While zero-day exploits often dominate headlines, N-day exploits, which involve the use of long-standing and known vulnerabilities, may pose a significantly greater security risk to organisations.
N-day vulnerabilities offer virtually free-for-all access to bad actors because they are known and listed on the Common Vulnerabilities and Exposures (CVE) database, says William Petherbridge, systems engineering manager for Southern Africa at Fortinet.
According to Petherbridge, there are thousands of vulnerabilities across legacy systems, forgotten systems and devices, and even modern systems which are still in use, but people have neglected to patch them.
“There are hundreds of patches that never get loaded. This might be due to a bad patch management programme, or simply due to IT fatigue. The problem is, for organisations that fail to act, tools are readily available online to enable even ‘script kiddies’ to launch attacks targeting these common N-day vulnerabilities.”
The problem with patch management
Petherbridge suggests that organisations often delay or overlook patching schedules for several reasons: the sheer volume of patches, limited resources, and notably, the potential for disruption. Patching may require system restarts, application slowdowns, or unforeseen issues. If not performed correctly, it could even lead to data loss or corruption.
“This is an ongoing problem across technologies and vendors. Enterprises may delay patching because in a network with thousands of end devices and users, just deploying something without testing it and understanding the possible implications may be problematic,” Petherbridge says. “The sentiment can be ‘don’t touch things that are working’. In OT (Operational Technology) networks, for example, safety and uptime are top priorities, and they can’t afford any risks or disruptions.”
Particularly in manufacturing OT environments, some systems still in use are long out of support. These environments were once relatively safe because OT networks were air-gapped. Now, however, OT-IT convergence exposes them to the enterprise network, which puts both at risk.
What organisations can do
Prioritising patch management is essential for helping enterprises to mitigate the most significant risks. “It all comes down to balancing the risks. They have to consider whether the patches are for products they don’t use or where their exposure is low, what other protection measures are available, and the vulnerability’s Common Vulnerability Score (CVS). This helps them to decide if they can wait for scheduled patching or if they should do emergency patching,” says Petherbridge.
The best defence is good security hygiene, including remediation guidance and timely patching, he says. “In a perfect scenario, it is best to do it right away, but in reality, it depends on the risk assessment. Organisations need to consider how likely it is that they could be exploited imminently and the impact of a compromise, compared to the impact of implementing the patch.”
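The risk-balancing decision described above (is the product in use, how exposed is it, what other protections exist, what is the vulnerability score, and therefore emergency or scheduled patching) can be expressed as a simple triage routine. The following is an added illustration, not Fortinet's tooling or method; the weights, thresholds and CVE identifiers are constructed assumptions for the example.

```python
from dataclasses import dataclass

EMERGENCY, SCHEDULED, DEFER = "emergency", "scheduled", "defer"


@dataclass
class Finding:
    cve: str                     # placeholder identifier (constructed, not a real CVE)
    cvss: float                  # CVSS base score, 0.0 to 10.0 (the "vulnerability score" above)
    product_in_use: bool         # is the affected product actually deployed?
    internet_facing: bool        # exposure: reachable from outside the organisation?
    exploit_public: bool         # N-day case: public tooling exists for this flaw
    compensating_controls: bool  # e.g. segmentation or an inline filter already in front of it


def risk_score(f: Finding) -> float:
    """Impact (CVSS) scaled by an assumed likelihood-of-exploitation factor."""
    if not f.product_in_use:
        return 0.0                      # nothing to patch; exposure is zero
    likelihood = 0.2                    # baseline: known flaw, internal only, no public exploit
    if f.internet_facing:
        likelihood += 0.4
    if f.exploit_public:
        likelihood += 0.4
    if f.compensating_controls:
        likelihood *= 0.5               # controls reduce, but do not remove, the risk
    return round(f.cvss * likelihood, 2)


def triage(f: Finding) -> str:
    """Map the score to the three outcomes discussed: emergency, scheduled, or defer."""
    score = risk_score(f)
    if score >= 6.0:
        return EMERGENCY
    if score >= 2.0:
        return SCHEDULED
    return DEFER


def patch_order(findings: list[Finding]) -> list[str]:
    """Return CVE ids in the order they should be handled, highest risk first."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample backlog: same CVSS can land in different queues depending on context.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, True, True, True, False),   # exposed, weaponised, unprotected
    Finding("CVE-0000-0002", 9.8, True, True, True, True),    # same flaw, but segmented
    Finding("CVE-0000-0003", 7.5, True, False, True, False),  # internal host, public exploit
    Finding("CVE-0000-0004", 10.0, False, True, True, False), # product not deployed here
]
```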
With increasing BYOD and remote environments where end-users have their own laptops, tablets and cellphones, patching can be especially challenging.
“Devices issued by organisations have mobile device management systems to control patches on end-user devices. They can also use Zero Trust network access (ZTNA) to control what type of data and access users get, and to prevent malware from spreading laterally in the network,” he says.
Solutions such as the Fortinet Universal ZTNA offer secure and easy access to applications for users working remotely. Additionally, it’s worthwhile for organisations to consider implementing an overarching, integrated cybersecurity platform that includes solutions for tracking assets and vulnerabilities, as well as segmenting and securing the environment.