The First Rule of Cybersecurity Is Update Your Software
By Steve Rosenbush – The Wall Street Journal
There’s no easy way to make IT infrastructure fully secure from cyberattacks. But there’s an easy way to avoid a good many of the biggest threats that companies face. They can make sure that they patch their software and keep it up to date, WSJ Pro Cybersecurity’s Adam Janofsky explains in a story for Journal Reports. “Several companies have suffered more than $100 million in lost revenue over the past year due to a common and frequently overlooked cybersecurity issue: outdated software,” he writes.
Behold, the unpatched. Last May, WannaCry ransomware hit health-care organizations across England. Hospitals had to find manual workarounds for a variety of tasks. The attack spread by exploiting a known vulnerability for which Microsoft Corp. had issued a patch months earlier. Weeks later, consumer-goods company Reckitt Benckiser Group PLC, pharmaceutical firm Merck & Co. and shipping giant A.P. Moller-Maersk A/S reported losses totaling about $130 million, $135 million and $300 million, respectively, after the NotPetya ransomware made servers and computers unusable. That attack spread using the same vulnerability.
Patching is difficult, but not impossible. Defense contractor Raytheon Co. has five people who manage rollouts of patches and monitor whether customers are updating systems, says CISO Jeff Brown. When the team learns of a new patch, they assign a priority level to it—low, medium, high or critical. Some systems may be patched within hours. The goal is for about 95% of the devices to be patched within a few days. The remaining 5% usually consists of people on vacation, and servers that can’t run the patch because they have a unique configuration or have applications that won’t work if the patch is installed. “You’re never going to get to 100% patched—it’s a worthy goal, but it’s never going to happen,” Mr. Brown says.
As it turns out, there’s an even easier… and CHEAPER… solution: Virtual Patching with Waratek.
Each security patch issued by Oracle, Microsoft, IBM, Apache or any software developer starts a relay race. One team is the malicious hackers who exploit new flaws to steal valuable data or take control of an important process. The other runners are application security and development teams who need weeks, months, or years – if ever – to fully patch known software flaws across an enterprise. Losing the race is not an option.
Waratek Patch is a lightweight runtime plugin agent for Java and .NET-based applications. Using “virtual” patches, teams can instantly protect applications from known flaws – including long-term unpatched vulnerabilities – without any code changes or taking an application out of production.
Virtual patches function just like a physical binary patch, but dramatically reduce the time to patch and the risk of being breached while waiting to apply a critical update. A virtual patch can be applied within hours of the release of a routine or emergency patch without the risk of breaking an application.