• Are your systems vulnerable to attack? Exploring best practices for IT

Are your systems vulnerable to attack? Software patching, IT risks and best practices

24 February 2020

Hackers are successfully exploiting a Citrix vulnerability, infecting businesses with ransomware and demanding tens of thousands of pounds for removal. Once a company is infected, there is very little that can be done about it. With nearly 500 Citrix servers in the UK still exposed to the critical security flaw, it underlines the need for an effective patch management plan. What measures does your business have in place?

Citrix first announced the vulnerability, known as CVE-2019-17981, on 17 December last year, recommending temporary measures to protect businesses. From 19 January 2020, it released a series of permanent software patches. However, as of 6 February 2020, 21% of exposed companies in the UK still hadn’t applied the necessary patches. Nigel Morris from BDO’s Technology Advisory Services (TAS) team explores what you need to know to ensure your business is protected from this and other serious security breaches.

So what is a software patch?

A software patch is a program update that is normally applied to temporarily or permanently fix a security vulnerability or other program malfunction.

Act fast or suffer the consequences

The speed at which these attacks can escalate means that businesses need to act fast. In the ongoing Citrix case, up to 80,000 systems were thought to be at risk worldwide. Once an attacker discovers the vulnerability, they have direct access to the local network within minutes and are then able to copy files and install malware. The attacker doesn’t even need access to any of your accounts or passwords so the attack can be performed by anyone armed with the right knowledge and an internet connection.

Types of vulnerability

There are many forms of vulnerability, and the way you approach each one should be in direct proportion to the magnitude of the threat. If patches aren’t implemented, the consequences can range from minor inconveniences to major business mission impactors. Yet applying software patches also has a downside. Frequent software updates can disrupt operations, causing another set of problems for your business. If you have a patch management plan in place you can understand the risks and prioritise essential maintenance. There are six types of vulnerability that regularly cause major issues; namely, directory traversal, unprotected APIs, buffer attacks, SQL injection, cross-site scripting and third-party libraries.

Directory traversal

The recent Citrix vulnerability is an example of a directory traversal. This allows unauthorised access to local directories or remote machines, where a URL or directory string is not validated and permissions have not been configured correctly.

Unprotected APIs

Probably the fastest growing exploit, APIs (Application Programming Interfaces) allow systems to interact across networks. Unfortunately, they are often poorly understood and badly configured with inadequate authentication, resulting in data loss or system malfunction.

Buffer Attacks

Applications use buffers to store data temporarily in memory. An intruder may overfill a buffer, or read or write data to unprotected areas, causing an application crash or other unexpected outcomes.  Buffer attacks are one of the most common forms of attack.

SQL Injection

SQL (Structured Query Language) is a scripting language used to view and modify data in a database. SQL scripts can be “injected” into input fields or URLs that lack validation, to retrieve or manipulate data. A developer can easily prevent SQL injection, yet it remains a common vulnerability.

Cross-Site Scripting

Cross-Site Scripting (XSS) uses an injection mechanism to embed code into a website to modify the way it works. Examples of XSS include creating fields that collect banking information from customers, and prompting visitors to download files that contain malware.

Third-party library vulnerabilities

When developing applications, programmers frequently utilise code created by third-parties, either purchased off-the-shelf or open source, to save time and money. Often they exercise little or no control over the contents of the library, leading to exposure to embedded vulnerabilities.

What to patch

Now you know the most common types of vulnerability, how do you know what patches need to be applied? For most common productivity and line of business applications, the supplier will identify or be informed of a vulnerability, and develop and distribute its own patch. Similarly, suppliers of technology devices will provide firmware patches. For less common applications, particularly those developed in-house, and for coverage of the wider software and hardware estate, you should consider running a Vulnerability Assessment System (VAS) on a regular (we recommend at least monthly) basis. A VAS can identify issues, analyse the causes, assess and quantify the risk, and suggest remedial actions.

How to patch

Patching applications and devices, particularly in large numbers, can be a complex and time consuming task. Fortunately, there are a plethora of tools available to manage the process of obtaining patches from suppliers, and the timing and method of their installation. Microsoft offers Windows Server Update Services (WSUS) for its products, but there are many similar tools available from third parties, either dedicated to patch management or integrated within a larger service management suite.

When to patch

Whilst your immediate reaction might be “as soon as possible”, you should consider all the implications of installing a patch. What is the risk of not installing? Equally, what might be the impact of installing? Ideally, you would test the impact of a patch by first applying it in a test environment, but sometimes the risk is too great to delay. Known vulnerabilities in publicly released software packages are logged in a public database, where they are assigned a CVE (Common Vulnerabilities and Exposures) reference and a CVSS (Common Vulnerability Scoring System) severity score. Suppliers translate this score into their own terminology to describe the criticality and priority of applying the patch, and their advice is best heeded! As the board member responsible for IT you are accountable for the security of your organisation’s systems, and you need to ensure you have a plan to manage patching that it is practical and effective.

The BDO difference

Here at BDO, we understand the challenges that the non-technical board member faces when they become responsible for IT. Our Technology Advisory Service (TAS) team has an extensive hands-on track record of delivering strategic, operational and technical IT advisory services. We’ve developed our services with the non-technical board director in mind and we provide management and support services to suit each client’s needs.

Please contact Nigel Morris to find out more about our practical independent advice and IT support services.

Discover Similar Articles