Craig Explains Why Companies Believe That They Are Completely Patched Up and Why It Means More Than Your Operating System
For more tech tips, news, and updates visit – CraigPeterson.com
Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] Hey, do you have a 99% patch rate? Gonna talk right now about why that is a load of UMHUM in every case that I’ve ever seen.
Craig Peterson here and here we go.
Hey everybody. Thanks for joining me today. This is something that I don’t know if I can ever repeat enough, but I want to take a little bit of a different angle on this than I have before. Most of us know that we’re supposed to patch. What do we patch? What are we using? You might turn on automatic updates on Windows. You might have those turned on macOS, of course, on your iOS devices. Maybe you’ve got an Android device that’s less than two years old and still gets updates, so you have that turned on. Here’s the problem. I have yet to walk into a business that doesn’t say that they have just a phenomenal patch rate.
You know, so for instance, you’ll walk in there and you say, how good are you guys at keeping up on patches? Almost every last one of them says, yeah, almost a hundred. We’re probably 99, 98% of the patches are up to date and we’re just phenomenal. We’re safe. Yeah, we’re safe. Don’t worry about us. Yeah, we’re safe. Don’t worry about it.
I’ve been in a couple of businesses and said that and then, they got nailed something awful and they were too embarrassed to call me back. When I talked to them later on, I found out what had really happened with them.
Many people and many businesses are focused on that patch rate, and that kind of makes sense. We have to make sure the patches are done, particularly the critical patches. But why is it that I go into a business and every business says, yeah, we’re patched up. It might not be a hundred percent, but we’re patched up. Every business says that.
Yet I always find critical vulnerabilities when I poke around. When I do a scan. When we do these paid assessments to come up with an action plan for businesses. We scan their systems, which means their workstations, it also of course means their servers and maybe other devices that are out there. I have never scanned a device that did not contain a critical vulnerability.
Where’s the disconnect? Why are businesses and people saying, yeah, we have this 99% patch rate? Yet I am continually finding major problems. It has to do with what’s being patched. People are not patching the right thing. So let’s look at a couple of different things here.
First of all. When we’re talking about workstations, desktops, laptops. Here are the four types of software that are attacked the most. Number one, internet browser add-ins. How many of us have extensions on our browsers? Some of those extensions are, in fact, malicious themselves. Internet browsers.
Another big attack vector is operating systems. Of course, all of our office applications, all of our productivity stuff, software like I’m using right now for the radio show. All of this stuff gets attacked. But when we’re talking about a 99% patch rate, “yeah, we’re pretty much all patched up,” what they’re almost always thinking about and talking about is patching the operating system, and that’s where things end.
Now on the server side, when we go into businesses, we’re finding the web server software, the database server, the operating systems on those servers, the remote server management stuff, like RDP, the Active Directory. Those are what is always being attacked. So why the disconnect? It’s because it’s difficult to patch everything.
Microsoft, I already mentioned, has the ability to automatically install updates. In fact, if you don’t have the business versions, the enterprise versions of Windows, Professional, you’re forced to do updates. You don’t even get to say when you want those updates to happen. If you’re running iOS, on your iPhone, on your iPad, again, updates just happen automatically.
But how about all of those apps? If you’re getting those apps on your mobile devices from the stores, like the Google Play Store or the Apple store, you were probably getting updates for your applications. If you’re not getting them from there, you’re probably not getting updates.
So not patching the right thing is a very big deal. I wanted to talk right now about one specific thing that people are not patching. Frankly, that is our web server. You’ve got a website, right? If you’re a business, any size business, you’ve got a website. You have to have a website. You have to get the message out.
Now, of course, you can have some emails from other things too, but we’re going to focus on one thing right now, the website. Hackers are actively exploiting right now, a vulnerability in a WordPress plugin. Now, I mentioned our browser plugins are the extensions for our browsers and how those can be hacked in many cases.
It’s another vector, obviously, for the bad guys to get on to our computers and really start messing around. In this case, we’re talking about WordPress web server, which is the number one most popular web server out there, WordPress, and there are more than 700,000 active installations of this. We are using it for our own little websites for our families. We’re using it for our businesses. We’re using it for our associations or organizations. This particular file manager plugin, which extends features for WordPress, allows bad guys to run commands and malicious software, things like scripts, whenever they want to. Now, how many people are keeping their WordPress installation up to date?
Are you keeping your Flash up to date? Are you keeping your other Adobe software up to date? How about all of the other software you’re running on your computers? I look at this computer and it’s just astounding how much software I have installed here on my Mac that I use all the time.
So the attackers are using this exploit to upload files that have these shell scripts in them that are hidden in an image. Makes it even harder for you to find.
So we have to be very careful. We don’t know the impact of all of this yet. It’s probably pretty bad. There are some companies that are blocking it. We block it as well, but we’re talking about millions of exploit attempts over the course of the last couple of weeks. That is pretty bad.
And we’ve only seen about half of the sites out there, the WordPress sites, actually patched up. So make sure you do the update. You have to inventory everything you have. Everything your enterprise uses. What software do you have? What is it installed on? Is it up to date?
Don’t just willy-nilly allow people to install software on their computers, and don’t do it yourself either. Every time you install software, you open up another potential way for bad guys to get in. It’s something else you have to track. It’s something else you have to inventory. It’s something else you have to update. You have to upgrade.
People are just downloading stuff willy-nilly. And remember what was the very first thing I said that’s attacked frequently: internet browser add-ins. That means internet browser add-ins means that those wonderful little bars that people install on their browsers are, yeah, those are malicious much of the time. At the very least, they are providing something called adware that’s tracking where you’re going. Sometimes it replaces the ads on the website, shows you stuff. It clicks through to these, not clickbait sites, but click through to make them money on ads that they’re running.
It’s bad. We can’t do it now. I wish we had more time. All right.
You’re listening to Craig Peterson.
Stick around because when we get back, we’re going to talk about an Apple problem with security this time.