
What to do when you can’t patch – Pt 2

Oct 7, 2020 | Client Consultancy, Cyber Security, OIT Updates, Special Alerts

Author: Todd Gifford – Chief Technology Officer (CISSP)

Background, context and audience

Following on from our first “What to do when you can’t patch”, this is the second in a series of blog posts about techniques you can use when you just can’t patch a particular device or system. The posts are aimed at a ‘technical’ audience, but won’t go into lots of deep technical detail, mostly because the details will vary depending on your particular situation, device or system use and context. Instead, we’ll focus on some high and mid-level techniques that can be adapted to your requirements. This is part 2 – please see the previous blog post for part 1.

What to do when you can’t patch – The network?!!!

You have to patch the network? Who knew? Well, many Security Professionals as it happens. Networks often get overlooked in patching terms, because how do they get malware? It’s just a switch, right? Or a firewall, or an access point? Well yes – but – and it’s a big but – those pieces of network equipment have all of your network traffic flowing through them. Firewalls and access points are a particular problem, as they are accessible from outside of your network: by everyone from those who would love to see if they can break in just for the sake of it, to those who could cripple your network and hold you to ransom over it.

Always ask why

Why? Closely followed by: Why, why, why, why. Crazy as it sounds, ‘5 Whys’ is a technique (one of many) for getting to the root of an issue. Once you get to the root cause of an issue, you can either understand the challenge and correct it, or find some way of mitigating it or working around it so it doesn’t then cause a problem (like an unpatched door control system being hacked, for example). For me, this is fundamental to the process of mitigating unpatched systems. Often, once you get to the root cause, you may actually find you can patch the system or service, and the blocker is something easily fixed: the risk of the system not coming back up, the lack of a paid maintenance/support subscription, an old version of software that just hasn’t been updated, or some other easy workaround (like a registry or config file change).

So why is the network such an issue?

The reason this comes into stark relief with the network is this: networking kit just, well, works most of the time, and keeping it up to date or replacing it rarely delivers any tangible business value beyond security. As we all know, the majority of businesses will let security take a back seat as long as everything else just works.

The problem with networks is that they rarely have active or effective security monitoring that can detect when a security breach (or attempted breach) is happening; therefore, if there is one in progress, who notices? Many botnets, for example, are built from insecure home or SOHO routers with poor security – they are easy to breach and no-one notices when someone skims some performance off the top – they just assume the network is running slow. What’s more, these devices have no third-party AV to detect such things.

Patched your VPN recently?

Anything that runs code could have vulnerabilities, and they could be exploited. A quick internet search for the term ‘remote access VPN vulnerabilities’ retrieves what is technically known as ‘a lot’ of results. From all the big vendors to the smaller ones – everyone has had a vulnerability of some sort.

Out of date kit

One of the key issues we see with network security is organisations still running out of date firewalls with remote VPN enabled. In one recent example, the firewall model in use at an organisation we visited was last offered for sale in 2013. I remember installing the same model in 2005 or so. No great shakes – but – no software patches have been available since at least 2018. That means this particular device was not eligible to be in scope for things like the self-certification version of Cyber Essentials. Forget being in compliance with PCI DSS, for example.

This is the sort of issue that the ICO loves to investigate and highlight – and for good reason.

Internet risk

In our previous post on the subject of what to do when you can’t patch, network security was one of the methods you could potentially use to help reduce security risk for unpatched systems. With network kit, however, unplugging the network cables from the ISP router to your firewall, or disconnecting your WiFi Access Points, would likely really annoy your users and management team.

So, what do you do when you can’t patch your network?

So what would I do with an out of date firewall and remote access VPN?

Let’s focus on the firewalls and VPNs, and let’s set some criteria to work with:

  • You have a firewall which is beyond support (no software patches available)
  • The remote client VPN you are using has a critical vulnerability which can easily allow an attacker to hijack a VPN session, or create their own and bypass any authentication
  • Email is still on-premise and you need to be on the VPN to access it
  • File serving and the main ERP system are also still hosted on internal servers
  • The majority of users are currently working remotely via VPN
  • You have a Cyber Essentials Plus scan coming up

Firstly – let’s list some of the things NOT to do – just in case they are tempting for a quick win:

  • Just open the services you need to the internet – too much of this happens as a quick fix
  • Allow RDP directly onto some servers so users can access a remote desktop, or indeed their own desktops
  • Allow users to use their own remote access tools in an uncontrolled way
  • Just switch off the remote VPN – that is a quick way to start looking for a new job
  • Nothing – whilst that seems like a viable approach – due to the level of risk, it really isn’t!

Suggested actions

  • Clearly, the obvious solution would be to update the firewall to something that is supported and just make the problem go away. If your previous attempts at getting funding for this haven’t gone anywhere, it may be time to brush up on those business case skills. Focus on the risks of not doing anything, the potential consequences (like not passing the CE+ audit your business needs in order to do work for your biggest customer) and the benefits of change.
  • Do you need to replace the whole firewall or just the VPN? It’s perfectly possible to switch off the remote VPN service on the device and use something else instead that sits behind the firewall (please, just not the Microsoft PPTP service…). A small Fortigate firewall appliance to handle just remote VPN can be purchased for around £1,200, for example, at the time of writing. I don’t normally talk about specific technologies as there are lots of great technology options out there, but at that price point it’s almost affordable for home use, so it is worth a mention. This approach won’t technically get you past Cyber Essentials as the main firewall is still past its sell-by date, but it will remove the critical remote VPN vulnerability.
  • Have a clear plan, including end-user engagement about the planned changes and what users will need to do differently. Also, explain why the changes are happening.
  • Implement and test with a small user group, to begin with – get feedback.
  • Once the test group are comfortable, you can roll out the changes to the rest of the business
  • Depending on what else the firewall is doing and how much change there is – you can also swap the whole thing out. This would always be my recommendation in this instance – it will be easier to manage, likely more reliable and will remove the legacy kit for good.

In the current times, the thought of spending cash to end up with a different way of doing the same thing (albeit with a supported system) might be a hard sell. Focus on value, risks and benefits. If that still doesn’t fly, then it may be time to consider your options.

STOP – What about why?

Before we finish up on this – we haven’t explored the why of the situation. Why do we need to replace the firewall? Not because it’s out of date, but why do we need it in the first place?

A:  It’s needed to protect and provide access to the on-premise services that particular business uses

Q:  Why do you have those services on-premise?

A:  That is where they have always been

Q:  Have you considered moving them to the cloud?

A: No – that’s for small businesses isn’t it?

Ermmm – not really. If you follow this trail, you may end up in a place where the office isn’t needed any more, ergo having a firewall isn’t something you need either – in which case the problem just goes away.

Risk avoidance is a perfectly good security strategy. If you look at the very root of this particular situation, you may just be better off moving the business services to their cloud equivalents and dropping the need to replace the firewall ever again.

Contact us with any of your specific questions – and keep an eye out for my series of posts. I’ll provide some more detail on network security with some examples and possibly even a diagram or two.
