Yesterday’s update from Equifax on the Apache Struts vulnerability that left 143 million of their US customers open to attack offers a chilling reminder to organisations of all sizes of the consequences of a failed patch management process.
The most staggering aspect of this case is that the vulnerability had not only been in the public domain since early March, but that following a number of successful web server attacks, a security patch had been released on March 6th.
As yet, Equifax haven’t offered any specific details on how the security failure occurred, but a Baird Equity report published September 9th rightly raises concerns that for over two months, Equifax failed to implement a high-profile critical vulnerability fix.
Whilst many smaller organisations will wonder how a company with the technology resources that Equifax has at its disposal could suffer a breach of this magnitude, the barriers to good patch management practice that can easily affect smaller organisations could also have been at play in this case.
Even though system security is a business-critical factor in operational risk, organisations can struggle to create and maintain appropriate patching frameworks without clear security and change management leadership, and a culture that puts system health at the forefront of operational priorities.
Key challenges faced by organisations are easily recognisable:
- Technology operations are overseen by someone several steps removed from the in-house teams responsible for implementing security
- In-house expertise simply doesn’t cover some of the more niche areas of the application environment and understanding of patching requirements is lacking
- Contracted engineers are working with limited accountability, engagement or responsibility
- Successful patch evaluation and implementation can require a significant amount of expertise and time from engineers with already demanding workloads
- System complexity can lead to extensive patch evaluation, prioritisation and implementation challenges
- The risk of patches adversely affecting third-party proprietary system components can sometimes be difficult to assess with confidence
- Patching can affect numerous dependent system components, increasing risk and implementation complexity
- Legacy architecture is used that is now inherently difficult to maintain
- Patching can present co-ordination challenges for organisations with dependent systems or services across several sites or teams
- The organisation’s security framework simply isn’t robust enough to meet the needs of the business operations, or lacks leadership
As providers of managed services and support for application environments, we understand how difficult it can be for organisations of any size to overcome these challenges, which is precisely why security patch management is such a critical part of our managed service offering.
With expertise across the Java middleware landscape, our engineers specialise in application environments of varying architectural complexity, covering both unsupported community and enterprise open source technologies.
Whether working with Oracle customers faced with implementing SOA Suite bundle patches, Tomcat users needing bespoke security patch development, or JBoss customers trying to negotiate cumulative patching cycles, our in-depth understanding of customer environments and operational needs is at the heart of a responsive and expert patch management service.
It may be that smaller organisations don’t present as big a trophy as Equifax to malicious attackers, but regardless of size, exposure remains the same - and so too does the need for risk management. After the Apache Struts vulnerability exposed security failures in so many organisations, perhaps now is the time to audit your environment and put a patching strategy in place that keeps you and your customers out of the news!
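A first step in the audit the post recommends is simply knowing which Struts versions are deployed where. The script below is an added illustration, not code from this post or from the company behind it: it walks a deployment tree, picks out `struts2-core-*.jar` files (including ones bundled inside `.war` and `.ear` archives) and compares each version against a minimum patched version for its release line. The jar naming pattern, the `/opt` default root and the baseline version numbers are my assumptions; confirm the baselines against the Apache Struts security advisory for the vulnerability in question before relying on the result.

```python
import os
import re
import zipfile
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

Version = Tuple[int, ...]

# Assumed jar naming convention: struts2-core-2.3.31.jar, struts2-core-2.5.10.1.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")

# Assumed minimum patched version per release line (major.minor).
# These values are an assumption for illustration; verify them against the
# vendor advisory for the vulnerability you are auditing for.
DEFAULT_BASELINES: Dict[Tuple[int, int], Version] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}


def parse_version(text: str) -> Version:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def struts_version_from_jar(path: str) -> Optional[Version]:
    """Return the Struts version encoded in a jar file name, or None if not a core jar."""
    match = JAR_RE.match(os.path.basename(path))
    return parse_version(match.group(1)) if match else None


def assess(version: Version, baselines: Dict[Tuple[int, int], Version] = DEFAULT_BASELINES) -> str:
    """Classify a version as patched, vulnerable, or on a release line we have no baseline for."""
    baseline = baselines.get(version[:2])
    if baseline is None:
        # e.g. a 2.1.x or 2.2.x jar: end-of-life lines need a manual decision, not silence
        return "unknown-line"
    # Tuple comparison orders (2, 5, 10) before (2, 5, 10, 1), which is what we want
    return "patched" if version >= baseline else "vulnerable"


def audit_jars(jar_paths: Iterable[str],
               baselines: Dict[Tuple[int, int], Version] = DEFAULT_BASELINES) -> List[Tuple[str, str, str]]:
    """Produce (path, version string, status) for every Struts core jar in the input."""
    findings = []
    for path in jar_paths:
        version = struts_version_from_jar(path)
        if version is None:
            continue
        findings.append((path, ".".join(map(str, version)), assess(version, baselines)))
    return findings


def find_jars(root: str) -> Iterator[str]:
    """Walk a directory tree yielding Struts core jars, looking inside .war/.ear archives too."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if JAR_RE.match(name):
                yield full
            elif name.endswith((".war", ".ear")) and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as archive:
                    for member in archive.namelist():
                        if JAR_RE.match(os.path.basename(member)):
                            # Report archive members as archive!member so the finding is locatable
                            yield f"{full}!{member}"


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/opt"  # assumed default root
    for jar_path, ver, status in audit_jars(find_jars(scan_root)):
        print(f"{status:12} {ver:10} {jar_path}")
```

Run it as `python3 audit_struts.py /path/to/deployments` on each host, or feed it a list of paths gathered from a configuration management inventory. A jar that is absent from the file name pattern (for example a shaded or renamed build) will not be found by this check, which is exactly the kind of niche component the post warns that in-house expertise may not cover; treat an empty result as "nothing matched the pattern", not as "nothing is deployed".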