Vulnerability Management Blog

Just Say Naive "Just Patch" Advice

I got a chance to watch Dave Chappelle’s latest comedy special this weekend, and among the hour-long show’s bits was one that ridiculed Nancy Reagan’s 1980s advice on drug addiction: “Just Say No.” The First Lady’s bumper-sticker prescription for a massive public health and crime epidemic completely trivialized the complexity of the challenge, and Dave Chappelle’s bit drove that home.

I’m reminded of this kind of bubble-gum-wrapper wisdom every time I hear security “experts” casually dispense “just patch” advice to IT teams.  And, just last week, an employee of a prominent vulnerability management vendor did just that again in Dark Reading’s First Bluekeep Exploit Found in the Wild (November 4, 2019).  To wit: 

"...there are over 700,000 vulnerable systems that are publicly accessible, including over 100,000 in the United States alone. The risks here cannot be overstated — organizations must patch their systems immediately," says {name and company withheld to protect the guilty}.

What makes this particular episode of the “just patch” comedy series so egregiously cliché is that many of the hundreds of thousands of devices most vulnerable to BlueKeep are in hospitals and other healthcare organizations (70% of the devices in healthcare organizations will be running unsupported Windows operating systems by January 2020). Apparently unbeknownst to the “expert” quoted in the article, patching devices in the healthcare environment is particularly challenging.

Simply building and maintaining an accurate medical device inventory is virtually impossible for most healthcare facilities. Devices are often added to the network without formal ingress processes. Device scanners have difficulty identifying medical devices, and most go unidentified. Devices can be difficult to locate (many, like infusion pumps, are mobile) and are rarely tracked accurately (we’ve heard stories of nurses surreptitiously hiding infusion pumps in closets to ensure they have access to a reliable device when absolutely necessary). Software upgrades must be installed on many assets at the device itself, not remotely, and the organization responsible for the patching effort can vary from the clinical engineering team, to the security/IT team, to the vendor (managing basic patching workflow details is an issue in many facilities). And, needless to say, some mission-critical equipment in the healthcare environment cannot be taken offline without first accounting for the health and safety of patients.

The point?  

A wanton disregard for the operational realities of enterprises across industries (this healthcare example is just one of many) has plagued the vulnerability management vendor community for years. This “just patch” knee-jerk response to any exploit news is the result of laziness and complacency, and an abject lack of innovative spirit in vulnerability management. “Just patch” needs to be replaced with “just patch only what is absolutely necessary to minimize the risk of compromise.” To know what absolutely, positively has to be patched, and to differentiate that from all other assets, requires a substantially more sophisticated approach to vulnerability detection and prioritization than legacy vendors have offered for two decades.
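As an added illustration of that differentiation (example code written for this post, not from the author or any vendor product), here is a small triage routine over a constructed inventory. It separates the assets that must be patched immediately from those where a compensating control (removing internet exposure, isolating RDP) buys time for a maintenance window; the field names, scores and thresholds are assumptions chosen to reflect the constraints described above.

```python
from dataclasses import dataclass

# Constructed inventory record; the fields mirror the constraints the post describes.
@dataclass(frozen=True)
class Asset:
    name: str
    rdp_enabled: bool        # the vulnerable service is actually listening
    internet_exposed: bool   # reachable from outside the perimeter
    os_supported: bool       # vendor still ships routine patches for this OS version
    patient_safety: bool     # taking it offline affects patient care
    remote_patchable: bool   # can be updated without a technician at the device

def exposure_score(a: Asset) -> int:
    """Higher means the asset is more likely to be compromised via the RDP flaw."""
    if not a.rdp_enabled:
        return 0                  # the flaw is unreachable; nothing to prioritise
    score = 10                    # reachable from the internal network only
    if a.internet_exposed:
        score += 60               # the publicly accessible population in the quote
    if not a.os_supported:
        score += 20               # patches are out-of-band or may be unavailable
    return score

def recommend(a: Asset) -> str:
    """Map exposure and operational constraints to a remediation action."""
    if exposure_score(a) == 0:
        return "no action"
    if a.internet_exposed:
        # Must be dealt with now; if it cannot be patched in place, cut the exposure instead
        if a.remote_patchable or not a.patient_safety:
            return "patch now"
        return "remove internet exposure now, patch in maintenance window"
    if a.patient_safety or not a.remote_patchable:
        return "network-isolate RDP, patch in maintenance window"
    return "patch in normal cycle"

def prioritise(inventory):
    """Return (name, score, action) tuples, most urgent first."""
    rows = [(a.name, exposure_score(a), recommend(a)) for a in inventory]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample inventory (hypothetical hostnames)
INVENTORY = [
    Asset("rdp-jumphost-01", True, True, True, False, True),
    Asset("infusion-pump-17", True, False, False, True, False),
    Asset("imaging-ws-03", True, True, False, True, False),
    Asset("hr-laptop-22", False, False, True, False, True),
]

if __name__ == "__main__":
    for name, score, action in prioritise(INVENTORY):
        print(f"{score:3d}  {name:18s} {action}")
```

Only two of the four constructed assets end up in the "act now" bucket, which is the whole point: the work is in telling those two apart from the rest, not in saying "patch".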

If you don’t believe me, just ask Dave Chappelle. 
