What to do when you can’t patch – Pt 2
Author, Todd Gifford – Chief Technology Officer (CISSP)
Background, context and audience
Following on from our first “What to do when you can’t patch”, this is the second in a series of blog posts about techniques you can use when you just can’t patch a particular device or system. The posts are aimed at a ‘technical’ audience, but won’t go into lots of deep technical detail, mostly because the details will vary depending on your particular situation, device or system use and context. Instead, we’ll focus on some high- and mid-level techniques that can be adapted to your requirements. This is part 2 – please see the previous blog post HERE.
What to do when you can’t patch – The network?!!!
You have to patch the network? Who knew? Well, many Security Professionals as it happens. Networks often get overlooked in patching terms, as how do they get malware? It’s just a switch, right? Or a firewall, or an access point? Well yes – but – and it’s a big but – those pieces of network equipment have all of your network traffic flowing through them. In particular, firewalls and access points are problems, as they are accessible from outside of your network, by everyone from those who would love to see if they can break in just for the sake of it, to those who could cripple your network and hold you to ransom over it.
Always ask why
Why? Closely followed by: why, why, why, why. Crazy as it sounds, “5 Whys” is a technique (one of many) for getting to the root of an issue. Once you get to the root cause of an issue, you can either understand the challenge and correct it, or find some way of mitigating it or working around it so it doesn’t then cause a problem (like an unpatched door control system being hacked, for example). For me, this is fundamental to the process of mitigating unpatched systems. Often, once you get to the root cause, you may actually find you can patch the system or service, and the blocker is something easily fixed: the risk of the system not coming back up, the lack of a paid maintenance/support subscription, an old version of software that just hasn’t been updated, or something with an easy workaround (like a registry or config file change).
So why is the network such an issue?
The reason this comes into stark relief with the network is this: networking kit just, well, works most of the time, and keeping it up to date or replacing it rarely delivers any tangible business value beyond security. As we all know, the majority of businesses will let security take a back seat as long as everything else just works.
The problem with networks is that they rarely have active or effective security monitoring that can detect when a security breach (or attempted breach) is happening; therefore, if there is one in progress, who notices? Many botnets, for example, are built from insecure home or SOHO routers with poor security – they are easy to breach and no-one notices when someone skims some performance off the top – users just assume the network is running slow. What’s more, these devices have no third-party AV to detect such things.
Patched your VPN recently?
Anything that runs code could have vulnerabilities, and they could be exploited. A quick internet search for the term ‘remote access VPN vulnerabilities’ retrieves what is technically known as ‘a lot’ of results. From all the big vendors and the smaller ones – everyone has had a vulnerability of some sort.
Out of date kit
One of the key issues we see with network security is organisations still running out-of-date firewalls with remote VPN enabled. In one recent example, the firewall model in use at an organisation we visited was last offered for sale in 2013. I remember installing the same model in 2005 or so. No great shakes – but – no software patches have been available since at least 2018. That means this particular device was not eligible to be in scope for things like the self-certification version of Cyber Essentials. Forget being in compliance with PCI DSS, for example.
This is the sort of issue that the ICO loves to investigate and highlight – and for good reason.
In our previous post on the subject of what to do when you can’t patch, network security was one of the methods you could potentially use to help reduce security risk for unpatched systems. With network kit however – unplugging the network cables to the ISP router from your firewall or disconnecting your WiFi Access Points would likely really annoy your users and management team.
So, what do you do when you can’t patch your network?
So what would I do with an out of date firewall and remote access VPN?
Let’s focus on the firewalls and VPNs, and set some criteria to work with:
- You have a firewall which is beyond support (no software patches available)
- The remote client VPN you are using has a critical vulnerability which can easily allow an attacker to hijack a VPN session, or create their own and bypass any authentication
- Email is still on-premise and you need to be on the VPN to access it
- File serving and the main ERP system are also still hosted on internal servers
- The majority of users are currently working remotely via VPN
- You have a Cyber Essentials plus scan coming up
Firstly – let’s list some of the things NOT to do – just in case they are tempting for a quick win:
- Just open the services you need to the internet – too much of this happens as a quick fix
- Allow RDP directly onto some servers so users can access a remote desktop, or indeed their own desktops
- Allow users to use their own remote access tools in an uncontrolled way
- Just switch off the remote VPN – that is a quick way to start looking for a new job
- Nothing – whilst that seems like a viable approach – due to the level of risk, it really isn’t!
Now for what you can do:
- Clearly, the obvious solution would be to update the firewall to something that is supported and just make the problem go away. If your previous attempts at getting funding for this haven’t gone anywhere, it may be time to brush up on those business case skills. Focus on the risks of doing nothing, the potential consequences (like not passing the CE+ audit your business needs in order to do work for your biggest customer) and the benefits of change.
- Do you need to replace the whole firewall or just the VPN? It’s perfectly possible to switch off the remote VPN service on the device and use something else instead that sits behind the firewall (please, just not the Microsoft PPTP service…). A small FortiGate firewall appliance to handle just remote VPN can be purchased for around £1,200, for example, at the time of writing. I don’t normally talk about specific technologies as there are lots of great technology options out there, but at that price point it’s almost affordable for home use, so worth a mention. This approach won’t technically get you past Cyber Essentials, as the main firewall is still past its sell-by date, but it will remove the critical remote VPN vulnerability.
- Have a clear plan, including end-user engagement about the planned changes and what users will need to do differently. Also, explain why the changes are happening.
- Implement and test with a small user group, to begin with – get feedback.
- Once the test group are comfortable, you can roll out the changes to the rest of the business.
- Depending on what else the firewall is doing and how much change there is – you can also swap the whole thing out. This would always be my recommendation in this instance – it will be easier to manage, likely more reliable and will remove the legacy kit for good.
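To make the criteria and options above something you can apply across an inventory rather than one box at a time, here is an added example (not code from the original post) that ranks network devices by the same logic: beyond vendor support, reachable from outside, and running remote VPN. The device names, dates and the priority tiers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class NetworkDevice:
    name: str
    role: str                      # "firewall", "access_point", "switch"
    reachable_from_outside: bool   # internet-facing, or radio-reachable like an AP
    remote_vpn_enabled: bool
    support_ends: Optional[date]   # None = vendor no longer ships patches at all

def beyond_support(dev: NetworkDevice, today: date) -> bool:
    """A device is beyond support once the vendor stops shipping patches."""
    return dev.support_ends is None or dev.support_ends < today

def assess(dev: NetworkDevice, today: date) -> tuple[int, str]:
    """Map one device onto the post's options. Priority 1 is the most urgent."""
    unsupported = beyond_support(dev, today)
    if unsupported and dev.reachable_from_outside and dev.remote_vpn_enabled:
        return 1, ("Disable remote VPN on this box and move it to a supported "
                   "appliance behind the firewall; plan full replacement")
    if unsupported and dev.reachable_from_outside:
        return 2, "Plan replacement; out of scope for Cyber Essentials self-certification"
    if unsupported:
        return 3, "Schedule replacement; restrict management access in the meantime"
    return 4, f"Supported until {dev.support_ends}; keep patching"

def prioritise(inventory, today):
    """Return (device, priority, action) triples, most urgent first."""
    rows = [(dev, *assess(dev, today)) for dev in inventory]
    return sorted(rows, key=lambda r: r[1])

# Constructed sample inventory (hypothetical devices); fixed 'today' for reproducibility.
TODAY = date(2024, 6, 1)
INVENTORY = [
    NetworkDevice("core-sw-01", "switch", False, False, date(2027, 12, 31)),
    NetworkDevice("edge-fw-01", "firewall", True, True, date(2018, 1, 1)),
    NetworkDevice("wifi-ap-03", "access_point", True, False, None),
]

if __name__ == "__main__":
    for dev, prio, action in prioritise(INVENTORY, TODAY):
        print(f"P{prio} {dev.name:<12} {dev.role:<13} {action}")
```

The ranking puts the unsupported, internet-facing firewall with remote VPN at the top, which is the scenario the criteria list describes.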
In the current times, the thought of spending cash to end up with a different way of doing the same thing (albeit, with a supported system) might be a hard sell. Focus on value, risks and benefits. If that still doesn’t fly, then it may be time to consider your options.
STOP – What about why?
Before we finish up on this – we didn’t explore the why of the situation. Why do we need to replace the firewall? Not because it’s out of date, but why do we need it in the first place?
A: It’s needed to protect and provide access to the on-premise services that particular business uses
Q: Why do you have those services on-premise?
A: That is where they have always been
Q: Have you considered moving them to the cloud?
A: No – that’s for small businesses isn’t it?
Ermmm – not really. If you follow this trail – you may end up in a place where the office isn’t needed any more, ergo having a firewall isn’t something you need either – in which case the problem just goes away.
Risk avoidance is a perfectly good security strategy – if you look at the very root of this particular situation – you may just be better off moving the business services to their cloud equivalents and dropping the need to replace the firewall ever again.
Contact us with any of your specific questions – and keep an eye out for my series of posts. I’ll provide some more detail on network security with some examples and possibly even a diagram or two.