
The Risks and Consequences of Lax Patch Management

柴艺
Published 2020-12-18 14:00:25

Although software patches are inconvenient and cumbersome for both enterprises and individual users, these fixes play an important role in protecting computer systems that are now vital to everyday life.

Earlier this month, the IT systems of a major hospital in the city of Dusseldorf were attacked by hackers, and a woman in a life-threatening condition died.

The emergency patient could not be treated because the systems of the Dusseldorf University Clinic had been disrupted for a week by an apparent ransomware attack. As a result, the woman was sent to a hospital 20 miles away, where doctors were unable to begin treatment for another hour. She subsequently died.

To sabotage the hospital systems, the hackers exploited the Citrix ADC vulnerability CVE-2019-19781, which lets attackers execute their own code on compromised servers. According to the hackers' extortion note, the "misdirected" attack was originally aimed at Heinrich Heine University.

Citrix released a patch for the vulnerability on January 24, but the hospital apparently had not yet installed the fix.

According to Italian cybersecurity firm SecurityOpenLab, the same Citrix vulnerability was exploited on September 9 to attack the servers of Italian eyewear giant Luxottica Group. That attack forced Luxottica to shut down operations in Italy and China.

Cybersecurity Priorities

Incidents like this raise the question of why enterprises do not patch vulnerabilities immediately once software makers release a fix.

Chloé Messdaghi, VP of Strategy at Point3 Security, told TechNewsWorld: "Too many organizations are overly dependent on scanners to discover what needs to be patched." These "provide only the bare minimum of information."

Many scanners are not up to date and do not prioritize issues, Messdaghi said. "They can't provide a trustworthy view into what is critical to patch immediately, what may be a lower priority but requires timely action, and what may carry less risk."

She pointed out that even when IT staff patch vulnerabilities, they may not fully test those patches.

On the consumer side, users employ the same password on multiple sites, or fail to implement basic cybersecurity measures such as installing antivirus or antimalware software, updating that software and their operating systems in a timely manner, and refraining from clicking on links embedded in, or attachments to, emails whose sender they have not verified, or on links on web pages they visit.

Dan Piazza, Technical Product Manager at cybersecurity firm Stealthbits Technologies, told TechNewsWorld: "Time and again, users have proven they'll disregard expert advice, reuse credentials, and select simple passwords."

The U.S. Federal Bureau of Investigation said in a private industry notification to the financial sector earlier this month that using the same password across multiple accounts is widespread.

The U.S. Securities and Exchange Commission (SEC) said in a risk alert issued on September 15: "Successful attacks occur more often when individuals use the same password or minor variations of the same password for various online accounts, and/or ... use login usernames that are easily guessed, such as email addresses or full names."

Self-Enforcement at Every Level

Users' failure to follow simple security procedures has long troubled cybersecurity experts and vendors.

In 2004, Microsoft's then-CEO Steve Ballmer called on individual users to take responsibility for their own cybersecurity. In 2010, Cisco Systems declared that cybersecurity is everyone's responsibility.

For years, high-tech and cybersecurity software vendors, banks and other organizations have tried to get consumers to follow basic rules to protect their own cybersecurity, but "companies should now assume users will act against their best interests when it comes to credentials, and start forcing good password and security habits," Stealthbits' Piazza advised.

Piazza recommended that firms trying to protect their networks against breaches consider real-time threat detection and response solutions, as well as password policy enforcement software, because convincing users to follow credential best practices is an uphill battle, so companies should start enforcing good habits programmatically.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, took a step toward enforcing vulnerability patching on September 18 when it released an emergency directive strongly recommending that both the public and private sectors patch a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol, CVE-2020-1472.

The Netlogon vulnerability, for which Microsoft released a patch in August, could let attackers take over domain controllers on a victim's network.

CISA gave public sector IT departments the weekend, until midnight on September 21, to install the patch, remove domain controllers that could not be patched, and implement technical and management controls.

Saryu Nayyar, CEO of cybersecurity firm Gurucul, told TechNewsWorld that it is "virtually inevitable" that some public sector systems will fall through the cracks. "Even the best-run environments have strays."

As for the private sector, "it's likely that some organizations will weigh the organizational costs and delay addressing this directive based on assumed risk or resource concerns," Nayyar added. Private companies may be forced to patch the Windows Netlogon flaw.

Joe Dibley, security researcher at Stealthbits Technologies, told TechNewsWorld that on February 9, 2021, Microsoft will begin enforcing new settings that improve the security of the Netlogon Remote Protocol. The flaw will have to be patched first.

Corporate Responsibility

Chris Clements, VP of Solutions Architecture at managed security services provider Cerberus Sentinel, told TechNewsWorld: "Nearly all organizations have processes and procedures for ensuring their Windows systems receive patches in an automated and timely manner, but very few have strategies for any other products in their environment. The state of patching for network appliances is often abhorrent, simply because the responsibility hasn't been clearly defined."

That said, companies "can absolutely be made to take more responsibility for their own cybersecurity," Mounir Hahad, head of Juniper Threat Labs, told TechNewsWorld.

On the consumer side, an online survey of 1,000 people across the U.S. conducted in May by professional network services and accounting firm KPMG found that users merely pay lip service to cybersecurity.

According to the survey, about 75 percent of respondents consider it risky to use the same password for multiple accounts, use public WiFi, or save a card to a website or online store, yet more than 40 percent do these things anyway.

"Consumers are their own last line of defense when it comes to cybersecurity," Stealthbits' Piazza remarked. "Although businesses and governments have a responsibility to protect the sensitive data in their possession, ultimately consumers can ensure their digital well-being by following cybersecurity best practices themselves."

"When new security features are added to a website or software, users typically only accept them if they are not impeded in any way, or if they can see an immediate, tangible benefit.

"Most best practices for personal cybersecurity don't come with strong, immediate motivating factors for consumers unless they look at the big picture," Piazza said.

Juniper's Hahad believes the consumer is not to blame. "Cybersecurity professionals would like to enlist consumers' help in limiting or mitigating cybersecurity risk, but we cannot hold them responsible for things they do not understand," he said.

In his view, the onus is on businesses to ensure cybersecurity, for themselves and for consumers.

Higher Standards for Passwords

"We would like consumers not to keep default passwords, but we'd rather require companies not to allow default passwords to persist," Hahad said.

"We can ask consumers to choose stronger passwords, but we'd rather have services refuse weak passwords. We can ask consumers not to reuse passwords, but we'd rather have a consortium checking whether passwords are being reused across sites or services," he explained.

Piazza commented that one way around this is privacy by design, which is the new normal when designing software, websites and services.

"While consumers can't be legally forced to follow security best practices, government regulations will force organizations to adopt better safeguards, which in turn will lead to stricter policies around user password selection, the use of multifactor authentication, and other aspects of the consumer authorization workflow," he concluded.

Original title: The Risks and Consequences of Lax Patch Management

Original text: Although software patches can be inconvenient and cumbersome for both enterprises and individual users, these fixes serve an important role in protecting computer systems which are now vital to everyday life.

Earlier this month, a woman with a life-threatening condition passed away after hackers crashed the IT systems of a major hospital in the city of Dusseldorf.

The emergency patient could not be admitted for treatment because the Duesseldorf University Clinic could not access data after its systems had been disrupted for a week by an apparent ransomware attack. As a result, the woman was sent to a hospital 20 miles away where doctors were not able to begin treatment for another hour. She subsequently died.

To sabotage the hospital systems, the hackers exploited a Citrix ADC CVE-2019-19781 vulnerability which can let attackers execute their own code on hacked servers. The "misdirected" attack reportedly was originally intended for Heinrich Heine University, according to an extortion note from the hackers.

Citrix issued a patch for the vulnerability on January 24, but it appears that the hospital had not yet installed the fix.

The same Citrix vulnerability was exploited September 9 to attack the servers of Italian eyewear giant Luxottica Group, according to Italian cybersecurity firm SecurityOpenLab. That attack forced Luxottica to shut down operations in Italy and China.

Cybersecurity Priorities

Incidents like this raise the question of why corporations do not patch vulnerabilities as soon as software manufacturers issue a fix.

"Too many organizations are overly dependent on scanners to discover what needs to be patched," Chloé Messdaghi, VP of Strategy at Point3 Security, told TechNewsWorld. These "provide only the extreme bare minimum of information."

Many scanners are not up to date, and don't prioritize issues, Messdaghi said. "They can't provide a trustworthy view into what's critical to patch immediately, what may be a lower priority but requires timely action, and what may have less risk."

Even when IT staff patch vulnerabilities, they may not fully test those patches, she pointed out.
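Messdaghi's complaint is that a scanner export lists findings but does not say which to fix first. The following is an added example (not code from the article or from any vendor quoted in it) of the triage logic a defender layers on top of such an export: each finding is placed in a tier from active exploitation, exposure and score, then ordered by how long a vendor fix has been available, so a patch released months ago and still uninstalled (the Citrix case in the article) rises to the top. The inventory is constructed; the two real CVEs are the ones the article names, the other identifiers are placeholders, and the exact Netlogon fix date is an assumption (the article only says "August").

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Added example, not code from the article or any vendor quoted in it.
# Ranks scanner findings by active exploitation, exposure and score, then by
# how long a vendor fix has been sitting uninstalled.


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float                     # base score as reported by the scanner
    exploited_in_wild: bool         # e.g. named in a CISA emergency directive
    internet_exposed: bool          # reachable from outside the perimeter
    patch_released: Optional[date]  # None = no vendor fix yet


def tier(f: Finding) -> str:
    """Map one finding to a remediation tier.

    immediate - actively exploited, or internet-exposed with a critical score
    timely    - high score, or internet-exposed with at least a medium score
    monitor   - everything else
    """
    if f.exploited_in_wild or (f.internet_exposed and f.cvss >= 9.0):
        return "immediate"
    if f.cvss >= 7.0 or (f.internet_exposed and f.cvss >= 4.0):
        return "timely"
    return "monitor"


_TIER_ORDER = {"immediate": 0, "timely": 1, "monitor": 2}


def fix_age_days(f: Finding, today: date) -> int:
    """Days a vendor fix has been available; -1 when there is none."""
    return (today - f.patch_released).days if f.patch_released else -1


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """Most urgent first: by tier, then oldest available fix, then score."""
    return sorted(
        findings,
        key=lambda f: (_TIER_ORDER[tier(f)], -fix_age_days(f, today), -f.cvss),
    )


def overdue(findings: List[Finding], today: date, max_days: int = 30) -> List[Finding]:
    """Findings whose vendor fix has been available longer than max_days."""
    return [f for f in findings if fix_age_days(f, today) > max_days]


# Constructed sample inventory. The two real CVEs are the ones the article
# names; the other two entries use placeholder identifiers. The Netlogon fix
# date is an assumption (the article only says "August").
SAMPLE = [
    Finding("citrix-adc-01", "CVE-2019-19781", 9.8, True, True, date(2020, 1, 24)),
    Finding("dc-01", "CVE-2020-1472", 10.0, True, False, date(2020, 8, 11)),
    Finding("hr-app-02", "CVE-XXXX-PLACEHOLDER-1", 7.5, False, False, date(2020, 9, 1)),
    Finding("lobby-kiosk", "CVE-XXXX-PLACEHOLDER-2", 3.1, False, False, None),
]
REPORT_DATE = date(2020, 9, 21)  # the CISA deadline quoted in the article


def demo() -> List[tuple]:
    """Ordered (host, tier, days-fix-available) rows for the sample inventory."""
    return [(f.host, tier(f), fix_age_days(f, REPORT_DATE))
            for f in prioritize(SAMPLE, REPORT_DATE)]


if __name__ == "__main__":
    for row in demo():
        print(row)
    print("overdue:", [f.host for f in overdue(SAMPLE, REPORT_DATE)])
```

The thresholds are deliberately simple; what matters for the article's point is that exploitation status and fix age, not the raw score alone, decide the order, and that `overdue()` gives a list that can be tracked against an SLA rather than rediscovered at the next scan.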

On the consumer side, users employ the same passwords on multiple sites, or fail to implement basic cybersecurity measures such as installing antivirus or antimalware software, updating that software and their operating systems in a timely manner; and refraining from clicking on links embedded in, or attachments to, emails whose sender they have not verified, or links on web pages they visit.

"Time and again, users have proven they'll disregard expert advice, reuse credentials, and select simple passwords," Dan Piazza, Technical Product Manager at cybersecurity firm Stealthbits Technologies, told TechNewsWorld.

Using passwords across multiple accounts is widespread, the United States Federal Bureau of Investigation stated in a private industry notification to the financial sector earlier this month.

"Successful attacks occur more often when individuals use the same password or minor variations of the same password for various online accounts, and/or...use login usernames that are easily guessed, such as email addresses or full names," the U.S. Securities and Exchange Commission said in a risk alert issued on September 15.

Self-Enforcement at Every Level

Users' failure to follow simple security procedures has long vexed cybersecurity experts and vendors.

In 2004, Microsoft's then-CEO Steve Ballmer called on individual users to take responsibility for their own cybersecurity. In 2010 Cisco Systems asserted that cybersecurity is everyone's responsibility.

High-tech and cybersecurity software vendors, banks and other organizations have been trying to get consumers to follow basic rules to protect their cybersecurity for years, but "Companies should now assume users will act against their best interests when it comes to credentials, and start forcing good habits for passwords and security," Stealthbits' Piazza advised.

Piazza recommended that firms trying to protect their networks against breaches consider real-time threat detection and response solutions, and password policy enforcement software, because "Convincing users to adhere to credential best practices is an uphill battle, so companies should start forcing good habits programmatically."

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, on September 18 took a step toward enforcing vulnerability patching when it released an emergency directive strongly recommending both the public and private sectors patch a critical vulnerability in Microsoft Windows Netlogon Remote Protocol called CVE-2020-1472.

The Netlogon vulnerability, for which Microsoft issued a patch in August, could let attackers take over domain controllers on a victim's network.

CISA gave public sector IT departments the weekend -- until midnight September 21 -- to install the patch, remove domain controllers that could not be patched, and implement technical and management controls.

It's "virtually inevitable" that some public sector systems will fall through the cracks, Saryu Nayyar, CEO of cybersecurity firm Gurucul, told TechNewsWorld. "Even the best run environments have strays."

As for the private sector, "It's likely that some organizations will weigh the organizational costs and delay addressing this directive based on assumed risk or resource concerns," Nayyar added. Private companies may be forced to patch the Windows Netlogon flaw.

On February 9, 2021, Microsoft will begin to enforce new settings that will improve the security of the Netlogon Remote Protocol, Joe Dibley, security researcher at Stealthbits Technologies, told TechNewsWorld. The flaw will have to be patched first.

Corporate Responsibility

"Nearly all organizations have processes and procedures for ensuring their Windows systems receive patches in an automated and timely manner, but very few have strategies for any other products in their environment," Chris Clements, VP of Solutions Architecture with managed security services provider Cerberus Sentinel, told TechNewsWorld. "The state of patching for network appliances is often abhorrent, simply because the responsibility hasn't been clearly defined."

That said, corporations "can absolutely be made to take more responsibility for their own cybersecurity," Mounir Hahad, head of Juniper Threat Labs, told TechNewsWorld.

On the consumer side, users pay lip service to cybersecurity, an online survey of 1,000 people across the U.S. conducted in May by professional network services and accounting firm KPMG found.

About 75 percent of the respondents consider it risky to use the same password for multiple accounts, use public WiFi, or save a card to a website or online store, but more than 40 percent do these things, according to the survey.

"Consumers are their own last line of defense when it comes to cybersecurity," Stealthbits' Piazza remarked. "Although businesses and governments have a responsibility to protect sensitive data in their possession, ultimately consumers can ensure their digital well-being by following cybersecurity best practices themselves."

"When new security features are added to a website or software, users are typically only OK with them if they're not impeded in any way, or if they can see an immediate, tangible benefit.

"Most best practices for personal cybersecurity don't come with strong, immediate motivating factors for consumers unless they look at the big picture," Piazza said.

The consumer is not to blame, Juniper's Hahad contends. "Cybersecurity professionals would like to enlist the help of consumers in limiting or mitigating cybersecurity risk, but we cannot hold them responsible for things they do not understand," he said.

The onus, in his view, is on businesses to ensure cybersecurity, for themselves and consumers.

Higher Standards for Passwords

"We would like consumers not to keep default passwords, but we'd rather require companies not to allow default passwords to persist," Hahad said.

"We can ask consumers to choose stronger passwords, but we'd rather have services refuse a weak password. We can ask consumers to not reuse passwords, but we'd rather have a consortium checking passwords are not being reused across sites or services," he explained.
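Hahad's three asks (no persistent defaults, services that refuse weak passwords, a consortium that detects reuse across sites) can all be enforced server-side at account creation or password change. The block below is an added example, not code from the article or from any vendor quoted in it. It rejects a constructed denylist of default passwords and short passwords outright, and models the consortium lookup as an in-memory index keyed by the first five hex characters of SHA-1, so the service would send only that prefix and match the remainder locally (the k-anonymity scheme the Pwned Passwords range API uses). The sample corpus is constructed, and `ReuseIndex` is a stand-in for a real shared service, not a client for one.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Tuple

# Added example, not code from the article or any vendor quoted in it.
# Server-side password policy: refuse defaults and weak passwords at the
# service, and consult a shared breach/reuse corpus without ever sending it
# the plaintext password.

# Constructed denylist of vendor-style defaults; real deployments use a far
# larger list.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "welcome"}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class ReuseIndex:
    """Stand-in for a cross-site consortium lookup.

    Entries are bucketed by the first 5 hex characters of SHA-1, so a client
    sends only that prefix and matches the remainder locally (the k-anonymity
    scheme the Pwned Passwords range API uses). In-memory model only.
    """

    def __init__(self, known: Iterable[str]):
        self._buckets: Dict[str, Set[str]] = {}
        for pw in known:
            h = sha1_hex(pw)
            self._buckets.setdefault(h[:5], set()).add(h[5:])

    def range(self, prefix: str) -> Set[str]:
        """What the consortium would return for a 5-character prefix query."""
        return self._buckets.get(prefix, set())


def seen_elsewhere(password: str, index: ReuseIndex) -> bool:
    """True if the full hash suffix appears in the bucket for its prefix."""
    h = sha1_hex(password)
    return h[5:] in index.range(h[:5])


def evaluate(password: str, index: ReuseIndex, min_len: int = 12) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons). An empty reasons list means accepted."""
    reasons: List[str] = []
    if password.lower() in DEFAULT_PASSWORDS:
        reasons.append("default password")
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if seen_elsewhere(password, index):
        reasons.append("present in breach/reuse corpus")
    return (not reasons, reasons)


# Constructed sample corpus standing in for data a consortium would hold.
SAMPLE_INDEX = ReuseIndex(["Summer2020!", "qwerty123456", "letmein", "admin"])


if __name__ == "__main__":
    for candidate in ["admin", "qwerty123456", "Tq7#vLm9!pR2xZ"]:
        print(candidate, evaluate(candidate, SAMPLE_INDEX))
```

Returning the list of reasons rather than a bare boolean lets the service tell the user exactly which rule fired, which is the "tangible benefit" Piazza says users need to accept a security control; the prefix lookup means the consortium never learns the candidate password itself.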

One way around this is to implement privacy by design, which is the new normal when designing software, websites and services, Piazza commented.

"While consumers can't be legally forced to follow security best practices, government regulations will force organizations to employ better safeguards, which in turn will result in more enforced policies surrounding user password selection, the use of multifactor authentication, and other aspects of the consumer authorization workflow," he concluded.

Author: Richard Adhikari

Original article: https://www.technewsworld.com/story/86863.html
