There is no lack of knowledge among security departments when it comes to securing infrastructures. New technologies bring great advantages but also risks. Some experienced attackers may use zero-day attacks that exploit previously unknown vulnerabilities for which the software vendor has not yet released a patch.
The race begins ...
Without proper knowledge or control of the software used in a company, defenders cannot properly protect their assets. When new vulnerabilities are announced, a race begins. The time between the announcement of a vulnerability, the availability of a vendor patch, and the actual installation on each computer is short.
Patch management is important as part of a holistic, multi-layered security approach. However, the more patches are released, the greater the effort, and the more resources cannot keep pace. Patch Management closes security gaps in the operating system and thus possible entry gates. However, this can only prevent attacks that have previously exploited the closed vulnerability. This does not prevent the execution of malware or ransomware.
Almost 90% of all security breaches are due to known vulnerabilities. Therefore patching often does not lead to the desired goal. For example, Microsoft alone publishes over 300 patches per year, only a fraction of which are needed at all. Together with third-party vendors such as Adobe, Oracle and others, the number of patches can grow to a considerable size that is no longer manageable.
Attackers are aware of this problem and can attack unprotected systems at any time, e.g. by phishing. Attacks can take advantage of new hardware that is installed on the network but not configured and patched with appropriate security updates. Even devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal pivot points or victims.
Unlike IT systems that IT teams replace or upgrade every three to five years, Industrial Control Systems (ICSs) often have a even longer shelf life in OT production environments. It’s not uncommon for an OT system to remain in production for 10 years or longer. This creates several challenges for security pros because: Legacy ICS patching is made more difficult by complexity and availability requirements.
In an environment optimized for uptime, patching systems can create operational disruptions, which means it doesn’t always receive highest priority. For organizations that must respond to a cyberattack, patching and remediating systems is not something that security pros can do in real time, which only further increases the operational disruptions.
Applying patches to ICS components presents a challenge to system administrators, because system updates and patches can interfere with the ICS function. A patch to an ICS component could change the way it works, resulting in component failure or loss of functionality.
Possibly even legal regulations prevent the implementation of security updates, because otherwise the systems would have to be recertified.
Why patch management is not sufficient:
Old OS versions are no longer provided with updates which makes Patch Management ineffective
Cannot prevent malware or ransomware from being executed
Attacks via USB/removable media cannot be prevented
BadUSB attacks cannot be prevented either
On a fully patched system, an encryption trojan can still be used
Offline systems can not be patched at all or only with great administrative effort
Patch management requires a high administrative effort: probe, test, distribute, validate patches
In the production environment, the time window is limited to distribute patches promptly
Most patch installations require reboots and affect the production of end users and machines
Regulations prevent the implementation of security updates
Many serious vulnerabilities are not caused by coding but configuration problems
Enforcing secure system configuration and preventing zero-day attacks are even more important because of the above issues. DriveLock offers a defense-in-depth strategy with holistic multilayer protection. The goal is to protect data against attackers from the outside and the inside whilst protecting vulnerabilities from being exploited.
Application Control securely protects against all known and unknown threats such as Zero-Day-Exploits, WannaCry, Ransomware or Bad USB in a future-proof manner. With Application Control you decide, which applications are allowed. There is no impact on the performance of the system: even during full Whitelist-mode, the effort of implementation is far less than with comparable solutions.
DriveLock Device Control controls all removable media and devices. Systems with a defined and certified state, which may not simply be changed or patched, can be initially sealed and permanently protected with DriveLock Application Control