Computer security only happens when software is kept up to date. That should be a basic tenet for business users and IT departments.
Apparently, it isn’t. At least for some Linux users who ignore installing patches, critical or otherwise.
A recent survey sponsored by TuxCare, a vendor-neutral enterprise support system for commercial Linux, shows companies fail to protect themselves against cyberattacks even when patches exist.
Results reveal that some 55 percent of respondents had a cybersecurity incident because an available patch was not applied. In fact, once a critical or high priority vulnerability was found, 56 percent took five weeks to one year on average to patch the vulnerability.
The goal of the study was to understand how organizations are managing security and stability in the Linux suite of products. Sponsored by TuxCare, the Ponemon Institute in March surveyed 564 IT staffers and security practitioners in 16 different industries in the United States.
Data from respondents shows that companies take too long to patch security vulnerabilities, even when fixes already exist. At the same time, many of the respondents reported feeling a heavy burden from a wide range of cyberattacks.
This is a fixable issue, noted Igor Seletskiy, CEO and founder of TuxCare. It is not because the solution does not exist. Rather, it is because it is difficult for businesses to prioritize future problems.
“The people building the exploit kits have gotten really, really good. It used to be 30 days was best practice [for patching], and that is still an ideal best practice for a lot of regulations,” TuxCare President Jim Jackson told LinuxInsider.
Main Takeaways
The survey results expose the misconception that the Linux operating system is secure and foolproof without intervention. Users who hold that belief often don’t even activate a firewall. Consequently, many of the pathways for intrusion result from vulnerabilities that could have been fixed.
“Patching is one of the most important steps an organization can take to protect themselves from ransomware and other cyberattacks,” noted Larry Ponemon, chairman and founder of Ponemon Institute.
Patching vulnerabilities is not just limited to the kernel. It needs to extend to other systems like libraries, virtualization, and database back ends, he added.
In November 2020, TuxCare launched the company’s first extended lifecycle support service for CentOS 6.0. It was wildly successful right off the bat, recalled Jackson. But what continues to trouble him is new clients coming for extended lifecycle support who had not done any patching.
“I always ask the same question. What have you been doing for the last year and a half? Nothing? You haven’t patched for a year. Do you realize how many vulnerabilities have piled up in that time?” he quipped.
Labor-Intensive Process
Ponemon’s research with TuxCare uncovered the issues organizations have with achieving the timely patching of vulnerabilities. That was despite spending an average of $3.5 million annually, and more than 1,000 staff hours weekly, on monitoring systems for threats and vulnerabilities, patching, and documenting and reporting the results, according to Ponemon.
“To address this problem, CIOs and IT security leaders need to work with other members of the executive team and board members to ensure security teams have the resources and expertise to detect vulnerabilities, prevent threats, and patch vulnerabilities in a timely manner,” he said.
The report found that respondents’ companies that did patch spent considerable time in that process:
- The most time spent each week went to patching applications and systems: 340 hours.
- Monitoring systems for threats and vulnerabilities took 280 hours each week.
- Documenting and/or reporting on the patch management process took 115 hours each week.
For context, these figures relate to an IT team of 30 people and a workforce of 12,000, on average, across respondents.
Boundless Excuses Persist
Jackson recalled numerous conversations with prospects who repeat the same sordid tale. They mention investing in vulnerability scanning. They look at the vulnerability report the scanning produced. Then they complain about not having enough resources to actually assign somebody to fix the things that show up on the scan reports.
“That’s crazy!” he said.
Another challenge companies experience is the ever-present whack-a-mole syndrome. The problem gets so big that organizations and their senior managers just do not get beyond being overwhelmed.
Jackson likened the situation to homeowners trying to secure their houses. Plenty of adversaries lurk as potential break-in threats, and we know they are coming to look for what is inside.
So people invest in an elaborate fence around their property and monitor cameras to try to keep an eye on every angle, every possible attack vector, around the house.
“Then they leave a couple of windows open and the back door. That is kind of akin to leaving vulnerabilities unpatched. If you patch it, it is no longer exploitable,” he said.
So first get back to the basics, he recommended. Make sure you do that before you spend on other things.
Automation Makes Patching Painless
The patching problem remains serious, according to Jackson. Perhaps the only thing that is improving is the ability to apply automation to manage much of that process.
“Any known vulnerability we have needs to be mitigated within two weeks. That has driven people to automation for live patching and more things so you can meet tens of thousands of workloads. You can’t start everything every two weeks. So you need technologies to get you through that and automate it,” he explained as a workable solution.
Jackson said he finds the situation getting better. He sees more people and organizations becoming aware of automation tools.
For example, automation can apply patches to OpenSSL and glibc while services are using them, without having to bounce the services. Database live patching, now in beta, lets TuxCare apply security patches to MariaDB, MySQL, MongoDB, and other databases while they are running.
“So you do not have to restart the database server or any of the clients they use. Continuing to drive awareness definitely helps. It seems like more people are becoming aware and realizing they need that kind of a solution,” said Jackson.
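The gap Jackson describes is easy to confirm on your own hosts. When a package update replaces a shared library such as libssl or libc, the new file lands on disk, but every process that already loaded the old copy keeps running the old, unpatched code until it restarts (or is live patched). The Linux kernel flags exactly that state: in /proc/<pid>/maps the replaced file shows up with a trailing "(deleted)". The script below is an added example written for this article, not TuxCare's tooling or anything from the survey; it assumes standard Linux /proc semantics, and the sample maps content embedded in it is constructed for illustration.

```shell
#!/bin/sh
# Added example: find running processes that still map a shared library which
# has since been replaced on disk. The kernel appends "(deleted)" to such
# entries in /proc/<pid>/maps, so a service that received a library update
# but was never restarted (and not live patched) is still running the old code.

# stale_libs_in_maps: read one /proc/<pid>/maps from stdin and print each
# distinct shared-object path that is mapped but has been deleted or replaced.
# Field layout: address perms offset dev inode [path] ["(deleted)"]
stale_libs_in_maps() {
    awk '
        $NF == "(deleted)" && $6 ~ /\.so(\.[0-9]+)*$/ {
            if (!seen[$6]++) print $6
        }
    '
}

# scan_running_processes: walk /proc and print "pid<TAB>comm<TAB>library" for
# every process that still maps a replaced library. Run as root to see all
# processes; other users' maps are unreadable and silently skipped.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_libs_in_maps 2>/dev/null < "$maps") || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed sample (not a real capture): a process that loaded libssl before
# the package was upgraded, plus a current libc, an anonymous mapping and a
# memfd that must not be reported even though it is also "(deleted)".
SAMPLE_MAPS=$(cat <<'EOF'
7f0a8c200000-7f0a8c228000 r--p 00000000 fd:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f0a8c228000-7f0a8c300000 r-xp 00028000 fd:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.3 (deleted)
7f0a8c400000-7f0a8c428000 r--p 00000000 fd:01 1322 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0a8c600000-7f0a8c601000 rw-p 00000000 00:00 0
7f0a8c700000-7f0a8c701000 rw-s 00000000 00:01 45 /memfd:scratch (deleted)
EOF
)

# demo_sample: run the parser over the constructed sample; prints only libssl.
demo_sample() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_libs_in_maps
}

# Uncomment to audit the live system:
# scan_running_processes
demo_sample
```

Anything the scan reports is a patched-on-disk, unpatched-in-memory service; the fix is a restart or a live patch, and the report is a useful sanity check after every library update. Distribution tools such as needs-restarting (yum-utils) and checkrestart (debian-goodies) apply the same idea.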