Not Patching is the Pathway to Sure Compromise

A surefire means to achieve a compromise of your systems is to operate equipment which has long ago hit its end-of-life (Windows XP boxes for example), or ignore the need to patch and update the software and firmware of those devices and apps which are quietly humming along within your ecosystem. Many have chosen to forego the level of effort needed to close vulnerabilities for any number of reasons, including the operational expense of taking off-line active production devices.

Those who delay are, unfortunately, betting on the inattentiveness of the cybercriminal, the unscrupulous competitor, and possibly a nation state or two.

Sadly yes, and more troubling is this appears to be a systemic problem across all industries, which has been well documented over the years. For example, in the 2015 Microsoft Security Intelligence Report, the authors revealed which identified (and remedied) exploit was most prevalent during the reporting period. The exploits, not surprisingly, were from years (not months) prior.

In the 2017 Verizon Data Breach Investigations Report (DBIR), evidence is presented which indicates the aforementioned phenomenon persists across multiple sectors. Their study focused on two data points with respect to patching: time to patch, and vulnerabilities not addressed. Not a single sector achieved 100 percent, with the education and finance sectors lagging behind IT, manufacturing, and healthcare by a large margin, clearly indicative of a lack of understanding of the need to promptly close identified vulnerabilities.

If addressing all is impossible, at least tackle those which may inflict the greatest pain immediately and then remediate the remainder systematically, with all vulnerabilities clearly highlighted as open. The DBIR suggests, “You should ground your process (patching) around the exploitability of the findings you are addressing.”
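One way to put the DBIR's advice into practice is to rank open findings by exploitability and exposure rather than by raw severity alone, and to keep every unpatched finding visibly listed as open. The following is an added illustration, not code from the article or from Verizon; the finding fields, the scoring weights, the sample hosts and the `VULN-nnn` identifiers are all constructed for the example.

```python
"""Added example (not from the article): a small vulnerability-triage helper
that ranks open findings by exploitability and exposure, in the spirit of the
DBIR advice quoted above. Field names and scoring weights are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass
class Finding:
    finding_id: str          # hypothetical tracker id, not a real CVE
    host: str
    cvss: float              # vendor base score, 0-10
    exploit_public: bool     # is a working exploit known to be circulating?
    internet_exposed: bool   # reachable from outside the perimeter?
    patch_released: date     # when the vendor shipped the fix
    patched: bool = False


def priority(f: Finding, today: date) -> float:
    """Higher means fix first. Exploitability dominates raw severity: a 6.5
    with a public exploit on an exposed host outranks an unexploited 9.8."""
    score = f.cvss
    if f.exploit_public:
        score += 10.0          # a known exploit is the strongest signal
    if f.internet_exposed:
        score += 5.0           # attackers reach exposed hosts first
    # Every 30 days the patch has sat unapplied adds a point, capped at 6.
    days_open = max(0, (today - f.patch_released).days)
    score += min(days_open / 30.0, 6.0)
    return round(score, 2)


def triage(findings: List[Finding], today: date) -> List[Finding]:
    """Return the still-open findings, most urgent first."""
    open_ones = [f for f in findings if not f.patched]
    return sorted(open_ones, key=lambda f: priority(f, today), reverse=True)


def open_report(findings: List[Finding], today: date) -> List[str]:
    """One line per open finding, so nothing unpatched is silently forgotten."""
    return [
        f"OPEN {f.finding_id} {f.host} priority={priority(f, today)}"
        for f in triage(findings, today)
    ]


# Constructed sample data for demonstration only.
TODAY = date(2017, 9, 20)
SAMPLE = [
    Finding("VULN-001", "web01", 6.5, True, True, date(2017, 3, 6)),
    Finding("VULN-002", "db02", 9.8, False, False, date(2017, 8, 29)),
    Finding("VULN-003", "xp-kiosk", 8.1, True, False, date(2017, 3, 14)),
    Finding("VULN-004", "hr-app", 7.2, False, True, date(2017, 9, 12), patched=True),
]

if __name__ == "__main__":
    for line in open_report(SAMPLE, TODAY):
        print(line)
```

In the sample, the moderate 6.5 on the exposed web host with a public exploit ranks above the critical 9.8 on the internal database, which is exactly the reordering the DBIR recommends; the patched finding drops out of the report, while everything else stays flagged as open until it is closed.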

Are entities still using Windows XP boxes? Remember WannaCry? Yes, they are, and you may be one of them if your Windows XP box fell victim to the WannaCry exploit and the ransomware that followed. Did the WannaCry episode force those still using an operating system which had long ago reached its end of life to change to a more modern and secure operating system? Not appreciably. According to NetMarketShare, approximately 6.07 percent of all desktops are still running Windows XP – trust me, the cybercriminals will continue to seek out these machines to exploit.

Now, WannaCry did induce Microsoft to create a patch to close the vulnerability for those boxes running XP; they also admonished users to update their operating system because after September 2017 (this was last week), newly identified vulnerabilities will not be addressed.

How Bad Can it Be if the Available Patch Isn’t Put in Place?

The Equifax data breach was made possible because a basic update of a server’s operating system had not taken place, even though the patch was provided months prior.

Health care providers have seen themselves compromised on a regular basis, as evidenced by the number of instances in which HIPAA violations are investigated by the Department of Health and Human Services (HHS) for “lack of safeguards of protected health information.” Indeed, eight of the ten breaches over the past 24 months with the highest number of individual patient records exposed involved network servers.

What Can a Company Do?

Some excellent advice on change management is provided by on best practices:

“Research indicates that poor change management practices will have a negative impact on your uptime and business costs. Organizations that lack proper change management within their patch management process will:

  • Spend more time “putting out fires” versus being a strategic arm of the business
  • Spend more money on new critical IT initiatives to achieve business goals
  • Experience significant downtime due to poor patch management control
  • Waste more money on unplanned work

Change management is essential for every stage of the patch management process, from testing, configuration management, and installation. Your staff or tools should track and document changes to your infrastructure during the entire patch management lifecycle.”

What Can an Individual Do?

Make sure you keep backups of the data on your devices, and include at least one cold-storage backup. Make sure your devices and the applications on those devices are automatically updating when updates are issued. This narrows the delta between announcement of the availability of the patch and the vulnerability closed on your device.

Close those vulnerabilities as fast as you possibly can, recognize which ones remain open and monitor them, and reach out to others for assistance as and when needed. It is in our collective interest that every one of our entities remains safe and secure.

What if Patching Will Break Other Systems in Your Environment?

Patching one system will occasionally cause other systems in your environment to break, and each organization must carefully consider the risks of the options in front of them. Should you patch one system with a known vulnerability only to make one other area of your environment unstable?

It’s not an easy choice for anyone, but we do acknowledge that just the blanket statement that all organizations should patch, no matter what, is not realistic in the world we live in.

Open, transparent conversations need to happen within the organization and with trusted external advisors in order to make the best decision, i.e. to accept one risk over another, for your organization.

About Christopher Burgess

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).