The Linux OS is one of the major computer operating systems that provide data security. Flickr photo by Farhan Perdana via Creative Commons

Editor’s note: Wired for Safety is a column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer University. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a doctoral student at Northeastern University with a concentration in Curriculum, Teaching, Learning, and Leadership. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.

“In general, patching does not work; you cannot patch a system that was badly designed in the first place. You may patch it until you are blue in the face, and every time you put in a patch, you introduce several new errors or flaws.” (Peter Neumann, 1996)

I’ve been reading many articles about the Baltimore city compromise. Many fingers are being pointed at the NSA for having sat on the vulnerability without reporting it; that will require another article. I was relieved to hear that an inquiry is being made into the security practices of the city. The tools alleged to have been used in this case became well known as a result of a leak of NSA tooling in 2017. Microsoft released a patch for the vulnerability alleged to have been exploited in Baltimore’s systems in March 2017, a month before the leaked tools were published, so the fix had been available for about two years by the time the city was hit. Does that sound familiar?

One of the reasons patching is so tricky is that networks are not usually designed with security in mind from the beginning, so patching, and implementing security controls generally, can cause significant disruptions to an organization’s processes.

Why isn’t it easy to figure out the processes an organization relies on? Imagine having to understand the flow of information in your own organization, then compare that with a city’s network, which spans many buildings and departments. It is hard, though not impossible, to map those information flows, then work out how to implement security controls without disrupting services, and sometimes to recommend a change in how people do their work. Patching may also not be possible in every situation, depending on the complexity and age of the system the software runs on and on how sensitive the operations that depend on that computer are. Systems that monitor or sustain patients in critical condition, that support emergency medical services or radio communications, or that process weather satellite data may have to be exempted from patching until thorough testing has been performed. Those systems are highly sensitive, and lives and property could be at stake as a result of any downtime.

Yes, I mentioned weather satellites. Have you ever checked to see how many planes are in the sky at any given time? Imagine that the weather satellites became unavailable. How would those aircraft receive severe weather alerts, and what would happen if a radio outage kept warnings about severe weather in their path from getting through? All information has value, so any computer system that creates, stores, or transmits it must be protected.

What organizations can do is implement compensating controls for systems that can’t be patched, or can’t be patched within a reasonable amount of time. Compensating controls help mitigate threats to those systems while the underlying vulnerability remains. Physical security controls are one example: limiting who has access to those computers, cameras, locks, multi-factor authentication to enter a facility, or security guards monitoring access.

Patching computer systems in organizations has to be carefully planned. Service disruptions are made worse by not having a backup plan, such as a tested rollback or a recent backup, if something breaks during the update process. Each organization has its own tolerance for uptime and downtime. That tolerance must be determined, and appropriate financial and staffing resources put in place, to mitigate a security incident before it occurs.

The other factor is that some organizations believe their unpatched systems are safe because they are not connected to the internet. But once an adversary gets inside the network, they can reach every system the compromised machine can reach, and on a flat internal network that includes the unpatched ones. Compensating controls can limit that access on the local network. A firewall can be put in front of the unpatched system (or the host’s native firewall enabled) with access to and from the computer restricted to the specific hosts and ports it needs; application whitelisting can restrict what is allowed to execute on the host; and the number of people with physical or remote access to those systems can be kept small.
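As an added example (not code from the column), here is a small Python model of the firewall control just described. It evaluates a first-match, default-deny rule set against sample connection attempts, all constructed for this example: an unpatched host at 10.0.50.10, a jump host at 10.0.1.5 that needs RDP to it, a backup server at 10.0.1.20 that needs SMB to it, and a user workstation at 10.0.20.15 that has already been compromised. None of these addresses, ports or hosts come from Baltimore’s network or from the article. The same evaluator is run against a flat any-to-any policy so the difference is visible, and a small audit helper lists which sources can still reach a given port.

```python
"""Model of a compensating control for an unpatched host: a first-match,
default-deny firewall policy evaluated against sample traffic.

Every address, port and host below is constructed for this example;
nothing here comes from the column or from a real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None means any port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        return (
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
            and self.proto in ("any", proto)
            and self.dport in (None, dport)
        )


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the action of the first rule that matches the flow.

    A flow that no rule matches is denied; that default-deny stance is
    what makes the policy a useful compensating control.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


def who_can_reach(rules: List[Rule], candidates: List[str], dst_ip: str, proto: str, dport: int) -> List[str]:
    """Audit helper: which of the candidate sources are allowed to reach the port."""
    return [src for src in candidates if evaluate(rules, src, dst_ip, proto, dport) == "allow"]


# Constructed addresses (assumptions for the example only).
UNPATCHED_HOST = "10.0.50.10"           # an old server that cannot take the patch
JUMP_HOST = "10.0.1.5"                  # administrators reach the host only from here
BACKUP_SERVER = "10.0.1.20"             # nightly backups pull files over SMB
COMPROMISED_WORKSTATION = "10.0.20.15"  # a user PC the adversary already controls

# "Before": a flat network where anything may talk to anything.
FLAT_NETWORK = [
    Rule("allow", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]

# "After": the host accepts only the two connections it actually needs.
SEGMENTED = [
    Rule("allow", JUMP_HOST + "/32", UNPATCHED_HOST + "/32", "tcp", 3389),     # RDP from the jump host
    Rule("allow", BACKUP_SERVER + "/32", UNPATCHED_HOST + "/32", "tcp", 445),  # SMB from the backup server only
    Rule("deny", "0.0.0.0/0", UNPATCHED_HOST + "/32", "any", None),            # everything else inbound
]


def lateral_smb_decision(rules: List[Rule]) -> str:
    """Decision when the compromised workstation tries SMB (tcp/445) to the unpatched host."""
    return evaluate(rules, COMPROMISED_WORKSTATION, UNPATCHED_HOST, "tcp", 445)


if __name__ == "__main__":
    candidates = [JUMP_HOST, BACKUP_SERVER, COMPROMISED_WORKSTATION]
    for name, policy in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        print(name, "lateral SMB:", lateral_smb_decision(policy),
              "| sources allowed to tcp/445:",
              who_can_reach(policy, candidates, UNPATCHED_HOST, "tcp", 445))
```

The rule set is also the thing to review periodically: if `who_can_reach` ever lists a workstation subnet for tcp/445, the control has drifted. Egress from the unpatched host is not modelled here; in practice restrict that too, so a compromised host cannot be used to reach the rest of the network.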

When patching cannot be performed, use compensating controls to help mitigate security threats. It is cheaper to restructure the network and create a secure one than to wait for a breach to occur. Estimates of the cost of the Baltimore breach have already reached more than $18 million.


Wired for Safety: Post-breach patching is difficult to do effectively