Security Negligence: Failure to Patch

By now, most of the world has heard of the monstrous security breach that occurred at Equifax. Its CEO recently took ‘early retirement’, which is no surprise since the debacle exposed millions of consumers’ personal data. If the incident had never happened, he would probably still have his corner office. In the last few weeks, large breaches have been uncovered at Deloitte and the SEC, and malware aimed at large tech giants such as Cisco and Intel was inserted into CCleaner software. This is in addition to the numerous DDoS attacks that are reported daily.

Many of these episodes could have been stopped. We know this because organizations, including Equifax, frequently note that they should have patched up the weak spot… but didn’t. To sum it up, businesses admit to suffering from security negligence.

Many of the recent cyberattacks involve data exfiltration – when hackers siphon out valuable intelligence from a business. Oftentimes the most insidious path is to go through the Domain Name System (DNS) – the way that Internet domain names are located and translated into IP addresses and vice versa. Cybercriminals manipulate the DNS protocol to act as a ‘file transfer’ protocol, and by default this traffic is seen as legitimate. Most businesses don’t even know it is happening until it is too late. It’s like a leaky faucet – drops of confidential data coming out slowly and unnoticeably until there is enough to fill an entire bucket.
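One way to spot the "leaky faucet" is to stop judging DNS queries one at a time and instead measure how much subdomain text each client has sent to each domain. The sketch below is an added example, not code from this article; the function names, thresholds, IP addresses and domains are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

def entropy(text):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def find_dns_leaks(queries, min_unique=8, min_chars=200, min_entropy=3.5):
    """Flag (client, domain) pairs whose subdomains look like a data channel.

    queries: iterable of (client_ip, queried_name) taken from resolver logs.
    The three thresholds are illustrative assumptions, not tuned values.
    """
    seen = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part, so nothing can be carried
        # Assumption: the last two labels are the registered domain
        # (a production detector would use the public suffix list).
        seen[(client, ".".join(labels[-2:]))].add("".join(labels[:-2]))

    flagged = {}
    for key, subs in seen.items():
        payload = "".join(sorted(subs))  # every distinct "drop" for this pair
        if (len(subs) >= min_unique and len(payload) >= min_chars
                and entropy(payload) >= min_entropy):
            flagged[key] = {"unique": len(subs), "chars": len(payload),
                            "entropy": round(entropy(payload), 2)}
    return flagged

# Constructed sample log: ordinary lookups plus ten queries that each carry
# 16 hex-encoded bytes in the leftmost label of a hypothetical domain.
_blob = bytes(range(160)).hex()
SAMPLE_QUERIES = (
    [("10.0.0.5", "www.example.com")] * 20
    + [("10.0.0.7", "mail.example.com"),
       ("10.0.0.7", "d3k2j1h4g5x9.cdn-host.example")]
    + [("10.0.0.5", f"{_blob[i:i + 32]}.exfil.example")
       for i in range(0, len(_blob), 32)]
)

if __name__ == "__main__":
    for (client, domain), stats in find_dns_leaks(SAMPLE_QUERIES).items():
        print(client, domain, stats)
```

No single query in the sample is remarkable; the pair is flagged only because ten distinct, high-entropy labels add up to 320 characters sent to one domain.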

Recently, a global DNS threat report revealed that 76 percent of organizations (80% of businesses in the U.S.) have been subjected to a DNS attack in the last 12 months, with 28 percent suffering data theft. DNS attacks ranged from malware (36%) to DDoS attacks (30%) and DNS tunneling (20%). One fifth (19%) stated that in the last year they experienced five attacks or more, with most enduring between 11 and 15 separate attacks. The study also revealed that a large organization spends on average over $2 million per year fixing the damage caused by these attacks. The most shocking revelation was that almost ALL U.S. organizations (98%) did not apply the necessary security patches and only 86 percent applied half of the required patches on their DNS servers. There you have it: Security Negligence. Businesses are opening themselves up to risk each time they skip an update.

Every IT vendor releases patches – a lot of patches. Some are more critical to a business than others. Companies need to prioritize updates, especially those that can protect a company’s intellectual and digital property. Organizations need to stop putting their primary efforts into maintaining systems that continue to fail against attacks – such as firewalls and virus scanning. An educational initiative about patching and the repercussions of certain failures must be embraced to shift the current mindset.

IT departments also need to change the way they secure the infrastructure, especially the DNS. Case in point: research points to the fact that IT departments that experienced a DNS attack took almost a full day to mitigate it – taking the affected part of the business offline for 6 hours or more. Isn’t that accomplishing exactly what a hacker set out to achieve? Organizations must amend their playbook and learn to play a stronger offense in this game of cybersecurity. Otherwise, they can add their brand to the long list of names that have been hacked.