Failing to patch known security vulnerabilities leads to a plethora of problems, as does failure to modernize. A group of hackers is exploiting flaws in web browsers which, if successful, would grant access to billions of machines.
Cybersecurity was a problem for businesses well before 2020 and the onslaught of attacks during the pandemic. COVID-19 merely highlights what CyberSec professionals have been saying for years: Security matters. While phishing schemes are still the number one concern for businesses, hackers are finding new ways to bypass security. Web browsers are the latest target of hacking groups, and according to researchers at Google, the biggest problem is failing to patch known vulnerabilities.
For example, in December 2018, a group of hackers was detected by researchers at Google. The group was looking at Microsoft’s Internet Explorer, which was shut down in 2016. But it is still a common browser, especially among businesses overdue for modernization, so hacking it would potentially provide access to billions of computers. This particular group was looking for zero-day vulnerabilities, and they were finding them. A researcher discovered an exploit being used in the wild, so Microsoft issued a patch, but in September 2019 this same group was found exploiting a similar flaw. Further flaws followed in November, then in January and April 2020, for a total of at least five zero-day vulnerabilities.
We’ve long talked about not rushing through projects, and not forcing devs to sacrifice security and stability to get the product to market. What good is putting out a product that breaks all the time and isn’t secure? Consumers have so many options today, especially in the IoT and tech arenas, that they won’t tolerate something that continually breaks. They’ll just stop using it. Humans are not patient: we want what we want, and we want it now. And it had better be right, or we will blast you with negative reviews and tell people not to use your product. In the end, rushing through it costs the business more money. If you do it right the first time, you not only retain customers, but gain new ones and increase revenue.
Unfortunately for many organizations, IE is tech debt they have not figured out how to pay off yet. So this leaves patching. And patching really goes with development in that you don’t want to rush through it. Applying a patch to one specific spot won’t fix the problem if the same flaw exists six lines down and is left unfixed. Incomplete patching, or not checking whether that flaw exists somewhere else, is negligence. That type of patching only requires a threat actor to change their code slightly to continue exploiting the flaw.
“In the worst case, a couple of zero-days that I discovered were an issue of the vendor fixing something on one line of code and, on literally the next line of code, the exact same type of vulnerability was still present and they didn’t bother to fix it,” says John Simpson, a vulnerability researcher at the cybersecurity firm Trend Micro. “We can all talk till we’re blue in the face but if organizations don’t have the right structure to do more than fix the precise bug reported to them, you get such a wide range of patch quality.”
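The "fixed on one line, still present on the next" problem described above is what variant analysis is meant to catch. As an added illustration (not code from the post, Google, or Trend Micro), the script below compares a hypothetical before/after source file, takes the calls that the patch removed as the suspect pattern, and reports every remaining line in the patched file that still uses that pattern. The C snippet and the `handle` function are constructed for the example.

```python
import re

# Constructed "before" file: two identical unsafe copies in one function.
SOURCE_BEFORE = """\
void handle(char *dst, const char *a, const char *b) {
    strcpy(dst, a);
    strcpy(dst + strlen(dst), b);
}
"""

# Constructed "after" file: the vendor fixed line 2 but left line 3 untouched,
# the exact situation the post describes.
SOURCE_AFTER = """\
void handle(char *dst, const char *a, const char *b) {
    snprintf(dst, DST_SIZE, "%s", a);
    strcpy(dst + strlen(dst), b);
}
"""

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def removed_call_names(before: str, after: str) -> set:
    """Names of functions called on lines the patch removed.

    Heuristic: any line present in BEFORE but not in AFTER counts as removed,
    and every call on it becomes a pattern worth looking for elsewhere.
    """
    after_lines = {line.strip() for line in after.splitlines()}
    names = set()
    for line in before.splitlines():
        if line.strip() and line.strip() not in after_lines:
            names.update(CALL_RE.findall(line))
    return names


def find_unpatched_variants(before: str, after: str) -> list:
    """Return (line_number, text) for lines in AFTER that still use a call
    the patch removed, i.e. candidate variants the fix did not cover."""
    suspects = removed_call_names(before, after)
    hits = []
    for number, line in enumerate(after.splitlines(), start=1):
        if suspects & set(CALL_RE.findall(line)):
            hits.append((number, line.strip()))
    return hits


if __name__ == "__main__":
    for number, text in find_unpatched_variants(SOURCE_BEFORE, SOURCE_AFTER):
        print(f"line {number}: unpatched variant -> {text}")
```

The check is deliberately coarse: it flags every remaining use of a removed call for a human to review, which is the review step the incomplete patches above skipped.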
Now, the other tidbit to take away from this is that if you are using any version of Internet Explorer right now, you are way behind on your modernization plan. That means updating machines, systems and processes to much newer versions. This isn’t just for security, although that plays a big role: if you don’t modernize your business soon, you’ll fail to remain competitive. It’s time to modernize!
Security can’t wait, project development should never be rushed, and modernization is essential to forward progress. Do yourself and your business a favor: do things right the first time. It’s more cost-effective, less stressful and more lucrative!