If there’s one thing an organisation should do to protect its network from cyber attacks, it’s turn on automatic updates for security patches so cyber criminals and other malicious hackers can’t exploit vulnerabilities which have already been fixed.
The advice comes from the UK’s National Cyber Security Centre – the cyber arm of GCHQ – which recommends applying security patches as soon as they’re available as one of the simplest things an organisation can do to prevent intruders entering their networks.
“Patching is now so much easier and so much less risky than it was when we first started doing this stuff. If there’s one thing that anyone out there wants to take away, turn on automatic updates, please – even if you’re an enterprise, turn on automatic updates,” said Dr Ian Levy, technical director of the NCSC, speaking at the cybersecurity agency’s CYBERUK 2021 virtual event.
“The sort of things we’ve seen over the last six to nine months like the big vulnerabilities and the big incidents, a lot of them come down to people not patching properly. And I know it’s really boring but it is really important”.
Levy detailed how the NCSC contacted organisations after the recent vulnerabilities in Microsoft Exchange Server came to light to encourage them to patch their systems – yet some of these still took weeks to apply the updates, all the while potentially leaving themselves open to cyber criminals and other hostile hacking groups actively looking to exploit the flaws
SEE: Network security policy (TechRepublic Premium)
“People were taking weeks and weeks to patch, even though there was all the noise in the news, even though we were individually contacting them to say ‘hey, you’ve got a vulnerable Exchange server, please patch’,” he explained.
When vulnerabilities are made public, cyber attackers will actively look for networks which have yet to apply the patches. But information security teams can beat criminal hackers to the punch by examining their own networks for potential vulnerabilities, such as unsecured internet facing Remote Desktop Protocol (RDP) ports.
“Think about how people select victims – look across your external facing stuff and you can see exactly what they can see,” Levy said. “As soon as RDP pops up, run back home and turn it off because it shouldn’t be connected to the internet any more”.
But Levy also warned that some organisations don’t help themselves at all when it comes to applying security updates, noting that the NCSC is aware of over 1,000 endpoints in the UK which are still vulnerable to BlueKeep, a critical vulnerability in Microsoft’s RDP implementation which allows attackers to remotely execute malicious code on machines.
It was detailed and patched two years ago but the organiations which haven’t applied the update are still at risk of a vulnerability popular with cyber threat groups.
“That’s not okay, that’s not been patched; we know that’s one of the favourite ways of various threat groups to get in – external facing unpatched vulnerabilities, you kind of deserve what you get if you’re on that space these days!,” said Levy.
However, there the vast majority of organisations are taking advice on board and learning from major incidents like the SolarWinds supply chain hack or the Microsoft Exchange server attacks – and one of the key things organisations need to do to secure their infrastructure from cyber threats is to provide their information security teams with the resources needed to do things like apply the patches.
“This can be done, there are organisations, companies, sectors that do this effectively. This isn’t a technical problem any more, it’s an investment problem, it’s a skills problem it’s making sure you use the right capabilities in the right way and make the right investment choices,” said Paul Chichester, director of operations at the NCSC.
“This is not something that’s impossible to fix. Even the highest-end nation state, you can defend against those capabilities and the technology and capabilities is out there,” he added.
The NCSC also hopes that the publicity around these high-profile cyber events is reaching the boardroom and that directors are taking notice and asking questions about how they can ensure they’re not the next organisation in the news for being breached.
“My sense is the benefit of having SolarWinds as a shorthand for a much wider set of activity is there is a bit more conversation in the boardroom, there’s been a lot of coverage on this incident,” said Lindy Cameron, CEO of the NCSC.
“My hope is CEOs are asking questions of their CISO and actually demanding to know there’s a system in place to make sure they can patch on a regular basis,” she added.
MORE ON CYBERSECURITY