More is the word of the day: more software with more flaws that can be exploited by more attackers. In March and April, multiple events left cybersecurity teams scrambling to address real and potential attacks:
- March 6, 2017 – The Apache Foundation announces a previously unknown flaw in one of the most commonly used web application frameworks, Struts 2. The vulnerability dates to 2012. Two weeks later, several variations of the new attack vector are announced.
- April 6, 2017 – The first public report of an attack using the Struts 2 flaw: attackers use the new exploit to deliver ransomware to Windows servers.
- April 18, 2017 – Oracle announces the largest quarterly Critical Patch Update in the company’s history – 299 patches cover a variety of vulnerabilities including some known for years.
- April 27, 2017 – Verizon’s 10th annual breach report states that healthcare is the second most attacked sector and that successful ransomware attacks doubled in 2016.
The common thread across these events: flawed third-party software code, and how widely that vulnerable code is used.
The Code’s the Thing
Think of an iceberg – the smallest part of the risk is the part you see above water. The same is true of modern software, particularly web applications. The code you write is somewhere between 10% and 20% of the total software stack. The remaining 80% to 90% of the stack is generally third-party code from a library or downloaded from a central repository. It may also include software provided with the platform or server. You have little to no visibility into this code and even less ability to remediate or protect against its flaws – known or unknown – using traditional security tools.
One major testing vendor – Black Duck – published a report in April 2017 reinforcing just how pervasive the use of open source code has become in modern software architecture. Consider that 96% of the more than 1,000 commercial applications scanned contained open source components. The average number of unique third-party components: 147.
The same report found that 67% of applications had known open source code vulnerabilities, with an average of 27 known flaws per application. Slightly more than half of those flaws – 52% – had a “High Severity” CVSS score.
The Many Ways Open Source Flaws Can Impact You
Statistics about open source use are important, but nothing brings home the point like reality.
When the April 2017 Oracle Critical Patch Update was released, it immediately became the poster child for the security risks associated with the use of open source software components. Not only were individual organizations having to fix their own code because of third-party software – so was the world’s second largest software maker.
The CPU included belated remediation for more than a dozen high-profile vulnerabilities which, in some cases, date back as far as five years. Included in these late fixes were the “celebrity superstar” vulnerabilities in Apache Struts v1 and v2 as well as Apache Commons, some of the most widely used open source components.
It’s too early to know if the late April ransomware attack on Greenway Health was the result of a third-party software flaw, but open source vulnerabilities have been tied to ransomware attacks via Microsoft products, including targeted attacks against hospitals in the US and the British National Health Service. Like Oracle, Microsoft has since issued patches to address the specific vulnerabilities.
This raises an obvious question: if the most sophisticated software companies on the planet cannot prevent flawed third-party code from impacting their signature products, how can an IT team at a regional or local healthcare company do so?
Ransomware Threat is Not Going Away
Greenway Health became a crime victim the same week in April that Verizon released its tenth annual Data Breach Investigation Report on 2016’s leading cyberattack trends. The headline grabber was this: The number of ransomware attacks doubled in 2016 to the point where 51% of all cyberattacks involved ransomware.
The ransomware attack against Greenway impacted access to the Electronic Health Records of 400 client organizations which had to revert to manual processing of health records. Greenway’s security team worked around the clock to try to restore access while also working to determine how the attack occurred.
This attack comes with more than obvious financial consequences. Greenway could run afoul of government regulators that view successful ransomware attacks as HIPAA violations. The HHS recently implemented the HIPAA Security Rule, which requires implementation of security measures that can help prevent the introduction of malware, including ransomware.
The new HHS guidance on HIPAA noted that a ransomware attack does, in fact, count as a breach because “unauthorized individuals have taken possession or control of the information.”
A Two-Front War
Security and development teams are currently fighting a two-front war: against non-stop attacks from hackers and, more recently, against the tidal wave of software flaws being embedded in software stacks from third-party components. The simplistic, popular answer to this issue is to “just write better code.” That ignores reality.
The sheer number of software vulnerabilities and the ubiquitous nature of software flaws mean that the protective measures we’ve relied on for decades are now unable to provide the level of protection required. A two-year OWASP study reported that leading testing vendors found 2.3 million known vulnerabilities across nearly 55,000 applications. Finding vulnerabilities is not the problem; fixing them is.
Billions of lines of new code are being written each year, and as many as 50 billion new networked industrial devices – including medical devices – are expected in the next three years. It’s time for cybersecurity experts, medical professionals and business leaders to sit down and figure out how to rapidly transition to newer technologies that automate security, are highly accurate and don’t create the side effects – like false positives – that the current set of solutions do. When that happens, ransomware and other attacks will be stopped long before they can cause harm.
John Matthew Holt is the Founder and CTO of runtime application security firm Waratek. He holds more than 60 patents related to virtualization and runtime protection.