DEFENSESTORM BLOG

Defending the Enterprise Part 2: The Exploitation of Unpatched Systems

Monday, December 13th, 2021

DefenseStorm

Part two of this series will focus on the exploitation of unpatched systems and explore the processes your financial institution should have in place to keep bad actors at bay.

In part one of this series, I talked about defending the enterprise by strengthening the human firewall. In part two, I’ll focus on patching vulnerable systems.

Let’s take a look at some of the headlines from the last couple of years:

  • “Atlanta’s municipal government has been brought to its knees since Thursday morning by a ransomware attack.”
  • “Russian state hackers use ransomware to paralyze computers in Ukraine on the eve of the country’s independence day.”
  • “Hackers gained access to the information of 143 million Equifax customers, including their names, birth dates, drivers’ license numbers, Social Security numbers, and addresses.”

What do all these incidents have in common? Unpatched systems—which expose weaknesses that can be exploited by cybercriminals. If you still need convincing that unpatched systems pose a massive threat, consider these stats from a recent Ponemon Institute study that surveyed nearly 3,000 IT professionals worldwide on their patching practices.

  • 50% of organizations say they were hit with one or more data breaches in the past two years.
  • 34% say they knew their systems were vulnerable prior to the attack.

So, how can you avoid becoming the next Atlanta, Ukraine, or Equifax? Here’s my advice.

Scan your systems

Credit unions should have an ongoing process in place to scan all of their infrastructure, both internal and external systems, to determine where they are most vulnerable. There are several tools and services you can use for this:

  • Shodan IO is a search engine for Internet-connected devices that scans continuously for vulnerable systems and publishes what it finds. There are free and paid versions.
  • Nmap is a free and open-source utility for network discovery and security auditing.

Keep in mind that it’s not only good guys using these tools. Bad guys use them too, to find vulnerabilities they can exploit!

Analyze the data

Once your scans are complete, you’ll need to analyze the data to determine where you are most vulnerable and exposed—and then check Twitter to see if that particular vulnerability is being exploited in the wild. I follow a large number of security researchers on Twitter to keep up with current tactics, techniques, and procedures (TTPs).

Start patching

If you find vulnerabilities, you have to get the systems patched as soon as possible. In fact, the longer a credit union waits to patch a system, the more vulnerable it becomes. You should shoot for getting everything patched within 90 days. That can be hard, especially if you have a fairly large organization with lots of endpoints and servers.

You may have to cherry-pick and prioritize—and the first order of business is always going to be your public assets. From there, you can work your way inside to the critical systems in your internal infrastructure. In the cloud world, you may not have a lot of internal systems, but if a bad guy gets ahold of an endpoint that has access to a critical system in the cloud, you’re in trouble. So keeping the endpoints patched and up to date is incredibly important.
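As an added example (not code from the post or from DefenseStorm), here is a small Python triage routine that applies the ordering above to constructed scan results: public assets first, then internal hosts or endpoints that can reach a critical system, with the post's 90-day window used to flag overdue findings. The Finding fields, hostnames and CVE ids are placeholders chosen for this example.

```python
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 90  # the post's target: everything patched within 90 days


@dataclass
class Finding:
    """One scan result; the field names are assumptions for this example."""
    host: str
    vuln: str
    exposure: str            # "public" (Internet-facing) or "internal"
    critical_access: bool    # internal host or endpoint that can reach a critical system
    exploited_in_wild: bool  # confirmed from researcher reporting (the post's Twitter check)
    discovered: date


def days_open(f: Finding, today: date) -> int:
    return (today - f.discovered).days


def is_overdue(f: Finding, today: date) -> bool:
    """True once a finding has been open longer than the 90-day window."""
    return days_open(f, today) > PATCH_WINDOW_DAYS


def sort_key(f: Finding, today: date) -> tuple:
    # Tier 0: public assets (the post's "first order of business").
    # Tier 1: internal hosts or endpoints with access to critical systems.
    # Tier 2: everything else. Within a tier: known-exploited first, then oldest first.
    tier = 0 if f.exposure == "public" else (1 if f.critical_access else 2)
    return (tier, 0 if f.exploited_in_wild else 1, -days_open(f, today))


def triage(findings, today: date) -> list:
    """Return findings in the order they should be patched."""
    return sorted(findings, key=lambda f: sort_key(f, today))


# Constructed sample scan results: hostnames and CVE ids are placeholders, not real findings.
TODAY = date(2021, 12, 13)
SAMPLE = [
    Finding("fileserver-01", "CVE-EXAMPLE-0001", "internal", False, False, date(2021, 9, 1)),
    Finding("laptop-042", "CVE-EXAMPLE-0002", "internal", True, True, date(2021, 11, 20)),
    Finding("www-01", "CVE-EXAMPLE-0003", "public", False, False, date(2021, 12, 1)),
    Finding("vpn-gw", "CVE-EXAMPLE-0004", "public", False, True, date(2021, 10, 15)),
]

if __name__ == "__main__":
    for f in triage(SAMPLE, TODAY):
        flag = " OVERDUE" if is_overdue(f, TODAY) else ""
        print(f"{f.host:14} {f.vuln}  {days_open(f, TODAY):3d} days open{flag}")
```

Run as-is it lists the four constructed findings in patch order; the internal file server, open for 103 days, is the one flagged OVERDUE.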

Follow your standards and frameworks

Everything I’ve said regarding human firewalls and patching systems is based on the Center for Internet Security (CIS) controls that provide prioritized cybersecurity best practices. You can join CIS for free and gain access to a number of high-quality documents that will help to harden your network and systems.

Using these resources as a starting point can save you a lot of headaches and hassles—and you’ll be in better shape if the bad guys strike.

Bob Thibodeaux

Chief Information Security Officer

Bob has more than 25 years of experience as a senior security expert and highly accomplished IT executive and engineer. Through leadership positions managing IT departments and programs, technology operations and data center operations, Bob has driven innovative process improvements, disaster recovery programs, information security strategies, and audit and compliance improvements. He has been responsible for incident response, risk management and penetration testing for community-focused banks, credit unions and high-tech companies across the United States. Bob is a Certified Information Systems Security Professional, Digital Forensics Examiner and GIAC Penetration Tester. Bob holds a degree in Business and Management from the University of Maryland and is a retired USAF Senior Master Sergeant.