Why Are Patches Necessary? Do We Have to Ask?

Once again, we have a story about hackers exploiting a known flaw in a business environment. (See Here) This time it is a previously patched flaw in the SaltStack software. As with most of these attacks, it is unclear why the patch had not been applied, nor is it clear how much damage was caused to either of the companies identified in the reports, but what should be clear is how dreadfully important patching is and will remain. This attack comes not long after the prior hacks against Cisco and Citrix. (See Here) Everyone is afraid of zero-day attacks, but the cold reality is that it doesn't take a zero-day to gain access to many networks. So why are things not getting patched? I believe one of the main issues remains the size and breadth of enterprise environments and, therefore, the difficulty of tracking the versions of all the software installed on servers, workstations, and network equipment. This is not going to get any easier. As we add more devices to our networks in the form of IoT devices and more remote operating software, the attack surface only grows. This is why many companies are looking for software that helps them manage their existing infrastructure and get their arms around the configuration management of the systems they already have.

I often say that since I was the youngest of my siblings, I learned more from watching my older brothers getting in trouble than from my own experiences. I think enterprises have the same opportunity – learn from what causes others to fail or falter. I would also encourage companies that have been exploited to be more open about what caused the failure to begin with. I know most companies do not disclose for a variety of reasons, including possible reputational damage or legal repercussions, but I agree with a recent article from the Harvard Business Review that says we need to come up with a standard Cyber Reporting criteria (See Here). Even when these attacks are reported, the report is often very diluted and almost unusable by other companies. The other option is to better fund the Information Sharing and Analysis Center (See Here) and incentivize this sharing. The only way we start getting better at Cyber Risk is to get better at Cyber information sharing.