Upgrades or lack there of, a major concern for information security operations

Systems and network administration is an endless balancing act.  On the one hand, availability, stability and performance are paramount concerns, while adding functionality and security are less well understood demands outside the IT organization.  Everyone has felt the wrath of the business side when a simple, benign ‘upgrade’ shut down critical applications or network segments for hours on end.  And with today’s large-scale enterprise data stores, a major shared SQL or distributed database can take the better part of a day to rollback and restart.

Plus, there is the resistance of the business operations leadership to roll out major upgrades in critical infrastructure due to cost, disruption and training issues.  Often, then, we find operating systems, web browsers and other critical pieces of the desktop computer environment running versions that are multiple updates behind.

Every now and then, it becomes apparent that this can be a false economy.  The maintenance of stability and availability in exchange for higher risk of security vulnerabilities is a classic Faustian bargain.  Just this week, we saw two glaring examples of the risk of keeping older versions of critical software in production past their useful lifespan.

In a classic “watering hole” attack on US nuclear weapons workers, malicious code was introduced into servers at the Department of Labor that utilized a zero-day vulnerability in Internet Explorer 8 to install the “Poison Ivy” backdoor trojan.  To make matters worse, in this case Poison Ivy had been modified so that it was only detectable by 2 out of 46 major anti-virus programs.  One of the keys to this attack is that the vulnerability only existed on IE 8.  Not only were newer versions unaffected, but IE 6 and 7 were similarly not vulnerable.  So the diligent Admin who, faced with a workforce still using Windows XP who had done the right thing and upgraded to the latest available browser, IE 8, found his systems to be suddenly at risk of infection by a virulent piece of malware.

The second example illuminates a different kind of obsolescence.  Using a previously unknown vulnerability in the Cold Fusion web server/content management platform, attackers were able to gain access to critical customer information at the server hosting company Linode. There are indications that the Linode network was compromised for weeks before discovery.

Cold Fusion represents the potential risks of evolution and attrition in the server marketplace.  Ten years ago CF was a major website development and deployment platform, but as other, often open platforms have gained prominence, the earlier generation of proprietary systems like Cold Fusion have lost significant market share.  And as that happens, it is very common that the vendor’s investment in those aging, declining products is also reduced.  In the case of Cold Fusion, there has not been significant development work since 2009, and yet many large organizations, including government agencies and institutions, have continued to use the platform due to their large investment and institutional expertise.  But without ongoing development and a thriving user community, vulnerabilities can be discovered and quietly exploited over longer periods of time than for other, more modern products.

The lesson here is not a new one – keep all your systems upgraded and patched to reduce exposure to exploits and vulnerabilities.  Think of it more as a reminder of the critical nature of keeping your network and desktop infrastructure current.  But there’s also a reality check – we build and maintain our networks in response to more than just optimal technological imperatives.  And sometimes that causes us to make decisions that increase the vulnerability of our systems, servers, users and customers.  That’s why it is critical that the security infrastructure includes the analytics and intelligence to detect these attacks in real time without waiting for a signature or a patch.  In the absence of “perfect” security, there really is no option but to accept that some attacks are going to be successful, and we have to have a way to detect them before major damage is done.