Microsoft and the US National Institute of Standards and Technology (NIST) will create practical guidelines for installing patches in enterprise infrastructures. In short, Microsoft and NIST will teach businesses how to install patches.
The experts intend to raise business literacy in information security and propose solutions to the key problems that arise when updating software. The foundation of the new project was laid back in 2017 by Microsoft experts who were trying to find out the causes of the devastating WannaCry, NotPetya and Bad Rabbit epidemics.
Microsoft officials, including Mark Simos, a leading security solutions architect, interviewed senior officials at several large organizations to understand why businesses are slow to update software. “These ransomware programs infected tens of thousands of computers around the world by exploiting Windows vulnerabilities that the company had already patched,” says Microsoft.
As it turned out, many of the company's clients poorly understand the threat posed by information security vulnerabilities and neglect patches for the sake of short-term stability. They fear that installing a new version will cause infrastructure failures or make important corporate systems unavailable. IT staff often do not know how to test patches and limit themselves to reading online forums, where they try to find out about possible problems.
Experts concluded that the industry needed a generally accepted standard with a prescribed software update procedure.
The Critical Cybersecurity Hygiene: Patching the Enterprise initiative aims to expand the existing NIST package of recommendations, which was published on the basis of early Microsoft research. Representatives of the institute intend to approach the problem from a practical side and provide specific recommendations to corporate IT services.
“Within the framework of the new project, proprietary and open tools will be considered that help to cope with the most serious difficulties when installing patches. These are the prioritization of IT systems, the testing of patches, and the tracking and verification of their application. The recommendations on the use of these tools will be supplemented by guidance on building policies and processes throughout the life cycle of updates,” say NIST experts.
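The three difficulties the NIST experts name (prioritizing systems, tracking whether a patch has been applied, and verifying it) can be illustrated with a small model of a patch baseline checked against a host inventory. The following is an added example written for this article; it is not code from Microsoft, NIST or the initiative, and every host name, patch identifier, score scale and date in it is constructed sample data.

```python
"""Added example (not from the article, Microsoft or NIST): a minimal
patch-tracking and prioritization model. Hosts report which patches they
have installed; a required baseline lists the patches every host must have;
the queue orders the gaps by risk so that patching work can be prioritized,
and verify() is the post-deployment check. All data below is constructed."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Host:
    name: str
    criticality: int            # assumed scale: 1 (lab box) .. 5 (business-critical)
    internet_facing: bool
    installed: set = field(default_factory=set)   # patch IDs the host reports


@dataclass
class Patch:
    patch_id: str
    released: date
    severity: int               # assumed scale: 1 .. 5
    exploited_in_wild: bool     # a public exploit is already circulating


def missing_patches(host, required):
    """Baseline patches the host has not reported as installed (the tracking step)."""
    return [p for p in required if p.patch_id not in host.installed]


def risk_score(host, patch, today):
    """Higher score = patch first. The exposure window (days the fix has been
    available but not applied) is added so that old gaps keep rising."""
    days_open = (today - patch.released).days
    score = host.criticality * patch.severity
    if host.internet_facing:
        score *= 2
    if patch.exploited_in_wild:
        score *= 3
    return score + days_open


def remediation_queue(hosts, required, today):
    """Ordered list of (host, patch_id, score), highest risk first (the prioritization step)."""
    queue = []
    for h in hosts:
        for p in missing_patches(h, required):
            queue.append((h.name, p.patch_id, risk_score(h, p, today)))
    queue.sort(key=lambda item: item[2], reverse=True)
    return queue


def verify(host, required):
    """Post-deployment check: True only when every baseline patch is present."""
    return not missing_patches(host, required)


# Constructed sample inventory: two patches in the baseline, three hosts.
REQUIRED = [
    Patch("PATCH-A", date(2019, 1, 1), severity=5, exploited_in_wild=True),
    Patch("PATCH-B", date(2019, 1, 20), severity=3, exploited_in_wild=False),
]
HOSTS = [
    Host("web-01", criticality=4, internet_facing=True, installed={"PATCH-B"}),
    Host("db-01", criticality=5, internet_facing=False, installed=set()),
    Host("lab-07", criticality=1, internet_facing=False, installed={"PATCH-A", "PATCH-B"}),
]
TODAY = date(2019, 2, 1)

if __name__ == "__main__":
    for name, patch_id, score in remediation_queue(HOSTS, REQUIRED, TODAY):
        print(f"{score:4d}  {name:8s}  {patch_id}")
    for h in HOSTS:
        print(f"{h.name}: {'compliant' if verify(h, REQUIRED) else 'NOT compliant'}")
```

The exposure-window term is what turns a static severity table into a queue that reflects the delays the article goes on to describe: an internet-facing host missing an actively exploited patch tops the list, and the score keeps growing for every day the gap stays open.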
The release date of the planned document is still unknown. Commentators note that this is the first collaboration of its kind between NIST and a private corporation, and that the support of other stakeholders could significantly improve the preparation of the document.
The ransomware epidemics mentioned above are far from the only cases in which known vulnerabilities have been used in large-scale attacks. Unpatched bugs help IoT botnet operators grow their botnets, and other cybercriminals constantly monitor vulnerability disclosures so that they can exploit them before patches are deployed in the field.
At the beginning of 2018, analysts calculated that, on average, a patch was released 12-13 days after a vulnerability was announced, while exploits appeared by the end of the first week. In some cases three days are enough for attackers: that is how much time passed after the patch for CVE-2017-5638 in Apache Struts was released before it was being exploited, and the attackers later used it to penetrate the network of the Equifax credit bureau. Despite the wide publicity of that incident, CVE-2017-5638 continues to be used in cyberattacks to this day.
The EternalBlue exploit that drove the WannaCry attacks in 2017 has not lost its relevance either. In 2019, it was used in the attacks on the city of Baltimore and in building the new Smominru botnet.
As Microsoft experts emphasized in their publication, in today's environment keeping IT assets up to date is becoming part of corporate social responsibility. That is why anyone can join the work on the new initiative, from developers of software that improves the efficiency of patching to individuals and companies with useful experience in managing this process within the enterprise.