Break Fix

David Sheidlower, Vice President, Chief Information Security & Privacy Officer, Turner Construction

It really does keep happening. Public and private security organizations insist that timely patching is essential to preventing cyber attacks. And yet, we still hear regularly of organizations attacked by a hacker exploiting a vulnerability for which a patch existed days, if not weeks, before the attack.

How can we change this? More robust vulnerability management is one answer. Automated tools are certainly another. But I would also argue that as security practitioners, we need to advocate for a dramatic shift in how IT sees a system that is not up on its patches. Too often, IT treats vulnerability management as something they do to support security requirements. We need them to see an unpatched system as broken, because ‘break fix’ is a process they have already built into their sense of mission.

I’ll illustrate this with a car analogy. Imagine a fairly new car with the front passenger side door completely missing. The car starts and drives fine. The driver puts on a seat belt and drives it on the highway daily. Fast. In this analogy, there are human-seeking murder hornets that want nothing more than to sting a person, and they not only inhabit the area surrounding the highway, but they are capable of getting into an open car even at high speeds.

Now, you’re the person who sold the car and a maintenance contract to the driver. Imagine telling the driver the car runs great, and you can get to that door ‘issue’ in a few weeks. Imagine telling the driver their car is not broken (‘it runs, doesn’t it?’) and that you can get a new door put on as part of routine maintenance.

To leave nothing unsaid, let me unpack the analogy. The car without the door is an unpatched system. The driver is a user. The seat belt is a mitigating control. The highway is the internet (not the first time that comparison has been made), and the murder hornets are, of course, the hackers.

Take it one step further and imagine telling the driver: we’re not going to tell you when the door is missing, and regardless, drive carefully and avoid murder hornets. If you get stung, we’ll say you’re the ‘weakest link’ (you can guess how much I hate when users get called that).

Isn’t that how it works, though? Do organizations that are vulnerable to a known exploit tell the users there is a vulnerability in a system they are using while they, the organization, work to patch it? Does security awareness training acknowledge that IT can make choices that will make the user’s choices more risky?

Some of these weaknesses are legitimate limitations of vulnerability management, and some are baked into the risk management process. However, the fundamental idea that IT can consider an unpatched system as not being a broken system should change. If IT treated patching as ‘break fix’ work, it would, I believe, make it less likely that they would leave a system unpatched.

Copyright © 2025 Applied Technology Review. All Rights Reserved