How frequently do enterprises patch their systems?
Many of the attacks that succeed against enterprises today do so, at least in part, because of the number of unpatched systems. Patches are "fixes" (updates) installed to keep computers secure. They typically correct all kinds of weaknesses (vulnerabilities), such as software bugs, stability problems, outdated components and performance issues. Patching is considered the single most important preventive measure for keeping machines up to date and stable, ensuring their uninterrupted operation and the enterprise's business continuity. Patching protects enterprises from threats such as malware (software installed without permission that (i) damages devices, (ii) steals data, e.g. viruses and Trojans, or (iii) demands a ransom) and Potentially Unwanted Programs (PUPs), which trick users into installing them, e.g. browser toolbars that track web browsing.
We all recall the WannaCry ransomware of 2017, which attacked more than 200,000 computers across 150 countries by encrypting their files and making them inaccessible, with total damages to the victimised enterprises estimated in the billions of euros. At the time of the attack, the patch for the Windows SMB vulnerability that WannaCry exploited (MS17-010) had already been available for about two months, but many enterprises had not applied it.
The question remains whether enterprises actually patch their systems, given that they continue to fall victim to attacks.
Platon Kotzias, Leyla Bilge, Pierre-Antoine Vervier and Juan Caballero, in their paper "Mind Your Own Business: A Longitudinal Study of Threats and Vulnerabilities in Enterprises" (NDSS 2019), report the findings of the largest and longest enterprise security study to date, collecting data over three years from 28K enterprises belonging to 67 industries, including critical sectors (e.g. finance, health, pharmacy, manufacturing, insurance, energy, electronics, food, IT, capital markets, retail), in 137 countries. They identify the threats and vulnerabilities that enterprises face and analyse their patching behaviour. Their analysis draws on several data sources: file reputation logs, file appearance logs, AV labels, the National Vulnerability Database (NVD), Internet-wide IPv4 scans, blacklists and an enterprise-to-IP mapping.
The main overall findings of their work are:
- At least 91% of the enterprises encountered at least one malware or potentially unwanted program (PUP).
They found that 91%–97% of the enterprises and 13%–41% of the enterprise hosts encountered at least one malware or PUP file. Their analysis also revealed that patching applications on time significantly reduces the number of malware encounters. The most worrying outcome is that critical industries such as Gas Utilities, Transportation Infrastructure and Marine are among the worst with respect to patching.
- Significant differences exist among industries with respect to their patching behaviour.
The 10 most-affected industries have 69%–76% of their hosts affected, while the 10 least-affected have 15%–36% of their hosts affected, showing that some industries, such as banks and other finance-related businesses, are doing clearly better than others; in some cases their malware and PUP encounter rates are three times lower than those of the most-affected industries. The best performers are the Financial, Insurance, and Hotels, Restaurants and Leisure industries, which patch 90% of their machines in under 10 days. The worst are the Media, Healthcare and Capital Markets industries, where it takes more than 500 days to patch 90% of their machines.
- Common vulnerabilities were found across all enterprises, at different rates.
Their analysis revealed that 1.5M servers in 11,905 enterprises were never upgraded throughout the 2.5-year analysis period.
- Enterprise client patching is better than the patching observed on consumer computers.
They measured that it takes over 6 months on average to patch 90% of all vulnerabilities in 12 client-side applications. For the comparison with consumer hosts they used four applications, Chrome, Firefox, Thunderbird and Adobe Reader, and found that three of them (Chrome, Firefox, Thunderbird) reach 90% patching faster in enterprises, and three (Firefox, Thunderbird, Adobe Reader) also reach 50% patching faster in enterprises.
- Patching of servers is worse than patching of clients.
The patching of servers is overall much worse than the patching of client applications. On average a server application remains vulnerable for 7.5 months, and it takes more than nine months for 90% of the enterprise server population to be patched. While a significant fraction of the enterprises is diligent in patching their servers, the rest are quite slow and leave their servers vulnerable for very long periods, giving cybercriminals ample opportunity to attack them. Both the client and server figures show that the vulnerability window is large enough for cybercriminals to exploit the flaws and find their way into corporate networks.
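To make the "days until 90% of machines are patched" figures above concrete, here is an added example of how that metric is computed from host telemetry. It is not code from the paper or its authors; it assumes a hypothetical feed of (host, observation date, installed version) records and a hypothetical application whose version 2.4.1 carries the fix, all constructed inline. The important design point is that hosts never seen with the fixed version are kept in the denominator (they are still vulnerable at the end of the observation window), which is what the "never upgraded" servers in the study represent.

```python
"""Patch-latency measurement from host version telemetry.

Added example (not code from the paper or its authors): it reconstructs the
kind of metric the study reports, "days until X% of hosts run the fixed
version", from a hypothetical feed of (host, observation date, installed
version) records. The record format, version scheme and sample data are
assumptions constructed for this example.
"""
from datetime import date

# Hypothetical patch: version 2.4.1 of some application fixes a vulnerability
# and was released on RELEASE. Any version >= 2.4.1 counts as patched.
RELEASE = date(2024, 3, 1)
FIXED_VERSION = "2.4.1"

# Constructed telemetry: (host id, observation date, installed version).
# h09 and h10 are never seen with a fixed version inside the window.
OBSERVATIONS = [
    ("h01", date(2024, 2, 20), "2.3.0"),
    ("h01", date(2024, 3, 3), "2.4.1"),   # patched 2 days after release
    ("h02", date(2024, 3, 1), "2.4.1"),   # patched on release day
    ("h03", date(2024, 3, 10), "2.3.9"),
    ("h03", date(2024, 3, 15), "2.4.2"),  # a later build still counts as fixed
    ("h04", date(2024, 3, 8), "2.4.1"),
    ("h05", date(2024, 4, 1), "2.3.0"),
    ("h05", date(2024, 5, 10), "2.4.1"),  # 70 days
    ("h06", date(2024, 3, 5), "2.4.1"),
    ("h07", date(2024, 3, 30), "2.4.1"),
    ("h08", date(2024, 3, 12), "2.4.1"),
    ("h09", date(2024, 6, 1), "2.3.0"),   # never patched in the window
    ("h10", date(2024, 4, 20), "2.3.5"),  # never patched in the window
]


def parse_version(version):
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def first_patched_date(observations, fixed_version):
    """Return {host: first date seen with version >= fixed_version, or None}."""
    fixed = parse_version(fixed_version)
    first = {}
    for host, day, version in observations:
        first.setdefault(host, None)
        if parse_version(version) >= fixed:
            if first[host] is None or day < first[host]:
                first[host] = day
    return first


def patch_delays(observations, release, fixed_version):
    """Days from release to first patched observation, per host.

    Returns (sorted delays of patched hosts, count of hosts never patched).
    Never-patched hosts are right-censored: still vulnerable at the end of
    the window, so they must stay in the denominator of any coverage figure.
    """
    delays, never = [], 0
    for host, day in first_patched_date(observations, fixed_version).items():
        if day is None:
            never += 1
        else:
            # A patched observation dated before the release (clock skew,
            # pre-release build) is clamped to a zero-day delay.
            delays.append(max(0, (day - release).days))
    return sorted(delays), never


def coverage_at(observations, release, fixed_version, days_after_release):
    """Fraction of all hosts patched within `days_after_release` days."""
    delays, never = patch_delays(observations, release, fixed_version)
    total = len(delays) + never
    if total == 0:
        return 0.0
    patched = sum(1 for d in delays if d <= days_after_release)
    return patched / total


def days_to_patch_percent(observations, release, fixed_version, percent):
    """Days after release until `percent` of all hosts are patched.

    Returns None when that share is never reached inside the observation
    window, which is what a fleet with many never-upgraded servers looks like.
    """
    delays, never = patch_delays(observations, release, fixed_version)
    total = len(delays) + never
    needed = (percent * total + 99) // 100   # integer ceiling of percent% of hosts
    if needed > len(delays):
        return None
    return delays[needed - 1] if needed else 0


if __name__ == "__main__":
    for pct in (50, 80, 90):
        days = days_to_patch_percent(OBSERVATIONS, RELEASE, FIXED_VERSION, pct)
        print(f"{pct}% of hosts patched after: {days} days")
    print("coverage at 10 days:", coverage_at(OBSERVATIONS, RELEASE, FIXED_VERSION, 10))
```

On the constructed data, 50% of hosts are patched after 11 days and 80% after 70 days, but 90% is never reached because two of the ten hosts are never observed with a fixed version. Dropping those two censored hosts from the denominator would instead report "90% patched at day 70", which is the optimistic error to avoid when measuring your own fleet against the figures the study reports.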
Some of the reasons behind this worrying patching behaviour include:
- Lack of security culture, internal capabilities (e.g. expertise, computing power) and trust (e.g. end-user resistance)
- The sheer number and variety of patches
- Lack of resources (patching requires costly resources, e.g. high expertise, time and computing power)
- Business risk (patches may introduce new problems into business operations).