The Patching

PDF

In continued recognition of cybersecurity awareness month, Maynard’s Cybersecurity & Privacy Team brings you this week’s installment of terrifying tales of cyber scares.

Jack Torrance recently accepted a job as IT Director for the Overlook Hotel. Famously haunted, the Overlook is a very popular hotel that sees tens of thousands of visitors each year. Despite its antiquated exterior, Jack’s priority was to achieve excellent customer service through the latest and greatest apps to help manage the customer experience, from making spa appointments to ordering room service and airport shuttles.

Unbeknownst to Jack, however, the Overlook had been running an older version of one application known as the Shining, which handles all of the Overlook’s credit card payment processing. The Shining’s older version had a well-known vulnerability that allowed threat actors to easily take control of a company’s internal systems. The Shining made several efforts to publicize the newer version and to encourage its customers to upgrade Shining software, but Jack was too busy with the other applications to notice.

Unfortunately, thirteen months passed before Jack learned that the Shining application desperately needed to be updated – when an IT security blog informed the world that threat actors had posted Overlook Hotel customer information on the dark web, some of which was over 10 years old. Evil threat actors had infiltrated Overlook’s systems, installed malware, and exfiltrated guests’ personal information, including credit card numbers. Jack spent months dealing with the fallout from the security breach, which slowly drove him mad until he could do nothing but type and send endless emails saying “All Installing and no Patching makes Jack a dull IT Director.”

Don’t let unpatched applications drive you to madness like Jack. Here are some ways to mitigate the risk of unpatched software:

• Establish a formal patch management policy that includes patch testing, patching schedules by criticality, auditing, and requirements for maintaining and segregating unpatched systems.
• Subscribe to threat intelligence services/feeds to stay up to date with the latest patches and news of any zero-day exploits.
• Conduct routine internal and external vulnerability scanning.
• Ensure roles and responsibilities for patch management are clearly defined within your organization.
• Develop a backup protocol in case patching causes unwanted effects or breakdowns.
• Purge sensitive data you no longer need.

If you have any questions about how to improve your organization's cyber resiliency, contact a member of Maynard’s Cybersecurity & Privacy Team.