As companies increasingly digitize their businesses and automate their operations, unpatched or end-of-life software presents a significant cybersecurity threat.
A Ponemon Institute survey revealed that 60% of breach victims said their breach was caused by a known vulnerability that had not been patched. Once considered optional, software patching has become an imperative because of the increasing frequency and cost of cyber incidents that result from these exposures. The good news is that once a vulnerability is known, a patch is usually made available quickly. Each publicly disclosed vulnerability receives a Common Vulnerabilities and Exposures (CVE) identifier, and the U.S. National Institute of Standards and Technology (NIST) catalogs and scores these CVE records in its National Vulnerability Database (NVD); software providers also often notify users proactively when patches are released. In addition, insurers are becoming part of the solution by providing vulnerability notifications as a risk management service to complement their cyber insurance policies.
Software becomes end-of-life (EOL), or unsupported, when its developer no longer provides patches or security updates. In addition to leaving a major security gap, EOL software can present legal, maintenance and compatibility issues. Upgrading EOL software can be complex and expensive, but the complexity and cost of a cyber incident can be much worse. As a result, it is becoming critical for organizations to invest the resources to regularly monitor, patch and update critical software so as to avoid the cost and repercussions of a cyber incident caused by this security gap.
Regular Patching Is Critical
According to the Check Point Cyber Security Report 2021, three out of four cyberattacks in 2020 exploited vulnerabilities that had been reported in 2017 or earlier, highlighting how long known software vulnerabilities can remain unpatched.
Risk-scoring vulnerabilities and prioritizing which ones to patch first is a critical part of any software risk management process. It can be aided by the Exploit Prediction Scoring System (EPSS), a community-driven effort that combines descriptive information about each vulnerability with evidence of actual exploitation "in the wild." EPSS assigns each CVE a probability that it will be exploited in the near term (the model estimates exploitation activity over the next 30 days), which lets companies focus patching effort where it provides the most value rather than on severity scores alone.
In addition, the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, maintains the Known Exploited Vulnerabilities (KEV) catalog, a priority list of vulnerabilities under active attack. The catalog includes more than 500 vulnerabilities across such common software providers as Microsoft, Apple, Citrix, Cisco and Adobe. To be listed, a vulnerability must have an assigned CVE ID, reliable evidence of active exploitation, and a clear remediation available, such as a vendor-provided update.
While patching known critical vulnerabilities as soon as the patch is available is ideal, it takes time to properly test updates and address any compatibility or logistical issues. A best-practice approach is to maintain a regular update schedule in which the latest security patches are deployed to an organization's critical systems on a frequent (e.g. weekly) basis, with KEV-listed and high-EPSS vulnerabilities handled ahead of the routine cycle.
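The ranking logic described above, as an added example that is not part of the original article: findings are ordered with KEV-listed vulnerabilities first, then by EPSS probability, then by CVSS base score, and each one is checked against a patch grace period. The 45-day grace period is the figure the article uses later for insurance coverage and is treated here as an assumed policy parameter; the finding records and CVE-style identifiers are constructed placeholders, not real vulnerabilities. In practice the KEV flag and EPSS score would be looked up from CISA's catalog and the EPSS data feed.

```python
"""Rank a vulnerability backlog for patching.

Ordering: KEV membership dominates (actively exploited), then EPSS
probability (likely to be exploited), then CVSS base score (severity).
Each finding is also checked against a patch grace period.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed policy parameter: the six-week / 45-day window the article cites.
GRACE_DAYS = 45


@dataclass(frozen=True)
class Finding:
    cve_id: str            # placeholder identifier, not a real CVE
    host: str
    cvss: float            # CVSS base score, 0.0 - 10.0
    epss: Optional[float]  # EPSS probability of exploitation in the next 30 days; None if not yet scored
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    fix_available: date    # date a vendor patch or fix became available


def _epss(f: Finding) -> float:
    # Newly published CVEs may not have an EPSS score yet; treat as 0 so they
    # still sort by CVSS rather than being dropped or crashing the sort.
    if f.epss is None:
        return 0.0
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.cve_id}: EPSS must be a probability in [0, 1]")
    return f.epss


def priority_key(f: Finding):
    # Python sorts ascending, so negate the "higher is worse" factors.
    # KEV first (False sorts before True, hence `not`), then EPSS, then CVSS.
    return (not f.in_kev, -_epss(f), -f.cvss)


def rank(findings: List[Finding], today: date, grace_days: int = GRACE_DAYS) -> List[dict]:
    """Return findings in patch order with grace-period status."""
    rows = []
    for f in sorted(findings, key=priority_key):
        due = f.fix_available + timedelta(days=grace_days)
        age = (today - f.fix_available).days
        rows.append({
            "cve_id": f.cve_id,
            "host": f.host,
            "in_kev": f.in_kev,
            "epss": _epss(f),
            "cvss": f.cvss,
            "days_fix_available": age,
            "due": due,
            "overdue": today > due,
        })
    return rows


# Constructed sample backlog (placeholder CVE numbers).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "web01", cvss=9.8, epss=0.02, in_kev=False, fix_available=date(2024, 1, 10)),
    Finding("CVE-0000-0002", "vpn01", cvss=7.5, epss=0.90, in_kev=True,  fix_available=date(2024, 3, 1)),
    Finding("CVE-0000-0003", "db01",  cvss=8.8, epss=0.30, in_kev=False, fix_available=date(2024, 2, 20)),
    Finding("CVE-0000-0004", "app02", cvss=5.3, epss=None, in_kev=False, fix_available=date(2024, 3, 25)),
]
TODAY = date(2024, 4, 1)

if __name__ == "__main__":
    for row in rank(SAMPLE_FINDINGS, TODAY):
        flag = "OVERDUE" if row["overdue"] else "ok"
        print(f'{row["cve_id"]} {row["host"]:6} kev={row["in_kev"]!s:5} '
              f'epss={row["epss"]:.2f} cvss={row["cvss"]:.1f} '
              f'fix_age={row["days_fix_available"]:3}d due={row["due"]} {flag}')
```

Note that the highest-CVSS item (9.8) lands third: its low EPSS means it is unlikely to be exploited soon, while the KEV-listed 7.5 is under active attack and goes first. That is the point of using exploitation evidence rather than severity alone, and the overdue flag on the 9.8 shows that it has nonetheless been sitting past the grace period.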
It is also worth noting that EOL or unsupported software and out-of-warranty hardware can hide on servers or in a rarely used virtual machine within an organization's IT environment. Discovering at-risk operating systems, software and hardware can be challenging, especially when there are hundreds of devices on a network. A network inventory application can continuously scan the network, identify employee devices, servers, switches and other components, and track warranties and the age of each system. Having this inventory is an important first step in planning the migration away from EOL hardware and software.
Improving Cyber Resilience
Keeping software up to date is an important aspect of good cyber-risk hygiene, but to successfully navigate today's cyber threats, organizations also need a robust cyber resilience program. Important steps include:
- identifying critical business functions and assets, and assessing cybersecurity risks that could disrupt them;
- deploying tools, technologies and security measures to ensure systems, applications and data are protected;
- scanning for vulnerabilities and suspicious activities;
- developing an action plan to quickly restore normal operations after a security incident; and
- analyzing incidents and applying lessons learned to improve the resilience program.
Organizations can bolster their cyber defense posture through incident response assessments, security performance benchmarking, network vulnerability testing and attack simulations. These services and guidance are readily available from experienced vendors, often vetted by insurers. In addition, insurers are more widely offering their cyber insurance clients access to preventive services from third-party vendors that provide basic cybersecurity hygiene, such as multifactor authentication, endpoint protection, password management and network scanning. Companies can also strengthen their resilience by closely examining the indemnity language in contracts with their IT vendors to assess how much risk the vendor retains compared with how much is transferred back to the company. Technology vendors will ultimately play an important role in partnering with policyholders and insurers to manage cyber risk.
In the event that a cyber incident occurs, an insurer’s incident response team of experts can help contain the damage and help restore an organization to full operations as soon as possible. In addition, partnerships between insurers and technology providers will enable more granular views of an organization’s attack surface, which will help mitigate loss in the event of a cyber incident. These partnerships will also serve to more quickly inform organizations of vulnerabilities that should be prioritized and remediated.
Building Incentives Into Cyber Insurance Coverage
Encouraging better cybersecurity habits through coverage incentives is a win-win for both policyholders and insurers. For example, an insurer may offer full coverage under its policy for a cyber incident resulting from a known vulnerability that remains unpatched during a specified grace period. After that period of time, the policy would gradually shift more of the risk to the client through coinsurance or limit reduction until the vulnerability is patched and coverage is restored in full. In this way, both the policyholder and insurer’s interests are aligned.
For most software vulnerabilities under most policies, the grace period begins as soon as the vulnerability is published in the NVD and a patch or fix is available. Under most circumstances, a grace period of 45 days to find, test and deploy a patch is sufficient, even for a company with a complex IT environment. Experience has shown that this six-week window also gives enough time to identify compatibility issues with the patch and resolve them before deploying it across the organization.
As part of a comprehensive cyber resilience program, timely vulnerability patching and retirement of EOL software, combined with insurers' policy incentives and pre- and post-incident services, can help organizations prevent incidents and stay resilient during an event. As cyber risks continue to escalate, the potentially high return on investment from these efforts is more compelling than ever.