Why is it difficult to patch old vulnerabilities?


Unpatched software creates an open invitation for hackers. In 2019, 60% of breaches could be blamed on unpatched software. Many of these attacks are not exploiting newly discovered vulnerabilities, but are targeting issues that are a decade old, or more. Whether an organization is large or small, maintaining a full view of its IT suite is far from straightforward. Software and hardware can be lost and forgotten—unpatched and ready to be attacked.

About the author

Matthew Gracey-McMinn is Head of Threat Research at Netacea.

The majority of malicious traffic that hits enterprise firewalls is part of random spray-and-pray style attacks. Attackers are lazily deploying all sorts of exploits against everything on the internet. For hackers the job is easy and automated, with the luxury of deploying a range of tools so that they can try everything that may work, including both modern and older exploits. For these unsophisticated hackers, it’s a numbers game; if you try enough times then sooner or later you may just get lucky—one success out of hundreds of thousands can mean enough profit to make it all worth it. The network access gained by the exploit can even be sold on to more sophisticated hackers who can use it to steal data, install ransomware and do some real damage.

Much of the advice available demands that businesses patch more regularly, but it's not so simple. There are cases where security teams are unable to prioritize patching because they are overstretched, but the more common causes of an asset not being patched are organizational and administrative.

Under the radar

These are just some of the reasons why patches might slip under the radar:

The security team didn't know about the asset: Many attacks are the result of a device that was supposed to have been decommissioned or was not on an asset inventory—meaning it was on the internet without being fully patched and protected. You can't protect what you don't know exists.

In one case, a 7-year-old vulnerability was used to compromise a server at a large global organization. This server had been decommissioned several years prior, but the decommissioning hadn't been completed properly and the server's access to the network remained hidden. The organization's security team was unaware that the server remained online, and so it was left unprotected. The attacker who compromised the server sold access to another attacker, who was then able to use this as a foothold to gain access to the wider network.

The patch could break the software or device: This is a common excuse given for not patching a device. In many environments, bespoke business-critical software is not updated in line with OS upgrades—sometimes the companies producing this software have ceased supporting it due to its age, and in some cases the companies no longer exist to provide support. Businesses are reluctant to switch out this software or make extensive changes to keep it in line with broader upgrading and patching requirements. If it ain't broke, why fix it?

The application of patches in this case could interfere with business continuity, breaking software that is needed for business-critical tasks. Businesses will often choose to accept the risk of not patching, leaving these devices vulnerable to older exploits.

The security team lacks authority to patch a device: Internal divisions and politics can make the practical application of patching difficult for the security team. For instance, where an organization is part of a larger group or has a number of teams all disconnected and responsible for managing their own IT assets, it is often very difficult to ensure that patching is done correctly and in a timely fashion.

It's common to hear complaints about a lack of direct control over vulnerable devices and that the teams directly responsible for these devices have priorities other than patching. By leaving one weak spot, attackers can take advantage of this entry point and eventually compromise the rest of the network. One weak link is all it takes to break the chain.

Prioritizing vulnerability management

An organization could have the best cybersecurity tools in place, but still be open to attacks thanks to old devices or tools which exist out of sight. To solve this, dedicated vulnerability management teams are needed. Tools are not a complete security solution, as they cannot protect what is not visible.

To work, vulnerability management teams must:

  • Ensure that they have an accurate and up-to-date asset inventory, and a means of confirming that the commissioning and decommissioning of devices is accurately tracked and audited.
  • Require that suppliers keep critical software up-to-date. Where this is not possible, devices should be sectioned off from the rest of the network and secured behind other defenses so that attackers cannot easily reach them.
  • Make it known across the organization that vulnerability management is a priority for the organization and it has the remit and authority to patch all devices. Where these devices are not directly managed centrally, parties responsible for those devices should be required to patch them in a timely fashion at the behest of the vulnerability management staff.
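The decommissioned-but-still-online server described earlier and the first and third points in the list above come down to one recurring check: reconcile what the inventory says against what is actually answering on the network, and hand each owning team a concrete list of what to fix. The script below is an added example, not Netacea's or the author's code; the inventory records, scan results, team names, IP addresses and the 90-day patch threshold are all constructed sample values.

```python
"""Reconcile an asset inventory against hosts actually seen on the network.

Added example (not from the article or Netacea): the inventory records,
scan results, owners and thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class InventoryRecord:
    asset_id: str
    ip: str
    status: str                   # "active" or "decommissioned"
    owner: str                    # team responsible for patching the device
    last_patched: Optional[date]  # None = never patched / unknown


@dataclass(frozen=True)
class ObservedHost:
    ip: str
    last_seen: date


# Constructed sample inventory (what a CMDB export might look like).
INVENTORY = [
    InventoryRecord("A-001", "10.0.1.10", "active", "platform", date(2021, 5, 3)),
    InventoryRecord("A-002", "10.0.1.11", "active", "finance-it", date(2019, 2, 14)),
    InventoryRecord("A-003", "10.0.1.12", "decommissioned", "platform", date(2014, 8, 20)),
    InventoryRecord("A-004", "10.0.1.13", "active", "platform", None),
]

# Constructed sample of hosts a network scan saw on the report date.
REPORT_DATE = date(2021, 6, 1)
OBSERVED = [
    ObservedHost("10.0.1.10", REPORT_DATE),
    ObservedHost("10.0.1.12", REPORT_DATE),  # "decommissioned" but still answering
    ObservedHost("10.0.1.13", REPORT_DATE),  # active, never patched
    ObservedHost("10.0.1.50", REPORT_DATE),  # not in the inventory at all
]


def reconcile(inventory, observed, today, max_patch_age_days=90):
    """Compare inventory records with observed hosts and return the gaps."""
    by_ip = {r.ip: r for r in inventory}
    seen = {h.ip for h in observed}
    cutoff = today - timedelta(days=max_patch_age_days)

    findings = {
        "unknown_assets": [],          # on the network, absent from the inventory
        "decommission_incomplete": [], # recorded as retired, still reachable
        "not_observed": [],            # inventory says active, scanner did not see it
        "patch_overdue": [],           # active but last patched before the cutoff
    }
    for host in observed:
        rec = by_ip.get(host.ip)
        if rec is None:
            findings["unknown_assets"].append(host.ip)
        elif rec.status == "decommissioned":
            findings["decommission_incomplete"].append((rec.asset_id, rec.owner))
    for rec in inventory:
        if rec.status != "active":
            continue
        if rec.ip not in seen:
            findings["not_observed"].append(rec.asset_id)
        if rec.last_patched is None or rec.last_patched < cutoff:
            findings["patch_overdue"].append((rec.asset_id, rec.owner))
    return findings


def work_queue(findings):
    """Group actionable findings by owning team, so the vulnerability
    management team can hand each owner a concrete list to act on."""
    queue = {}
    for asset_id, owner in findings["decommission_incomplete"]:
        queue.setdefault(owner, []).append(
            f"{asset_id}: finish decommissioning (still reachable on the network)")
    for asset_id, owner in findings["patch_overdue"]:
        queue.setdefault(owner, []).append(f"{asset_id}: patch overdue")
    return queue


def run_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(INVENTORY, OBSERVED, REPORT_DATE)


if __name__ == "__main__":
    findings = run_report()
    for category, items in findings.items():
        print(f"{category}: {items}")
    for owner, tasks in work_queue(findings).items():
        print(f"\n{owner}:")
        for task in tasks:
            print(f"  - {task}")
```

The "not_observed" category is deliberately reported rather than silently dropped: an active host the scanner cannot see is either offline, on a segment the scan does not cover, or a stale inventory entry, and each of those is something the team needs to confirm rather than assume. In a real deployment the constructed lists would be replaced by the CMDB export and the scanner's output, and the scan would need to cover every segment, including the ones where sectioned-off legacy devices live.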

The advice to patch everything and to patch it often is still recommended. But the key to making sure that opportunistic attacks do not work is to commit to vulnerability management—this is not a "nice to have" but a necessary protection. But the team needs to be set up for success. It has to be a priority for the business, with buy-in from across the organization, with an understanding that nothing is beyond its remit.

Matthew Gracey-McMinn is the Head of Threat Research at Netacea. He is an experienced Cyber Threat Intelligence professional with an MPhil from the University of Oxford.