Poor cyber security practices around downloading and patching software are exposing thousands of organisations to cyber attacks, according to security firm Sonatype.
In the year since the breach of 148 million Equifax records belonging to US consumers and 694,000 UK consumers, up to 10,800 organisations – including tech firms, car manufacturers, financial services firms and insurers – have introduced the same security vulnerabilities into their networks, according to the company's data on downloads from its software component repositories.
The affected organisations include 57% of the Fortune Global 100, which have downloaded vulnerable versions of the Apache Struts open source software package despite the availability of six patched versions, Sonatype told Fortune.
Apache Struts is an open-source model-view-controller (MVC) framework for building Java web applications, and is widely used across the financial services sector.
The vulnerability exploited to breach Equifax (CVE-2017-5638) lies in the way Struts handles file uploads: an error message built from the request's Content-Type header is evaluated as an OGNL expression, so an attacker who places a command string in a crafted Content-Type HTTP header can execute arbitrary commands on the server without needing valid credentials or a real file upload.
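Because the attack travels in a single header, it is also easy to spot at the edge. The following added example (not code from the article or from Sonatype) shows the check a web-application firewall rule or log-review script can apply: parse the header block of each request and flag any Content-Type value that carries OGNL expression syntax, which no legitimate media type ever does. The sample requests are constructed for the example, the marker list is taken from the shape of public payloads for this flaw, and the 256-character length cut-off is an assumed heuristic rather than anything the article states.

```python
import re

# OGNL expression openers and the runtime-execution class names seen in public
# CVE-2017-5638 payloads. A real Content-Type (media type plus parameters such as
# boundary=...) never contains any of these tokens.
OGNL_MARKER = re.compile(
    r"%\{|\$\{|#_memberAccess|ognl\.OgnlContext|java\.lang\.Runtime|ProcessBuilder",
    re.IGNORECASE,
)

# Assumed heuristic (not from the article): benign Content-Type values are a media
# type plus a short boundary, well under this length; injection payloads are long.
MAX_CONTENT_TYPE_LEN = 256


def parse_request(raw):
    """Split a raw HTTP/1.x request into its request line and a dict of headers
    (names lower-cased). Only the header block is parsed; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_content_type(value):
    """Return None for a benign Content-Type, or a short reason string when the
    value looks like an OGNL injection attempt."""
    m = OGNL_MARKER.search(value)
    if m:
        return "ognl marker %r" % m.group(0)
    if len(value) > MAX_CONTENT_TYPE_LEN:
        return "content-type too long (%d chars)" % len(value)
    return None


def scan_requests(raw_requests):
    """Run the check over a list of raw requests and return
    (index, request_line, reason) for each request that should be blocked or alerted on."""
    hits = []
    for i, raw in enumerate(raw_requests):
        request_line, headers = parse_request(raw)
        reason = classify_content_type(headers.get("content-type", ""))
        if reason:
            hits.append((i, request_line, reason))
    return hits


# Constructed sample traffic (not captured from any real system).
SAMPLE_REQUESTS = [
    # 0: ordinary multipart upload
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "Content-Length: 0\r\n\r\n",
    # 1: OGNL expression smuggled in Content-Type, the shape of the Struts attack
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#placeholder='constructed')}\r\n"
    "Content-Length: 0\r\n\r\n",
    # 2: GET with no Content-Type header at all
    "GET /index.action HTTP/1.1\r\nHost: app.example\r\n\r\n",
    # 3: no marker, but an implausibly long value (length heuristic)
    "POST /x.action HTTP/1.1\r\nHost: app.example\r\n"
    "content-type: text/plain; charset=" + "x" * 300 + "\r\n\r\n",
]

if __name__ == "__main__":
    for idx, line, why in scan_requests(SAMPLE_REQUESTS):
        print("request %d (%s): %s" % (idx, line, why))
```

The marker test is the one that matters; the length rule only catches obfuscated variants and should be tuned against real traffic before it is used to block rather than alert. Either way, this is a compensating control for systems that cannot be patched immediately, not a substitute for upgrading Struts.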
According to Sonatype's data, only about one in five businesses stopped downloading affected versions of Apache Struts after Equifax disclosed its breach on 7 September 2017.
This means as many as 3,049 organisations downloaded vulnerable versions of the software, despite the Equifax breach and despite patched versions being available. “Downloading vulnerable versions of Struts is a symptom of a broader hygiene issue,” Wayne Jackson, Sonatype’s CEO told Fortune. “The problem is that these organisations don’t care enough to exert control, or don’t have infrastructure in place to know what’s being used.”
At the same time, organisations that were already running vulnerable versions of Apache Struts when the breach was revealed and patches were released are failing to update to the latest versions of the software.
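The first step in "knowing what's being used" is an inventory of the versions actually declared in build files. The following added example (not code from the article, Sonatype or the Struts project) audits a Maven pom.xml for Struts 2 artifacts and flags any version older than the releases that fixed the Content-Type flaw, which the Apache Struts security bulletin for that issue gives as 2.3.32 on the 2.3 line and 2.5.10.1 on the 2.5 line. The pom is constructed for the example; a real audit would also resolve versions inherited from parent poms and BOMs, which this script only reports.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Minimum Struts 2 releases containing the fix for the Content-Type flaw
# (Apache security bulletin S2-045): 2.3.32 for the 2.3 line, 2.5.10.1 for 2.5.
FIX_2_3 = (2, 3, 32)
FIX_2_5 = (2, 5, 10, 1)


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); trailing qualifiers such as '-SNAPSHOT' are dropped."""
    nums = re.match(r"[\d.]+", text.strip())
    if not nums:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in nums.group(0).strip(".").split("."))


def needs_upgrade(version):
    """True when a Struts 2 version predates the fixed release on its line.
    Anything older than the 2.3 line is treated as needing an upgrade too."""
    v = parse_version(version)
    if v[:2] == (2, 5):
        return v < FIX_2_5
    return v < FIX_2_3


def _text(elem, tag):
    child = elem.find(POM_NS + tag)
    return child.text.strip() if child is not None and child.text else None


def resolve(value, props):
    """Expand ${property} references using the pom's own <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def audit_pom(pom_xml):
    """Return (artifactId, version, status) for every org.apache.struts struts2-* dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_elem = root.find(POM_NS + "properties")
    if props_elem is not None:
        for p in props_elem:
            props[p.tag.replace(POM_NS, "")] = (p.text or "").strip()
    findings = []
    for dep in root.iter(POM_NS + "dependency"):
        group = _text(dep, "groupId")
        artifact = _text(dep, "artifactId") or ""
        version = _text(dep, "version")
        if group != "org.apache.struts" or not artifact.startswith("struts2-"):
            continue
        if version is None:
            # Version managed elsewhere (parent pom or BOM): cannot judge from this file.
            findings.append((artifact, None, "version inherited; check parent/BOM"))
            continue
        version = resolve(version, props)
        if "${" in version:
            findings.append((artifact, version, "unresolved property"))
        elif needs_upgrade(version):
            findings.append((artifact, version, "VULNERABLE: upgrade"))
        else:
            findings.append((artifact, version, "ok"))
    return findings


# Constructed sample pom (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>legacy-portal</artifactId>
  <version>1.0</version>
  <properties>
    <struts2.version>2.3.31</struts2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>2.5.13</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, status in audit_pom(SAMPLE_POM):
        print("%-30s %-10s %s" % (artifact, version, status))
```

Run this across every pom.xml in source control, or feed it the effective pom from `mvn help:effective-pom` so that inherited versions are resolved, and the output is a list of applications that are still on a version the Equifax attackers could have used. The same comparison applies to Gradle builds and to jars found on servers; only the parsing differs.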
Equifax came under fire for its poor patching practices that allowed the firm to be breached a full two months after a security update for Apache Struts was available.
Keeping software up to date continues to be a challenge for most organisations, because the complex interdependencies between components mean that software updates are rarely simple to do.
As RBS CISO Chris Ulliott pointed out at CrestCon 2018 in London, what appears to be a simple operating system upgrade for a single server can turn out to be rather complex.
For example, he said, if the server is running middleware that is not compatible with the new versions of the operating system, the middleware needs to be upgraded. “But then you discover there are thousands of applications that use that middleware, that need to be updated, amended or recoded as necessary, which turns a simple upgrade into a mammoth task,” said Ulliott.
While updating to the latest version of Apache Struts is essential, for many organisations it is a daunting task, which partly explains why many are slow to update or fail to do so at all. Security experts nevertheless advise that organisations should focus on removing vulnerable software from their IT environments as quickly as possible.
According to Ray DeMeo, COO and co-founder of security firm Virsec, patching is much more difficult, time-consuming and problematic than most people want to admit, even in the best-run organisations. “Most software updates don’t just fix bugs – they also introduce new or changed capabilities that always risk unexpected consequences,” he said.
DeMeo said that in addition, many older applications are limited to older platforms that are un-patchable or no longer supported. “We need to move beyond this mindset that patching is a security panacea, and look for ways to protect any application as is,” he said.
Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, said poor cyber practices simply make breaches a whole lot easier for threat actors.
“There’s no need for a high-value zero-day vulnerability to breach a network, one only needs to read the NIST [US National Institute of Standards and Technology] database of reported vulnerabilities.
“Eight days into May 2018 and there are already 156 vulnerabilities reported. Most of them will have patches available, but the vast majority of vulnerable systems will remain unpatched long enough for a cyber attacker to take advantage of the window of opportunity.
“Cyber threat actors understand this behavior and have developed processes for integrating exploit code as quickly as proofs of concepts are posted on Pastebin.com. Sometimes they don’t wait for a PoC [proof of concept] and develop their own working attack within hours or days of a vulnerability being disclosed.
“It is criminal in my opinion to knowingly postpone a security update beyond a reasonable amount of time and suffer a breach as a consequence,” he said.
The WannaCry attacks in May 2017 took advantage of Windows systems that had not been patched against EternalBlue, an exploit for the Server Message Block (SMB) protocol. “EternalBlue does not have to be eternal, we have the power to turn it into LegacyBlue by patching our systems,” said Hahad.