PATCHING ISN’T WORKING AND END-USERS IGNORE BREACHES, SAYS EX-NSA SECURITY VP DAVID VENABLE
Venable worked as an intelligence officer for the NSA for six years

David Venable, VP of cyber security at network provider and security firm Masergy, thinks that the world’s approach to patching is broken, and that the evidence – data leaks and exploits like WannaCry – speaks for itself.

“For a long time I thought [patching] worked,” Venable tells us, “but then a lot of people weren’t doing it well. One month we had the EternalBlue patch, then ShadowBrokers released the exploit. A month later we had WannaCry, which exploited the patch that had been released two months before. Later, NotPetya used the same vulnerability and still affected many people and had a global impact.”

Venable has 18 years of experience in cyber security, including six years working for the NSA. He says that a big problem in patching is disruption, which holds firms back from deploying software updates:

“Patching is not hard on a small level, but in massive organisations it becomes a fairly difficult process, although one that has been solved for years and years. It’s basic hygiene, but no-one seems to be doing it.

“People want to make sure that there’s no impact on them – but we’re talking several months, in this case, and there’s no reason why. This is a fairly typical scenario.”
Finding a solution is difficult. Vendors can force users to apply patches, but that is invasive and not particularly viable in cases where the vendor doesn’t own the systems. Issues with buggy patches, like the Spectre and Meltdown updates, also make this undesirable.

Venable would prefer the industry to take a route where systems are certified, making vendors liable for vulnerabilities instead. He told us:

“If I put together a car, I couldn’t just take it on the road – it would need certifying for safety. If I did [drive it], there would be some liability. I suspect we’re going to end up with something similar for equipment going out on the internet. We’ll see software companies becoming more liable for their products and some sort of certification for their software.

“I’d like to see certification come from the tech industry,” he added, “but if it doesn’t then I think we’re going to see legislation [from the government] instead, which doesn’t make much sense and is difficult to enforce in other countries.”

Weak patching procedures mean that data breaches are inevitable, but Venable thinks that the reputational damage has become much less of a threat than it used to be.

“People hear about this stuff so much that it starts to lose its impact… If there’s a major breach, people are up in arms about it for a few weeks – but then it vanishes. I haven’t heard anything about Equifax in months. It’s the same with Target and Home Depot – everyone still shops there.

“Obviously no company wants this to happen, but the impact has changed.”

Venable describes the GDPR as a “very positive shift” in terms of privacy, and believes that it could bring some of that missing liability to the tech market.